Bug 64083 - System's security
Product: Red Hat Linux
Classification: Retired
Component: ld.so
i386 Linux
Priority: high, Severity: medium
Assigned To: Jakub Jelinek
: Security
Reported: 2002-04-25 07:13 EDT by Need Real Name
Modified: 2008-05-01 11:38 EDT (History)
Last Closed: 2002-04-26 10:25:55 EDT
Description Need Real Name 2002-04-25 07:13:15 EDT
Interesting.... don't you think?

./Joe Sec

-----Original Message-----
From: Sabau Daniel [mailto:draven@UBBCluj.Ro]
Sent: Monday, April 22, 2002 2:44 AM
To: vuln-dev@securityfocus.com
Cc: focus-linux@securityfocus.com
Subject: /lib/ld-2.2.4.so 

lrwxrwxrwx    1 root     root           11 Apr 15 12:01 /lib/ld-linux.so.2 -> ld-2.2.4.so

	This file gives users the ability to run binaries which the 
user doesn't have permission to execute; it is enough to have read 
access to the file in order to execute it:

-rwxr-xr--    1 root     root        45948 Aug  9  2001 /bin/ls

but using the /lib/ld-2.2.4.so file I can execute the ls command:

[08:51:36][draven@Zero:~]:$/lib/ld-2.2.4.so /bin/ls /
bin   bzImage   bzImage3  bzImage5  dev  home    lib   mnt  proc  sbin  
boot  bzImage2  bzImage4  bzImage6  etc  initrd  misc  opt  root  tmp   

I do not have root privileges on this account:

uid=1000(draven) gid=10(wheel) groups=10(wheel),16(trust)

The most interesting part is running binaries on partitions mounted with 
noexec; let's take this partition:

/dev/sda9 on /home/friends type ext2 

I've created a shell account with the home directory:

[mjj@Zero mjj]$ pwd

and wrote this C code in a file test.c:

#include <stdio.h>
int main(void)
{
        printf ("Test");
        return 0;
}

I've compiled it & tried to run it:

[mjj@Zero mjj]$ ./a.out
bash: ./a.out: Permission denied

but when I try to run it with /lib/ld-2.2.4.so:

[mjj@Zero mjj]$ /lib/ld-2.2.4.so ./a.out

The important thing is to include a full path in the binary name to be 
able to execute it.
In the same way I've managed to run the ptrace exploit on a nosuid 
I'm running a 2.4.18 kernel with grsecurity-1.9.4 patch on a Red Hat 
Linux 7.2 box, but I've succeeded running this file on different Linux 
boxes and I've been successful; please, if anyone knows how to eliminate 
this hole in my security, give me a reply. If I try to change the mode on 
/lib/ld-2.2.4.so to 700, the users will not be able to log in on my Linux 
box, so this is not a solution :)

Dan Sabau


"From all the things I lost, 
My mind, I miss the most!"

echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sb20293A2058554E494Csnlbxq'|dc
Comment 1 Jakub Jelinek 2002-04-26 10:25:50 EDT
How is this different from cp -a ./a.out /tmp/a.out; chmod +x /tmp/a.out; /tmp/a.out?
If you have read permissions, what stops you from copying it somewhere where you
can run it?
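
A defender-side check for the behaviour reported above, as an added example that is not part of the bug report or the forwarded post: it pairs auditd SYSCALL and EXECVE records by event id and flags executions where the running image is the dynamic loader and a program path is passed to it. Using auditd as the log source is an assumption, the log lines are constructed and trimmed, and the match is on the kernel-reported `exe` rather than `argv[0]`, which the caller controls.

```python
import re

# Constructed, trimmed auditd records (not from the page); paths mirror the report.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1019465096.101:41): syscall=11 success=yes uid=1000 exe="/lib/ld-2.2.4.so"
type=EXECVE msg=audit(1019465096.101:41): argc=3 a0="/lib/ld-2.2.4.so" a1="/bin/ls" a2="/"
type=SYSCALL msg=audit(1019465097.202:42): syscall=11 success=yes uid=1000 exe="/bin/ls"
type=EXECVE msg=audit(1019465097.202:42): argc=2 a0="ls" a1="/"
type=SYSCALL msg=audit(1019465098.303:43): syscall=11 success=yes uid=1001 exe="/lib/ld-2.2.4.so"
type=EXECVE msg=audit(1019465098.303:43): argc=2 a0="sh" a1="./a.out"
type=SYSCALL msg=audit(1019465099.404:44): syscall=11 success=yes uid=1000 exe="/lib/ld-2.2.4.so"
type=EXECVE msg=audit(1019465099.404:44): argc=3 a0="ld.so" a1="--list" a2="/bin/ls"
'''

# Basenames such as ld-2.2.4.so, ld-linux.so.2, ld-linux-x86-64.so.2, ld.so
LOADER = re.compile(r'^ld(-linux[\w-]*)?(-[\d.]+)?\.so(\.\d+)*$')
RECORD = re.compile(r'^type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
INSPECT_ONLY = {"--list", "--verify"}  # loader modes that do not run the target
TAKES_VALUE = {"--library-path", "--inhibit-rpath", "--audit", "--preload", "--argv0"}

def loader_target(argv):
    """Return the program the loader was asked to run, or None."""
    args = iter(argv[1:])
    for arg in args:
        if arg in INSPECT_ONLY:
            return None
        if arg in TAKES_VALUE:
            next(args, None)           # skip the option's value
        elif not arg.startswith("--"):
            return arg                 # first positional argument is the program
    return None

def find_loader_execs(log_text):
    """Return (event id, uid, loader path, target) for each loader-run program."""
    events = {}
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if m:
            rtype, event_id, rest = m.groups()
            fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
            events.setdefault(event_id, {})[rtype] = fields
    hits = []
    for event_id, recs in events.items():
        exe = recs.get("SYSCALL", {}).get("exe", "")
        ex = recs.get("EXECVE", {})
        argv = [ex[f"a{i}"] for i in range(int(ex.get("argc", 0))) if f"a{i}" in ex]
        target = loader_target(argv) if LOADER.match(exe.rsplit("/", 1)[-1]) else None
        if target:
            hits.append((event_id, recs["SYSCALL"].get("uid"), exe, target))
    return hits
```

According to mount(8), running a binary from a noexec mount through the loader fails since Linux 2.4.25 / 2.6.0; a readable file without the execute bit can still be started this way, which is the case the check is mainly useful for.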
