Guest / Items
ldd arbitrary code execution - good coders code, great reuse
Get Feed- Description
-
Nothing delights me more than great books.
If you like my blog, I'd be thankful for a gift from my Amazon book wishlist . :)
26 Oct 2009 07:15 amThe `ldd` utility is more vulnerable than you think. It’s frequently used by programmers and system administrators to determine the dynamic library dependencies of executables. Sounds pretty innocent, right? Wrong!
In this article I am going to show you how to create an executable that runs arbitrary code if it’s examined by `ldd`. I have also written a social engineering scenario on how you can get your sysadmin to unknowingly hand you his privileges.
I researched this subject thoroughly and found that it’s almost completely undocumented. I have no idea how this could have gone unnoticed for such a long time. Here are the only few documents that mention this interesting behavior: 1 , 2 , 3 , 4 .
First let’s understand how `ldd` works. Take a look at these three examples:
[1] $ ldd /bin/grep linux-gate.so.1 => (0xffffe000) libc.so.6 => /lib/libc.so.6 (0xb7eca000) /lib/ld-linux.so.2 (0xb801e000) [2] $ LD_TRACE_LOADED_OBJECTS=1 /bin/grep linux-gate.so.1 => (0xffffe000) libc.so.6 => /lib/libc.so.6 (0xb7e30000) /lib/ld-linux.so.2 (0xb7f84000) [3] $ LD_TRACE_LOADED_OBJECTS=1 /lib/ld-linux.so.2 /bin/grep linux-gate.so.1 => (0xffffe000) libc.so.6 => /lib/libc.so.6 (0xb7f7c000) /lib/ld-linux.so.2 (0xb80d0000)
The first command [1] runs `ldd` on `/bin/grep`. The output is what we expect — a list of dynamic libraries that `/bin/grep` depends on.
The second command [2] sets the LD_TRACE_LOADED_OBJECTS environment variable and seemingly executes `/bin/grep` (but not quite). Surprisingly the output is the same!
The third command [3] again sets the LD_TRACE_LOADED_OBJECTS environment variable, calls the dynamic linker/loader `ld-linux.so` and passes `/bin/grep` to it as an argument. The output is again the same!
What’s going on here?
It turns out that `ldd` is nothing more than a wrapper around the ...
- Original URL
Comments
Report ThisTwine is about discovering, collecting and sharing the content that interests you. Learn More
Join Twine
aggregatorsWho's Interested In This?
-
shal added to Linux, Linux at home, Linux & Open Source, Security, LinuxSysAdmin, Security 5 weeks ago
Public Comments
-
aggregators
4 weeks ago
-
shal
4 weeks ago
-
aggregators
4 weeks ago
Add a Comment- Some HTML is allowed.
- Reply
- Cancel
- Submit
Linux- Some HTML is allowed.
- Reply
- Cancel
- Submit
Linux- Some HTML is allowed.
- Reply
- Cancel
- Submit
Linux