Re: suid binaries evaluate LD_PRELOAD?
On Mon, Jul 14, 2003 at 10:46:17AM +0200, Caspar Bothmer wrote:
> Package: glibc
> Version: different versions
> Distribution: Debian woody, sid, other Non-Debian (SuSE, RH, Gentoo)
> Unaffected: Debian potato (at least my installation)
> Vulnerable: yes, local, privilege escalation

But is it actually exploitable or do you just see the error message?
Glibc will generally resolve the path, and then decide whether it is in
a trusted directory or not. For instance, all LD_PRELOAD items with a
'/' in them are ignored and only trusted directories are searched.

> Reproducible: always
>
> Behaviour: LD_PRELOAD gets evaluated:
> caspar@marvin:~$ LD_PRELOAD=funny /bin/su
> /bin/su: error while loading shared libraries: funny: cannot open shared object file: No such file or directory
> caspar@marvin:~$
>
> Should be: no evaluation:
> caspar@marvin:~$ LD_PRELOAD=funny /bin/su
> Password:
>
> Known problem: reported in 1998, also fixed in DSA-039-1, Mar 8, 2001
>
> Reported to me by: Sascha Silbe
> Initial Bugreport by Sascha Silbe:
> http://bugs.gentoo.org/show_bug.cgi?id=24332
>
>
> Please fix this bug.
>
>
> bye
>
> caspar
--
Daniel Jacobowitz
MontaVista Software Debian GNU/Linux Developer
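
An added illustration, not part of the original message and not glibc source: a small C model of the rule described in the reply, showing why a bare name such as `funny` ends in a loader error while any item containing '/' is dropped before lookup. The function names, the sample values and the trusted-directory list in `main` are assumptions made for the example.

```c
/* Added model of the secure-mode rule described in the reply; not glibc source. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum outcome { IGNORED = -1, NOT_FOUND = 0, FOUND = 1 };

/* Treat one LD_PRELOAD item as the reply describes for a setuid program:
 * an item containing '/' is ignored; a bare name is looked up only in the
 * trusted directories (NULL-terminated list, supplied by the caller). */
enum outcome secure_preload_item(const char *item, const char *const *trusted,
                                 char *path, size_t pathlen)
{
    if (strchr(item, '/'))
        return IGNORED;
    for (; *trusted; trusted++) {
        int n = snprintf(path, pathlen, "%s/%s", *trusted, item);
        if (n > 0 && (size_t)n < pathlen && access(path, R_OK) == 0)
            return FOUND;
    }
    return NOT_FOUND;   /* the loader reports "cannot open shared object file" */
}

/* Split a whole LD_PRELOAD value (items separated by spaces or colons) and
 * count the items that survive the slash filter. Returns -1 if too long. */
int count_searched(const char *value)
{
    char buf[1024];
    int kept = 0;
    if (strlen(value) >= sizeof buf)
        return -1;
    strcpy(buf, value);
    for (char *tok = strtok(buf, " :"); tok; tok = strtok(NULL, " :"))
        if (!strchr(tok, '/'))
            kept++;
    return kept;
}

int main(void)
{
    /* Assumed trusted directories; the real list is fixed when glibc is built. */
    const char *const trusted[] = { "/lib", "/usr/lib", NULL };
    const char *samples[] = { "funny", "./funny", "/tmp/funny.so" };  /* constructed */
    char path[512];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-14s -> %d\n", samples[i],
               secure_preload_item(samples[i], trusted, path, sizeof path));
    return 0;
}
```

In this model the error message from the report corresponds to `NOT_FOUND`: the name was evaluated, but only against directories an unprivileged user cannot write to.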