
Re: suid binaries evaluate LD_PRELOAD?



On Mon, Jul 14, 2003 at 10:46:17AM +0200, Caspar Bothmer wrote:
> Package: glibc
> Version: different versions
> Distribution: Debian woody, sid, other Non-Debian (SuSE,RH, Gentoo)
> Unaffected: Debian potato (at least my installation)
> Vulnerable: yes, local, privilege escalation

But is it actually exploitable or do you just see the error message?

Glibc will generally resolve the path, and then decide whether it is in
a trusted directory or not.  For instance, all LD_PRELOAD items with a
'/' in them are ignored and only trusted directories are searched.

> Reproducible: always
> 
> Behaviour: LD_PRELOAD gets evaluated:
> caspar@marvin:~$ LD_PRELOAD=funny /bin/su
> /bin/su: error while loading shared libraries: funny: cannot open shared
> object file: No such file or directory
> caspar@marvin:~$
> 
> Should be: no evaluation:
> caspar@marvin:~$ LD_PRELOAD=funny /bin/su
> Password:
> 
> Known problem: reported in 1998, also fix in DSA-039-1, Mar 8, 2001
> 
> Reported to me by: Sascha Silbe
> Initial Bugreport by Sascha Silbe:
> http://bugs.gentoo.org/show_bug.cgi?id=24332
> 
> 
> Please fix this bug.
> 
> 
> bye
> 
> caspar



-- 
Daniel Jacobowitz
MontaVista Software                         Debian GNU/Linux Developer
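
Added example, not part of the original message and not glibc's code: a small C model of the set-user-ID filtering described in the reply, where LD_PRELOAD entries containing '/' are dropped and the remaining bare names are looked up only in trusted directories. The directory list and the sample value are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 16
#define MAX_NAME 256

/* Model of the secure-mode filter described in the reply: entries that
 * contain '/' are ignored; bare names are kept for a trusted-directory
 * lookup. Returns the number of entries kept and copies them into out[]. */
int filter_preload_secure(const char *value, char out[][MAX_NAME], int max)
{
    int kept = 0;
    const char *p = value;

    while (*p != '\0') {
        /* LD_PRELOAD entries are separated by spaces or colons */
        size_t len = strcspn(p, " :");
        if (len > 0 && len < MAX_NAME && kept < max
            && memchr(p, '/', len) == NULL) {
            memcpy(out[kept], p, len);
            out[kept][len] = '\0';
            kept++;
        }
        p += len;
        if (*p != '\0')
            p++;                /* skip the separator */
    }
    return kept;
}

int main(void)
{
    /* Assumed trusted directories; the real list is fixed when glibc is built. */
    static const char *trusted[] = { "/lib", "/usr/lib" };
    /* Constructed sample value, including the "funny" entry from the report. */
    const char *sample = "funny /tmp/x.so:./x.so libfoo.so";
    char kept[MAX_ENTRIES][MAX_NAME];
    int n = filter_preload_secure(sample, kept, MAX_ENTRIES);

    for (int i = 0; i < n; i++)
        for (size_t d = 0; d < sizeof trusted / sizeof trusted[0]; d++)
            printf("would try %s/%s\n", trusted[d], kept[i]);
    return 0;
}
```

In this model the bare name "funny" survives the filter and is then not found in any trusted directory, which matches the "cannot open shared object file" message in the report.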


