Bug#272210: libc6: LD_DEBUG should be ignored for suid/sgid binaries



Quoting GOTO Masanori <gotom@debian.or.jp>:

> How to allow pauses and single-stepping?  Bugtraq does not say anything about
> the latter.

http://seclists.org/lists/bugtraq/2004/Aug/0281.html

"You can essentially single-step through the 
library calls of a binary by turning on verbose debugging through 
LD_DEBUG and then carefully controlling stdout so that the program 
blocks while writing the debugging output. I've used this to exploit 
race conditions in setuid binaries that would otherwise be nearly 
impossible to trigger."
-- Jim Paris

You basically pipe the program to some other program that stops reading when you
want to. I played around with this technique myself, without involving
LD_DEBUG:


$ perl -e 'while (1) { print scalar localtime, "\n"; }' | perl -e 'while (<>) { print; sleep 1; }'
Sun Sep 26 12:11:08 2004
Sun Sep 26 12:11:08 2004
Sun Sep 26 12:11:08 2004
[..lots of copies of this line..]
Sun Sep 26 12:11:08 2004
Sun Sep 26 12:11:08 2004
Sun Sep 26 12:11:08 2004
Sun Sep 26 12:13:52 2004
[..paused for two and a half minutes!..]
Sun Sep 26 12:13:52 2004
Sun Sep 26 12:13:52 2004
Sun Sep 26 12:13:52 2004
[..lots of copies of this line..]
Sun Sep 26 12:13:52 2004
Sun Sep 26 12:13:52 2004
Sun Sep 26 12:13:52 2004
Sun Sep 26 12:16:38 2004
[..paused for two and a half minutes!..]
Sun Sep 26 12:16:38 2004
Sun Sep 26 12:16:38 2004
Sun Sep 26 12:16:38 2004
[..and so on..]


As you can see, you can make a program pause for several minutes with this
technique. I'm not quite sure where the buffering comes from, if it's Perl or
what. I suppose I should try this in some other language.

To sum up: LD_DEBUG prints lots of output, and that allows an attacker to
perform timing critical security attacks (doing nasty things between operations
like adding symlinks) by pausing a program at an arbitrary point. As suid/sgid
programs are the most security critical, libc6 should ignore LD_DEBUG when
running those.

-- 
Ulf Harnhammar
http://www.advogato.org/person/metaur/
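The two mechanics behind this report, written out as an added example (this is not code from the bug report, from the poster, or from glibc): where the multi-minute pause comes from, and what the loader-side mitigation the report asks for amounts to. The buffering the poster wonders about has two layers. First, stdio (and Perl's PerlIO) fully buffers standard output when it is not a terminal, so lines leave the writer in block-sized chunks rather than one at a time. Second, the kernel pipe has a fixed capacity; once the reader stops draining it and that many bytes are pending, the writer's write() blocks, and with LD_DEBUG on the loader's own diagnostics land in that same pipe. `pipe_capacity()` measures the second layer. `secure_mode()` and `filter_debug_env()` model the requested fix: decide that a process is set-uid/set-gid from its real and effective ids, and in that case drop the debugging variables from the environment before they are consulted. All three function names are assumptions of this example, and the list of variables stripped is illustrative only.

```c
/* Added example: pipe capacity measurement and a model of "ignore LD_DEBUG
 * when set-uid/set-gid".  Not part of the bug report or of glibc. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* How many bytes a writer can push into a pipe before it would block.
 * A process whose stdout is this pipe stops inside write() once the reader
 * stops draining and this many bytes are pending.  Returns -1 on error. */
long pipe_capacity(void)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    int flags = fcntl(fds[1], F_GETFL);
    if (flags < 0 || fcntl(fds[1], F_SETFL, flags | O_NONBLOCK) < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    char chunk[4096];                     /* <= PIPE_BUF, so each write is all-or-nothing */
    memset(chunk, 'x', sizeof chunk);
    long total = 0;
    for (;;) {
        ssize_t n = write(fds[1], chunk, sizeof chunk);
        if (n > 0) {
            total += n;
            continue;
        }
        if (n < 0 && (errno == EAGAIN || errno == EWOULDBLOCK))
            break;                        /* pipe full: a blocking writer would stop here */
        total = -1;                       /* unexpected error */
        break;
    }
    close(fds[0]);
    close(fds[1]);
    return total;
}

/* A process is in secure mode when its real and effective ids differ,
 * i.e. it was started from a set-uid or set-gid executable. */
int secure_mode(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    return uid != euid || gid != egid;
}

/* Illustrative list of variables that must not be honoured in secure mode. */
static int is_debug_var(const char *entry)
{
    static const char *const names[] = { "LD_DEBUG=", "LD_DEBUG_OUTPUT=" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (strncmp(entry, names[i], strlen(names[i])) == 0)
            return 1;
    return 0;
}

/* Copy the NULL-terminated environment `in` to `out` (at most `cap` entries),
 * dropping debugging variables when `secure` is set.  Returns entries kept. */
size_t filter_debug_env(const char *const *in, int secure,
                        const char **out, size_t cap)
{
    size_t kept = 0;
    for (size_t i = 0; in[i] != NULL && kept < cap; i++) {
        if (secure && is_debug_var(in[i]))
            continue;
        out[kept++] = in[i];
    }
    return kept;
}

int main(void)
{
    printf("pipe holds %ld bytes before a writer blocks\n", pipe_capacity());
    /* Constructed environment for the demonstration. */
    const char *const env[] = { "LD_DEBUG=all", "HOME=/tmp", NULL };
    const char *kept[4];
    int secure = secure_mode(getuid(), geteuid(), getgid(), getegid());
    size_t n = filter_debug_env(env, secure, kept, 4);
    printf("secure=%d, %zu of 2 variables kept\n", secure, n);
    return 0;
}
```

Run on Linux, the first line typically reports 65536 bytes (16 pages); on top of that the writer's own stdio buffer delays each line by up to one block, which is why the timestamps in the transcript above appear in long runs separated by minutes rather than one second apart. The filtering step is where a loader would refuse the variable: a set-uid process then never emits the output that a stalled reader could use to hold it mid-operation.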