This is the mail archive of the libc-alpha@sources.redhat.com mailing list for the glibc project.



[fyre@box3n.gumbynet.org: Re: ld-2.1.3.so allows users to run programs from noexec partition]


Anything new in this field? ld-2.1.93.so still executes the file.

[]s

----- Forwarded message from Tim Robbins <fyre@box3n.gumbynet.org> -----

Date: Mon, 4 Sep 2000 12:28:13 +1100 (EST)
From: Tim Robbins <fyre@box3n.gumbynet.org>
To: security-audit@ferret.lmh.ox.ac.uk
Subject: Re: ld-2.1.3.so allows users to run programs from noexec partition

As far as I can tell, Michal Zalewski was the first to announce this in a
post to Bugtraq:

http://www.securityportal.com/list-archive/bugtraq/1999/Aug/0281.html

Tim

--
Tim Robbins
fyre@box3n.gumbynet.org

..  Now KEN and BARBIE are PERMANENTLY ADDICTED to MIND-ALTERING DRUGS..
                            - Zippy the pinhead


On Sun, 3 Sep 2000, Jarno Huuskonen wrote:

> Hi !
> 
> While reading deja.com sfnet.atk.linux newsgroup archive I noticed that
> someone had reported that using ld-linux it's possible to run programs
> from noexec partitions. Here's a test I made and it seems to work:
> 
> Noexec partition created:
> /tmp/oops.ext2 on /tmp/oops type ext2 (rw,noexec,loop=/dev/loop0)
> 
> copied /bin/date to /tmp/oops
> /tmp/oops/date
> --> bash2: /tmp/oops/date: Permission denied
> /lib/ld-2.1.3.so /tmp/oops/date
> --> prints date
> 
> I also made a hello world program in /tmp/oops and ld runs it quite nicely.
> 
> It looks like it's quite hard to disallow users from running their 
> own programs.
> (This was on a RedHat 6.2 with the latest security fixed glibc).
> 
> -Jarno
> 
> PS. Does anyone know under what condition did the glibc allow setuid
>     programs to use LANG etc. env.variables? A while back when having
>     a look at ncpfs I thought that using LANG with setuid programs might be
>     nice way to get root, but after looking at the source it seemed that
>     if the env.variable had '/' in it glibc refused to use it.
> 
> -- 
> Jarno Huuskonen - System Administrator   |  Jarno.Huuskonen@uku.fi
> University of Kuopio - Computer Center   |  Work:   +358 17 162822
> PO BOX 1627, 70211 Kuopio, Finland       |  Mobile: +358 40 5388169
> 


----- End forwarded message -----

-- 
 /*        Rodrigo Barbosa -  A.K.A. morcego       */
 /* rodrigob@conectiva.com.br - Conectiva R&D Team */
 /*      "Quis custodiet custodias?" - Juvenal     */
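
Added example (not part of the original messages and not glibc code): a Python check that flags process executions in which the dynamic loader is invoked directly on a file that lives on a noexec mount, as in the test quoted above. The mount table and execution records are constructed sample data, and the function names are this example's own.

```python
import posixpath
import re

# Loader file names such as ld-2.1.3.so, ld-linux.so.2, ld-linux-x86-64.so.2
LOADER_RE = re.compile(r"^ld(-[\w.-]+)?\.so(\.\d+)*$")

def parse_mounts(text):
    """Map mount point -> True if mounted noexec (/proc/mounts format)."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            mounts[fields[1]] = "noexec" in fields[3].split(",")
    return mounts

def on_noexec(path, mounts):
    """True if the longest mount point containing `path` is noexec."""
    path = posixpath.normpath(path)
    best = None
    for mp in mounts:
        prefix = mp.rstrip("/") + "/"
        if (path == mp or path.startswith(prefix)) and (best is None or len(mp) > len(best)):
            best = mp
    return best is not None and mounts[best]

def loader_bypass_targets(argv, mounts):
    """Absolute-path args on noexec mounts when argv[0] is the loader (relative args need cwd, skipped)."""
    if not argv or not LOADER_RE.match(posixpath.basename(argv[0])):
        return []
    return [a for a in argv[1:] if a.startswith("/") and on_noexec(a, mounts)]

# Constructed sample data: a mount table and exec records (argv lists)
SAMPLE_MOUNTS = """\
/dev/sda1 / ext2 rw 0 0
/dev/loop0 /tmp/oops ext2 rw,noexec 0 0
"""
SAMPLE_EXECS = [
    ["/tmp/oops/date"],                        # direct exec: kernel already denies it
    ["/lib/ld-2.1.3.so", "/tmp/oops/date"],    # loader run on a noexec file
    ["/lib/ld-2.1.3.so", "/bin/date"],         # loader run on a normal file
    ["/lib64/ld-linux-x86-64.so.2", "/tmp/oops/../oops/hello"],
]

if __name__ == "__main__":
    m = parse_mounts(SAMPLE_MOUNTS)
    for argv in SAMPLE_EXECS:
        if loader_bypass_targets(argv, m):
            print("ALERT loader run on noexec file:", " ".join(argv))
```

mount(8) documents that this loader trick fails since Linux 2.4.25 / 2.6.0, so on later kernels a hit records an attempt rather than a successful execution.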


