This is the mail archive of the
libc-alpha@sources.redhat.com
mailing list for the glibc project.
[fyre@box3n.gumbynet.org: Re: ld-2.1.3.so allows users to run programs from noexec partition]
- To: libc-alpha at sources dot redhat dot com
- Subject: [fyre@box3n.gumbynet.org: Re: ld-2.1.3.so allows users to run programs from noexec partition]
- From: "Rodrigo Barbosa (aka morcego)" <rodrigob at conectiva dot com dot br>
- Date: Mon, 4 Sep 2000 15:26:57 -0300
Anything new on this field ? ld-2.1.93.so still executes the file.
[]s
----- Forwarded message from Tim Robbins <fyre@box3n.gumbynet.org> -----
Date: Mon, 4 Sep 2000 12:28:13 +1100 (EST)
From: Tim Robbins <fyre@box3n.gumbynet.org>
To: security-audit@ferret.lmh.ox.ac.uk
Subject: Re: ld-2.1.3.so allows users to run programs from noexec partition
As far as I can tell, Michal Zalewski was the first to announce this in a
post to Bugtraq:
http://www.securityportal.com/list-archive/bugtraq/1999/Aug/0281.html
Tim
--
Tim Robbins
fyre@box3n.gumbynet.org
.. Now KEN and BARBIE are PERMANENTLY ADDICTED to MIND-ALTERING DRUGS..
- Zippy the pinhead
On Sun, 3 Sep 2000, Jarno Huuskonen wrote:
> Hi !
>
> While reading deja.com sfnet.atk.linux newsgroup archive I noticed that
> someone had reported that using ld-linux it's possible to run programs
> from noexec partitions. Here's a test I made and it seems to work:
>
> Noexec partition created:
> /tmp/oops.ext2 on /tmp/oops type ext2 (rw,noexec,loop=/dev/loop0)
>
> copied /bin/date to /tmp/oops
> /tmp/oops/date
> --> bash2: /tmp/oops/date: Permission denied
> /lib/ld-2.1.3.so /tmp/oops/date
> --> prints date
>
> I also made a hello world program in /tmp/oops and ld runs it quite nicely.
>
> It looks like it's quite hard to disallow users from running their
> own programs.
> (This was on a RedHat 6.2 with the latest security fixed glibc).
>
> -Jarno
>
> PS. Does anyone know under what condition did the glibc allow setuid
> programs to use LANG etc. env.variables ? A while back when having
> a look at ncpfs I thought that using LANG with setuid programs might be
> nice way to get root, but after looking at the source it seemed that
> if the env.variable had '/' in it glibc refused to use it.
>
> --
> Jarno Huuskonen - System Administrator | Jarno.Huuskonen@uku.fi
> University of Kuopio - Computer Center | Work: +358 17 162822
> PO BOX 1627, 70211 Kuopio, Finland | Mobile: +358 40 5388169
>
----- End forwarded message -----
--
/* Rodrigo Barbosa - A.K.A. morcego */
/* rodrigob@conectiva.com.br - Conectiva R&D Team */
/* "Quis custodiet custodias?" - Juvenal */
PGP signature