SecurityTracker.com
Category:  OS (Linux)  >  ld-linux.so.2
Vendors:  [Multiple Authors/Vendors]
Linux 'ld-linux.so.2' Dynamic Linker Allows Local Users to Execute Programs For Which They Do Not Have Execute Permissions
Updated:  Apr 24 2002
Original Entry Date:  Apr 23 2002
Impact:  User access via local system
Exploit Included:  Yes  
Description:  A vulnerability was reported in the Linux 'ld-linux.so.2' dynamic linker. A local user can use this to execute binaries for which they have read but not execute privileges.

It is reported that a local user can execute any binary for which they have read privileges using '/lib/ld-linux.so.2', even if the user does not have execute privileges for the binary. The user must specify the full path, as in the following form:

/lib/ld-linux.so.2 ./read-but-not-execute-binary

This apparently also allows a local user to execute binaries that are on a 'noexec' partition.

Several users have written that this is not a vulnerability, but is the expected behavior of the function. They indicate that you cannot prevent users from executing a program when still giving the user read privileges, as the user can copy the program to another directory and chmod +x the file to get execute privileges.
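
An added example (not part of the original advisory or of the report below): a Python audit that lists ELF programs on which some permission class has the read bit but not the execute bit, the mode shown for /bin/ls in the report, so that read access can be removed where execution was meant to be blocked. The function names, the default directory and the choice to skip files with no execute bit at all are assumptions of this example.

```python
"""Added example: find ELF programs whose mode gives read without execute."""
import os
import stat
import sys

ELF_MAGIC = b"\x7fELF"

# (label, read bit, execute bit) for each permission class
CLASSES = (
    ("user", stat.S_IRUSR, stat.S_IXUSR),
    ("group", stat.S_IRGRP, stat.S_IXGRP),
    ("other", stat.S_IROTH, stat.S_IXOTH),
)


def read_without_exec(mode):
    """Classes whose read bit is set while their execute bit is clear."""
    return [name for name, r, x in CLASSES if mode & r and not mode & x]


def is_elf(path):
    """True if the file starts with the ELF magic (unreadable counts as no)."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def audit_tree(root):
    """Yield (path, octal mode, classes) for ELF programs with r-without-x."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            # Assumption of this example: a file with no execute bit at all
            # (object file, 0644 library) is not a restricted program; skip it.
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & 0o111:
                continue
            classes = read_without_exec(st.st_mode)
            if classes and is_elf(path):
                yield path, format(stat.S_IMODE(st.st_mode), "04o"), classes


if __name__ == "__main__":
    # Usage: python3 audit.py /bin /usr/local/bin
    for top in sys.argv[1:] or ["/usr/local/bin"]:
        for path, mode, classes in audit_tree(top):
            print(f"{mode} {path}: read without execute for {', '.join(classes)}")
```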

Impact:  A local user can execute binaries that the user does not have execute privileges for (if they have read privileges).

Several users have written that this is not a true vulnerability (see the Description section).

Solution:  No solution was available at the time of this entry.
Cause:  Access control error
Underlying OS:  Linux (Any)
Reported By:  Sabau Daniel <draven@UBBCluj.Ro>
Message History:   None.


 Source Message Contents

Date:  Mon, 22 Apr 2002 09:43:32 +0300 (EEST)
From:  Sabau Daniel <draven@UBBCluj.Ro>
Subject:  /lib/ld-2.2.4.so

 

or:
lrwxrwxrwx    1 root     root           11 Apr 15 12:01 /lib/ld-linux.so.2 -> ld-2.2.4.so

	This file gives users the ability of running binaries on which the 
user doesn't have the permission to execute; it is enough to have read 
ability on the file in order to execute it:

-rwxr-xr--    1 root     root        45948 Aug  9  2001 /bin/ls

but using the /lib/ld-2.2.4.so file I can execute the ls command:

[08:51:36][draven@Zero:~]:$/lib/ld-2.2.4.so /bin/ls /
bin   bzImage   bzImage3  bzImage5  dev  home    lib   mnt  proc  sbin  usr
boot  bzImage2  bzImage4  bzImage6  etc  initrd  misc  opt  root  tmp   var

I do not have root privileges on this account:

[08:51:38][draven@Zero:~]:$id
uid=1000(draven) gid=10(wheel) groups=10(wheel),16(trust)

The most interesting part is running binaries on partitions mounted with 
noexec; let's take this partition:

/dev/sda9 on /home/friends type ext2 (rw,noexec,nosuid,nodev,usrquota,grpquota)

I've created a shell account with the home directory:

[mjj@Zero mjj]$ pwd
/home/friends/mjj

and wrote this C code in a file test.c

#include <stdio.h>
int main(void)
{
        printf ("Test");
        return 0;
}

I've compiled it & tried to run:

[mjj@Zero mjj]$ ./a.out
bash: ./a.out: Permission denied

but when I try to run it with /lib/ld-2.2.4.so:

[mjj@Zero mjj]$ /lib/ld-2.2.4.so ./a.out
Test

The important thing is to include a full path in the binary name to be 
able to execute it.
In the same way I've managed to run the ptrace exploit on a nosuid 
partition.
I'm running a 2.4.18 kernel with grsecurity-1.9.4 patch on a Red Hat 
Linux 7.2 box, but I've succeeded running this file on different Linux 
boxes and I've been successful; please, if anyone knows how to eliminate 
this hole in my security, give me a reply. If I try to change the mode on 
/lib/ls-2.2.4.so to 700, the users will not be able to log in on my Linux 
box, so this is not a solution:)

10x,
Dan Sabau


-- 


"From all the things I lost, 
My mind, I miss the most!"

echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sb20293A2058554E494Csnlbxq'|dc
 


 



Copyright 2002, SecurityGlobal.net LLC