On Wed, 25 Aug 1999, Michael K. Johnson wrote:
> Let's make sure we understand this correctly:
>
> #!/bin/sh
> /lib/ld-linux.so.2 "$@"
>
> is roughly equivalent to:
>
> #!/bin/sh
> file=$1
> shift
> cp $file /tmp
> /tmp/$file "$@"
> rm /tmp/$file
No, it isn't equivalent. Noone said /tmp is mounted with exec option. What
I'm trying to tell is that noexec is *NOT* a mechanism provided for
security reasons, and it's at least stupid to use it against hackers,
while a lot of administrators love restricting execution of custom
programs to prevent exploits, while this is the simpliest method (don't
even thinkin' about LD_PRELOAD and so on).
> And, of course, no one is capable of using mmap and PROT_EXEC to do
> their own ld-linux.so-like wrapper, especially since no one has the
> glibc source code to start from. ;-)
If noone is capable of using his own programs, noone is capable of using
his own linker.
> It is unfortunate that people think that it is a security feature, and
> I will say that you have found one of the more interesting and subtle
> ways to show that it is not a security feature, but this is NOT a
> glibc bug.
Yep, yep, sorry, I didn't wanted to say it's a bug (and didn't said it ;),
I say that it is the simpliest way to bypass noexec and security by
obscurity stinks ;P
Regards,
_______________________________________________________________________
Michal Zalewski [[EMAIL PROTECTED]] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [cellular phone: (0) 501 4000 69]
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]
