Re: ldd arbitrary code execution - good coders code, great reuse
On 10/26/2009 at 11:46 AM, McKown, John john.mck...@healthmarkets.com wrote:
> This is a scary article. I don't have a Linux on z system to test it out on.

Even if you did, it wouldn't help. Looks like uClibc doesn't know about
s390[x] as a build target. I'm not going to spend the time enlightening it,
so I have no way to test either. (Unless someone out there has done it
already, or knows of another loader that will build.)

Mark Post

--
For LINUX-390 subscribe / signoff / archive access instructions, send email
to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
Re: ldd arbitrary code execution - good coders code, great reuse
McKown, John wrote:
> This is a scary article. I don't have a Linux on z system to test it out on.
> http://www.catonmat.net/blog/ldd-arbitrary-code-execution/

Oh, jeez, guys. This is a kid's trick. The victim has to be stupid enough to
execute ldd against a binary in the scamming user's write permission domain.
And it doesn't run as root when it runs, just as the moron who executed this
idiotic command:

    ldd ~jwoehr/hacks/bogus_binary

Keep users who would do such things out of shell access. Let 'em use the web
interface you provide them instead, it's safer that way.

--
Jack J. Woehr            # «'I know what it means well enough, when I find
http://www.well.com/~jax # a thing,' said the Duck: 'it's generally a frog or
http://www.softwoehr.com # a worm.'» - Lewis Carroll, _Alice in Wonderland_
Re: ldd arbitrary code execution - good coders code, great reuse
Also, if you are now shying away from running ldd, just make sure the binary
is of type ELF and you are safe; the examination, not the execution, will take
place. To make sure something you are about to ldd is ELF, just do this sort
of thing:

    $ od -c /usr/bin/grep | head -1
    000 177   E   L   F 001 001 001  \0  \0  \0  \0  \0  \0  \0  \0  \0

because ELF binaries identify themselves:

    $ man elf
    ELF(5)                  OpenBSD Programmer's Manual                  ELF(5)

    NAME
         elf - format of ELF executable binary files

    SYNOPSIS
         #include <elf_abi.h>

    DESCRIPTION
         The header file <elf_abi.h> defines the format of ELF executable
         binary files. Amongst these files are normal executable files,
         relocatable object files, core files and shared libraries.

etc.

Jack Woehr wrote:
> McKown, John wrote:
>> This is a scary article. I don't have a Linux on z system to test it out on.
>> http://www.catonmat.net/blog/ldd-arbitrary-code-execution/
>
> Oh, jeez, guys. This is a kid's trick. The victim has to be stupid enough to
> execute ldd against a binary in the scamming user's write permission domain.
> And it doesn't run as root when it runs, just as the moron who executed this
> idiotic command:
>
>     ldd ~jwoehr/hacks/bogus_binary
>
> Keep users who would do such things out of shell access. Let 'em use the web
> interface you provide them instead, it's safer that way.
>
> --
> Jack J. Woehr
Re: ldd arbitrary code execution - good coders code, great reuse
Jack Woehr wrote:
> Keep users who would do such things out of shell access. Let 'em use the web
> interface you provide them instead, it's safer that way.

What he says. This boils down to "niener niener - you think you aren't
executing my code but you are!"

I'd hope that any half-competent sysadmin, when faced with a "hey, could you
run ldd on this for me" request, would come back with "Didn't it work for
you? Let me come over to your desk and look at your shell session." I mean,
even in the case of a completely honest request, the appropriate response is
to fix the issue the user is having.

--
Pat
Re: ldd arbitrary code execution - good coders code, great reuse
-----Original Message-----
From: Linux on 390 Port [mailto:linux-...@vm.marist.edu] On Behalf Of Jack Woehr
Sent: Monday, October 26, 2009 11:06 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: ldd arbitrary code execution - good coders code, great reuse

> McKown, John wrote:
>> This is a scary article. I don't have a Linux on z system to test it out on.
>> http://www.catonmat.net/blog/ldd-arbitrary-code-execution/
>
> Oh, jeez, guys. This is a kid's trick. The victim has to be stupid enough to
> execute ldd against a binary in the scamming user's write permission domain.
> And it doesn't run as root when it runs, just as the moron who executed this
> idiotic command:
>
>     ldd ~jwoehr/hacks/bogus_binary
>
> Keep users who would do such things out of shell access. Let 'em use the web
> interface you provide them instead, it's safer that way.
>
> --
> Jack J. Woehr

Problem is, I've known such. And, to be brutally honest, I could have been
caught myself simply due to ignorance about how/what ldd works. I'm z/OS
internals oriented, not Linux internals. So well-known Linux/UNIX hacks like
this could be run against me. Likely what I need is to take some good
(expensive?) courses as I have in my years with z/OS and predecessors.

--
John McKown
Systems Engineer IV
IT Administrative Services Group
HealthMarkets(r)
9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * (817)-961-6183 cell
john.mck...@healthmarkets.com * www.HealthMarkets.com

Confidentiality Notice: This e-mail message may contain confidential or
proprietary information. If you are not the intended recipient, please contact
the sender by reply e-mail and destroy all copies of the original message.
HealthMarkets(r) is the brand name for products underwritten and issued by the
insurance subsidiaries of HealthMarkets, Inc. - The Chesapeake Life Insurance
Company(r), Mid-West National Life Insurance Company of Tennessee(SM) and The
MEGA Life and Health Insurance Company.(SM)
Re: ldd arbitrary code execution - good coders code, great reuse
McKown, John wrote:
> Problem is, I've known such. And, to be brutally honest, I could have been
> caught myself simply due to ignorance about how/what ldd works.

Of course. Everyone does once. Somehow the Unix world survives. Like you guys
somehow survived with your indescribably lame password system on VM :) Stuff
happens. You fix it and go on.

> I'm z/OS internals oriented, not Linux internals. So well-known Linux/UNIX
> hacks like this could be run against me.

Yes. They could. Which is why Real Unix Users don't log on as root and mostly
use sudo to execute well-thought-out commands. If you can't learn to partition
your world thusly, and back up regularly, you really shouldn't use Unix.

--
Jack J. Woehr
Re: ldd arbitrary code execution - good coders code, great reuse
McKown, John wrote:
> Problem is, I've known such. And, to be brutally honest, I could have been
> caught myself simply due to ignorance about how/what ldd works.

There are more subtle attacks on Linux integrity. In any case, chmod 700 ldd
if ldd is too powerful w/r/t the sophistication of your user crowd. Examine
chroot also for user accounts and use it to provide a select subset of user
commands to the novices.

--
Jack J. Woehr
Re: ldd arbitrary code execution - good coders code, great reuse
-----Original Message-----
From: Linux on 390 Port [mailto:linux-...@vm.marist.edu] On Behalf Of Jack Woehr
Sent: Monday, October 26, 2009 11:38 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: ldd arbitrary code execution - good coders code, great reuse

<snip>

> Yes. They could. Which is why Real Unix Users don't log on as root and
> mostly use sudo to execute well-thought-out commands. If you can't learn to
> partition your world thusly, and back up regularly, you really shouldn't
> use Unix.
>
> --
> Jack J. Woehr

That is exactly how I do it. I sudo to do any work that needs UID(0). And my
id is nothing special other than having sudo privileges. I learned that very
fast. If you run as root normally, you might as well use Windows! <grin>

--
John McKown
Systems Engineer IV
IT Administrative Services Group
HealthMarkets(r)
9151 Boulevard 26 * N. Richland Hills * TX 76010
(817) 255-3225 phone * (817)-961-6183 cell
john.mck...@healthmarkets.com * www.HealthMarkets.com
Re: ldd arbitrary code execution - good coders code, great reuse
Mark Post wrote:
> On 10/26/2009 at 11:46 AM, McKown, John john.mck...@healthmarkets.com wrote:
>> This is a scary article. I don't have a Linux on z system to test it out on.
>
> Even if you did, it wouldn't help. Looks like uClibc doesn't know about
> s390[x] as a build target. I'm not going to spend the time enlightening it,
> so I have no way to test either. (Unless someone out there has done it
> already, or knows of another loader that will build.)

The problem described isn't actually related to glibc, but rather to how ldd
is implemented! The problem is completely architecture independent.

The exploit indicated in the 'catonmat' article (which probably only got this
much attention because it was relayed on /.) is convoluted and bizarre
(modifying the uClibc ELF dynamic loader and creating a module that uses that
loader, which bypasses the 'TRACE_LOADED_OBJECTS' env variable). The actual
problem can be demonstrated in a way simpler manner (a single liner!):

    echo 'main(){system("rm -rf /");}' > a.c ; gcc -static -static-libgcc -Wl,-static a.c -o al ; gcc -Wl,-dynamic-linker=$(pwd)/al a.c -o a

Then ask your admin to log in as root and ldd ./a... all files are now gone!
(please do NOT... - I *repeat* - Do *NOT* try this at home!)

Note that this is eventually completely unrelated to the z/Architecture port
of the Linux kernel or GNU/Linux distributions running on z/Architecture
implementations.

Note that, according to searches, this exploit (or rather flawed-as-designed
issue) has been known to exist for around 10+ years, so well known that the
caveat is also actually indicated in ldd's man page!

--Ivan

--
For LINUX-390 subscribe / signoff / archive access instructions, send email
to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
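The check an admin would actually want before typing ldd on someone else's file follows from Ivan's one-liner: the -Wl,-dynamic-linker option only sets the binary's PT_INTERP segment, and that path is the program ldd hands control to. The script below (an added example, not code from this thread or any of its posters) parses the ELF header and program headers and reports the PT_INTERP path without executing anything; the TRUSTED_LOADERS set, the build_elf64() sample generator and the /home/user/al path are constructed assumptions for the demo.

```python
import struct

PT_INTERP = 3
# Assumption: loaders your distribution ships; adjust for your systems.
TRUSTED_LOADERS = {"/lib64/ld-linux-x86-64.so.2", "/lib/ld-linux.so.2",  # x86
                   "/lib/ld64.so.1", "/lib/ld.so.1"}                     # s390x/s390

def elf_interp(data: bytes):
    """Return the PT_INTERP path, or None when the file has no such segment."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")          # what the od -c check sees
    end = {1: "<", 2: ">"}.get(data[5])              # EI_DATA: LSB or MSB first
    if end is None:
        raise ValueError("unknown EI_DATA")
    if data[4] == 2:                                 # ELFCLASS64
        ehdr = struct.unpack_from(end + "16sHHIQQQIHHHHHH", data)
        phdr_fmt, off_i, size_i = end + "IIQQQQQQ", 2, 5
    elif data[4] == 1:                               # ELFCLASS32
        ehdr = struct.unpack_from(end + "16sHHIIIIIHHHHHH", data)
        phdr_fmt, off_i, size_i = end + "IIIIIIII", 1, 4
    else:
        raise ValueError("unknown EI_CLASS")
    e_phoff, e_phentsize, e_phnum = ehdr[5], ehdr[9], ehdr[10]
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_INTERP:
            off, size = ph[off_i], ph[size_i]
            if off + size > len(data):
                raise ValueError("PT_INTERP points outside the file")
            return data[off:off + size].rstrip(b"\0").decode(errors="replace")
    return None

def ldd_verdict(data: bytes) -> str:
    """Classify what ldd would execute for this file."""
    interp = elf_interp(data)
    if interp is None:
        return "static: no PT_INTERP, nothing for ldd to invoke"
    if interp in TRUSTED_LOADERS:
        return "ok: " + interp
    return "SUSPICIOUS: ldd would run non-standard loader " + interp

def build_elf64(interp: str) -> bytes:
    """Constructed minimal little-endian ELF64 with one PT_INTERP segment."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    body, off = interp.encode() + b"\0", 64 + 56   # string after ehdr + 1 phdr
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1, 0, 64, 0, 0,
                       64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, off, 0, 0, len(body), len(body), 1)
    return ehdr + phdr + body
```

On a real system, `readelf -l ./a` prints the same path in its "Requesting program interpreter" line, also without running the file.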