[ http://seclists.org/fulldisclosure/2010/Oct/257 ]
=====
The GNU C library dynamic linker expands $ORIGIN in setuid library search path
From: Tavis Ormandy <taviso () cmpxchg8b com>
Date: Mon, 18 Oct 2010 12:17:25 +0200

The GNU C library dynamic linker expands $ORIGIN in setuid library search path
------------------------------------------------------------------------------

Gruezi, This is CVE-2010-3847.

The dynamic linker (or dynamic loader) is responsible for the runtime linking of dynamically linked programs. ld.so operates in two security modes, a permissive mode that allows a high degree of control over the load operation, and a secure mode (libc_enable_secure) intended to prevent users from interfering with the loading of privileged executables.

$ORIGIN is an ELF substitution sequence representing the location of the executable being loaded in the filesystem hierarchy. The intention is to allow executables to specify a search path for libraries that is relative to their location, to simplify packaging without spamming the standard search paths with single-use libraries.

[...]

The ELF specification suggests that $ORIGIN be ignored for SUID and SGID binaries,

http://web.archive.org/web/20041026003725/http://www.caldera.com/developers/gabi/2003-12-17/ch5.dynamic.html#substitution

    "For security, the dynamic linker does not allow use of $ORIGIN
    substitution sequences for set-user and set-group ID programs. For such
    sequences that appear within strings specified by DT_RUNPATH dynamic
    array entries, the specific search path containing the $ORIGIN sequence
    is ignored (though other search paths in the same string are processed).
    $ORIGIN sequences within a DT_NEEDED entry or path passed as a parameter
    to dlopen() are treated as errors. The same restrictions may be applied
    to processes that have more than minimal privileges on systems with
    installed extended security mechanisms."

However, glibc ignores this recommendation.
The attack the ELF designers were likely concerned about is users creating hardlinks to suid executables in directories they control and then executing them, thus controlling the expansion of $ORIGIN.

[...]
=====

-- 
Soh Kam Yung
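As an added illustration (not code from the advisory or from glibc), the Python below implements the gABI rule quoted above for a DT_RPATH/DT_RUNPATH string (drop every $ORIGIN-bearing element in secure mode, keep the rest) and a small audit that flags a set-user/set-group-ID ELF64 binary whose run path carries $ORIGIN; `build_sample_elf` constructs a minimal image so the audit can be exercised offline, and all function names are my own.

```python
import stat, struct

# ELF gABI constants used below.
DT_NULL, DT_NEEDED, DT_RPATH, DT_RUNPATH, SHT_DYNAMIC = 0, 1, 15, 29, 6
ORIGIN_TOKENS = ("${ORIGIN}", "$ORIGIN")  # braced form first so replace() leaves no stray brace

def search_dirs(path_string, origin_dir, secure):
    """gABI rule for a DT_RPATH/DT_RUNPATH string: in secure mode (set-ID process) every
    element that mentions $ORIGIN is dropped and the rest kept; otherwise $ORIGIN expands."""
    dirs = []
    for entry in path_string.split(":"):
        if any(tok in entry for tok in ORIGIN_TOKENS):
            if secure:
                continue
            for tok in ORIGIN_TOKENS:
                entry = entry.replace(tok, origin_dir)
        dirs.append(entry or ".")  # an empty element means the current directory
    return dirs

def dynamic_strings(elf):
    """[(d_tag, string)] for the DT_NEEDED/DT_RPATH/DT_RUNPATH entries of a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1: raise ValueError("little-endian ELF64 only")
    shoff, shentsize, shnum = struct.unpack_from("<Q10xHH", elf, 40)  # e_shoff, e_shentsize, e_shnum
    shdrs = [struct.unpack_from("<IIQQQQIIQQ", elf, shoff + i * shentsize) for i in range(shnum)]
    found = []
    for sh in (s for s in shdrs if s[1] == SHT_DYNAMIC):
        str_off, str_size = shdrs[sh[6]][4], shdrs[sh[6]][5]  # sh_link names the .dynstr section
        for i in range(sh[5] // 16):  # Elf64_Dyn entries are 16 bytes
            tag, val = struct.unpack_from("<qQ", elf, sh[4] + i * 16)
            if tag == DT_NULL: break
            if tag in (DT_NEEDED, DT_RPATH, DT_RUNPATH):
                found.append((tag, elf[str_off + val:str_off + str_size].split(b"\0", 1)[0].decode()))
    return found

def origin_findings(elf, mode):
    """Audit rule: run-path strings using $ORIGIN in a set-user/set-group-ID binary (else [])."""
    if not mode & (stat.S_ISUID | stat.S_ISGID):
        return []  # unprivileged binary: ld.so runs in permissive mode, $ORIGIN is legitimate here
    return [s for t, s in dynamic_strings(elf) if t in (DT_RPATH, DT_RUNPATH) and any(k in s for k in ORIGIN_TOKENS)]

def build_sample_elf(runpath):
    """Constructed test image (not a real binary): an ELF64 holding only .dynamic and .dynstr."""
    dynstr = b"\0libc.so.6\0" + runpath.encode() + b"\0"  # the run-path string starts at offset 11
    dyn = struct.pack("<qQqQqQ", DT_NEEDED, 1, DT_RUNPATH, 11, DT_NULL, 0)
    str_off, dyn_off = 64, 64 + len(dynstr)
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 0, dyn_off + len(dyn), 0, 64, 0, 0, 64, 3, 2)
    sh_dyn = struct.pack("<IIQQQQIIQQ", 0, SHT_DYNAMIC, 0, 0, dyn_off, len(dyn), 2, 0, 8, 16)
    sh_str = struct.pack("<IIQQQQIIQQ", 0, 3, 0, 0, str_off, len(dynstr), 0, 0, 1, 0)
    return hdr + dynstr + dyn + bytes(64) + sh_dyn + sh_str
```

For a binary on disk, pass `open(p, "rb").read()` and `os.stat(p).st_mode` to `origin_findings`; a non-empty result means the file depends on the secure-mode behaviour that the advisory reports glibc did not implement.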
