Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 22 Dec 2010 11:46:41 +0000 (UTC)
From: Jamie Nguyen <dyscoria@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Breaking the links: Exploiting the linker

Tim Brown <timb@...> writes:

> 
> In the interests of a thorough peer review I'd be curious what people think of 
> the following paper I've been working on Linux and POSIX linkers:
> 
> http://www.nth-dimension.org.uk/downloads.php?id=77
> 
> A previous revision has already been reviewed but constructive criticism is 
> always useful.  There are some sections that I have removed whilst I wait on  
> vendors but I'm particularly interested in feedback on pertinent references or 
> threats that I may have missed.  As per the abstract, the aim of the paper 
> wasn't to claim everything as my own but rather to document as much about the 
> current state of art as possible.
> 
> Tim

Hi,

I am somewhat unknowledgeable about the whole linking process, but I was testing 
out the execution of a file using ld on a filesystem mounted with noexec. I 
followed the example you gave of copying the '/usr/bin/id' executable to a user 
writeable directory and removing the executable bit.

After removing the executable bit, I was still able to execute this on a normal 
filesystem using /lib/ld-linux-x86_64.so.2 but on a filesystem mounted with 
noexec this method did not work.

You suggest in the article:

"...if you're mounting devices with noexec the you should probably ensure that 
they [sic] the runtime linker can't be executed either."

Forgive me if I am being dim, because from what I can see, mounting with noexec 
seems to solve the issue of using ld-linux-x86-64.so.2 to execute non-executable 
files.

I notice in your example that you are using eglibc. I am testing with glibc, so 
perhaps this is the reason?


Kind regards

Jamie

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.