Date:      Tue, 23 Jul 2002 14:57:19 +0100
From:      Lee Brotherston <lee@nerds.org.uk>
To:        hackers@freebsd.org
Subject:   LD_LIBRARY_PATH security checks
Message-ID:  <20020723135719.GA68246@nerds.org.uk>



Hi,

Something that has occurred to me is something I perceive to be a
problem with the security features of LD_LIBRARY_PATH, and I was after
any (helpful) comments ;)

A couple of things mentioned in ldconfig(8):

"Special care must be taken when loading shared libraries into the
address space of set-user-Id programs.  Whenever such a program is
run, the dynamic linker will only load shared libraries from the hints
file.  In particular, the LD_LIBRARY_PATH is not used to search for
libraries."

This is not always the case; this does not appear to apply to root.
This may be me being pedantic, but I think that this should be
mentioned in the man pages if it is an intended feature.

"For security reasons, directories which are world or group-writable
or which are not owned by root produce warning messages and are
skipped, unless the -i option is present."

Now this is actually with regard to using ldconfig, not LD_LIBRARY_PATH,
but I think it illustrates something that I think should be considered in
a minute...

Currently root can, by using LD_LIBRARY_PATH, use alternative
libraries which are not owned by root, are world writable, in a world
writable directory, for a setuid binary:

# echo $LD_LIBRARY_PATH
/var/tmp

# ldd /usr/bin/passwd
/usr/bin/passwd:
        libcrypt.so.2 => /var/tmp/libcrypt.so.2 (0x2806a000)
        librpcsvc.so.2 => /usr/lib/librpcsvc.so.2 (0x28083000)
        libutil.so.3 => /usr/lib/libutil.so.3 (0x2808b000)
        libc.so.4 => /usr/lib/libc.so.4 (0x28094000)

# ls -al /var/tmp/libcrypt.so.2
-rw-rw-rw-  1 nobody  nobody  28588 Jul 23 14:31
/var/tmp/libcrypt.so.2


My reason for objecting to this is that I think this makes it too easy
to escalate privileges once a wheel account is compromised.  By
placing alternative libraries in an existing LD_LIBRARY_PATH directory
(permissions permitting) or by adding one to the user's profile and waiting
for them to su (from su(1): "By default, the environment is unmodified with
the exception of USER, HOME, and SHELL.") they can execute code
which uses a malicious shared library without realising it.

You could argue that if a machine is compromised to this point already
an attacker could modify the PATH variable to similar ends, but I
think that this is less noticeable to a novice admin (this feature
is not mentioned in the man pages) and could be avoided easily...

Is there any reason that, when root loads libraries (particularly on
setuid applications) via LD_LIBRARY_PATH, the same checks are not
applied that are used with ldconfig, that being ownership and
world/group writability?

I might be way off on this one, but I'd be interested to hear what
people have to say.

Thanks, and sorry for the long rambly mail ;)

  Lee

-- 
Lee Brotherston - <lee@nerds.org.uk>
http://www.nerds.org.uk - "Use the source Luke"
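The check the mail asks for, as an added example that is not part of the original message or of FreeBSD's ld.so/ldconfig code: a POSIX shell audit that applies ldconfig's two tests (owned by root, not group- or world-writable) to every directory in a colon-separated LD_LIBRARY_PATH value and to each `*.so*` file inside it, so an admin can spot an entry like the `/var/tmp/libcrypt.so.2` above before it is loaded into a setuid program. The function names and the `ls -ldn` parsing are this example's own choices.

```sh
#!/bin/sh
# Added example, not FreeBSD's own code: apply the two ldconfig(8) checks
# quoted in the mail (owned by root, not group- or world-writable) to every
# directory in a colon-separated LD_LIBRARY_PATH value and to each *.so* file
# inside it.  It only reports; it does not change how ld.so resolves anything.

# Classify one filesystem object.  Prints "OK <path>" or
# "REJECT <path>: <reasons>" and returns 1 when ldconfig would have skipped it.
# `ls -ldn` is parsed so the owner comes back as a uid (root == 0).
check_entry() {
    p="$1"
    set -- $(ls -ldn "$p")          # $1 = mode string, $3 = numeric owner
    mode="$1"; uid="$3"; why=""
    [ "$uid" = 0 ] || why="not owned by root (uid $uid)"
    case "$mode" in ?????w*)    why="${why:+$why, }group-writable" ;; esac
    case "$mode" in ????????w*) why="${why:+$why, }world-writable" ;; esac
    if [ -n "$why" ]; then
        echo "REJECT $p: $why"; return 1
    fi
    echo "OK $p"
}

# Audit a colon-separated path (default: $LD_LIBRARY_PATH).  Returns the
# number of rejected objects, so 0 means every entry passed.
check_ld_library_path() {
    path="${1:-$LD_LIBRARY_PATH}"; bad=0
    oldifs="$IFS"; IFS=':'; set -f   # split on ':' only, no globbing
    set -- $path
    IFS="$oldifs"; set +f
    for dir in "$@"; do
        [ -n "$dir" ] || continue
        if [ ! -d "$dir" ]; then
            echo "REJECT $dir: not a directory"; bad=$((bad + 1)); continue
        fi
        check_entry "$dir" || bad=$((bad + 1))
        for lib in "$dir"/*.so*; do
            [ -e "$lib" ] || continue   # glob matched nothing
            check_entry "$lib" || bad=$((bad + 1))
        done
    done
    return "$bad"
}

# Example invocation; the mail's /var/tmp would be reported as world-writable.
if [ $# -gt 0 ]; then
    check_ld_library_path "$1"
fi
```

Run it as `sh ldpathcheck.sh "$LD_LIBRARY_PATH"` from a wheel user's shell, or from a cron job against the paths configured in root's profile; a non-zero exit status means at least one entry would have failed ldconfig's checks.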
