Date:      Mon, 15 May 2017 15:13:16 -0400
From:      Shawn Webb <shawn.webb@hardenedbsd.org>
To:        Ian Lepore <ian@freebsd.org>
Cc:        Konstantin Belousov <kostikbel@gmail.com>, Alexey Dokuchaev <danfe@FreeBSD.org>, svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject:   Re: svn commit: r318313 - head/libexec/rtld-elf
Message-ID:  <20170515191316.jjtxiynrh3jvo5sz@mutt-hbsd>
In-Reply-To: <1494875335.59865.118.camel@freebsd.org>
References:  <201705151848.v4FImwMW070221@repo.freebsd.org> <20170515185236.GB1637@FreeBSD.org> <20170515190030.GG1622@kib.kiev.ua> <1494875335.59865.118.camel@freebsd.org>



On Mon, May 15, 2017 at 01:08:55PM -0600, Ian Lepore wrote:
> On Mon, 2017-05-15 at 22:00 +0300, Konstantin Belousov wrote:
> > On Mon, May 15, 2017 at 06:52:36PM +0000, Alexey Dokuchaev wrote:
> > >
> > > > On Mon, May 15, 2017 at 06:48:58PM +0000, Konstantin Belousov wrote:
> > > >
> > > > New Revision: 318313
> > > > URL: https://svnweb.freebsd.org/changeset/base/318313
> > > >
> > > > Log:
> > > > >   Make ld-elf.so.1 directly executable.
> > > > Does it mean that old Linux' trick of
> > > > /lib/ld-linux.so.2 /bin/chmod +x /bin/chmod
> > > > would now be possible on FreeBSD as well?
> > Yes.
> >
> > >
> > > Does this have any security implications?
> > What do you mean ?
> >
>
> Well, for example, it seems like it would allow anyone to execute a
> binary even if the sysadmin had set it to -x specifically to prevent
> people from running it.

It additionally subverts application whitelisting schemes where all
dependent shared objects (even the rtld) are checked (such is the case
with Integriforce in HardenedBSD).

Since even the rtld is checked, an attacker can now bypass the
application whitelisting scheme by running:
/libexec/ld-elf.so.1 /path/to/previously/disallowed/executable

Thanks,

--
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE
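
Added example, not part of the original message and not FreeBSD or HardenedBSD code: a sketch of how an exec-event check can resolve the program that actually runs when the runtime linker is executed directly, as the message above describes, and flag both the allowlist bypass and the -x bypass. The event fields, the path-based allowlist, the finding names and all sample data are constructed assumptions.

```python
import posixpath
import stat

# Runtime linker paths named in the thread.
RTLD_PATHS = {"/libexec/ld-elf.so.1", "/lib/ld-linux.so.2"}
ANY_EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def effective_target(event):
    """Return (via_rtld, path of the program that will actually run).

    The path is None when the linker was run directly but argv[1] is missing
    or looks like an option, so the target cannot be resolved from argv alone.
    """
    exe, argv = event["exe"], event["argv"]
    if exe not in RTLD_PATHS:
        return False, exe
    if len(argv) < 2 or argv[1].startswith("-"):
        return True, None
    # Relative targets are resolved against the process working directory.
    return True, posixpath.normpath(posixpath.join(event["cwd"], argv[1]))

def evaluate(event, allowlist, modes):
    """Return findings for one exec event (an empty list means nothing to report)."""
    via_rtld, target = effective_target(event)
    if not via_rtld:
        return [] if target in allowlist else ["not-allowlisted"]
    findings = ["direct-rtld-exec"]
    if target is None:
        return findings + ["target-unresolved"]
    if target not in allowlist:
        findings.append("allowlist-bypass")    # linker passes, payload would not
    mode = modes.get(target)
    if mode is not None and not mode & ANY_EXEC:
        findings.append("noexec-bypass")       # file was deliberately set -x
    return findings

# Constructed sample data (hypothetical policy, file modes and events).
ALLOWLIST = {"/bin/ls", "/libexec/ld-elf.so.1"}
MODES = {"/bin/ls": 0o555, "/home/u/tool": 0o644}
EVENTS = [
    {"exe": "/bin/ls", "argv": ["ls", "-l"], "cwd": "/"},
    {"exe": "/libexec/ld-elf.so.1", "cwd": "/home/u",
     "argv": ["/libexec/ld-elf.so.1", "./tool"]},
    {"exe": "/libexec/ld-elf.so.1", "cwd": "/",
     "argv": ["/libexec/ld-elf.so.1", "/bin/ls"]},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["argv"], "->", evaluate(ev, ALLOWLIST, MODES))
```

A check that looks only at the executed path sees the allowlisted linker in the second event; evaluating the resolved target is what surfaces the bypass.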



