LD_PRELOAD attack

Peter Pentchev roam at ringlet.net
Wed Jun 11 22:55:18 CEST 2008


On Wed, Jun 11, 2008 at 04:31:45PM -0400, michael graffam wrote:
> On Wed, Jun 11, 2008 at 3:56 PM, David Shaw <dshaw at jabberwocky.com> wrote:
> 
> > If the attacker had access to your machine to implement the LD_PRELOAD
> > attack, there are literally dozens of ways they can similarly steal
> > whatever data they are trying to steal.  Why do a very complex attack
> > involving replacing libraries when they could just replace the GPG
> > binary itself?
> 
> Replacing the GPG bin requires root. An LD_PRELOAD'ed lib doesn't.
> 
> >  Or add a shell script named 'gpg' and put it in your
> > search path ahead of the real gpg?
> 
> Again, root.

Nope.  None of these is true.  If an attacker has access to *your*
account, he has perfectly good access to your shell startup files,
and he is perfectly capable of changing your PATH to include
a directory of his choosing where he may place any binaries he
wants to - and your shell will happily execute them instead of
the real system binaries.

Or maybe you are in the habit of auditing your .*shrc and .*sh_profile
files after each and every login?  And then auditing the pager or
editor that you audited them with?  If so, my hat's off to you, Sir,
but this is a level of paranoia that I'm not quite comfortable with :)

> > Or turn on typescript by default.
> 
> Doesn't save GPG passphrases.

True.

> > Or load a kernel module that changes the meaning of system calls.  Or
> > replace the rng with one that isn't random.  Or, or, or.
> 
> 
> Root, root, root.

This, too, is true.

> Get it yet? LD_PRELOAD enables attacks against GPG w/o requiring full access
> to the box. The attacker just need access to the user's account.

True, too, except that an attacker with access to your account really
does have at least seven ways (that pop up in my mind without even
thinking too hard) of replacing the gpg or pinentry or whatever
binaries without you noticing *at once*.

G'luck,
Peter

-- 
Peter Pentchev	roam at ringlet.net    roam at cnsys.bg    roam at FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
I am the thought you are now thinking.
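Peter's point above, that account-level access to the shell startup files is enough to put a directory of the attacker's choosing ahead of the real one on PATH, suggests a simple defensive check. The script below is an added example and is not part of the thread; it assumes /usr/bin/gpg as the trusted location of gpg and a fixed list of common startup files, both of which you would adjust for your own system.

```sh
#!/bin/sh
# Added example (not from the thread): audit the account-level tampering Peter
# describes. It looks for a directory on PATH that the current user can write to
# and that comes before the trusted location of gpg (where a planted gpg would
# win), and for PATH or LD_PRELOAD assignments in the shell startup files.

# shadowing_dir PATH_VALUE TRUSTED_BINARY
# Prints the first writable PATH entry that precedes the trusted binary's
# directory and returns 0; returns 1 if the trusted directory comes first.
shadowing_dir() {
    trusted_dir=$(dirname "$2")
    rest="$1:"                       # trailing ':' so the loop sees the last entry
    while [ -n "$rest" ]; do
        d=${rest%%:*}
        rest=${rest#*:}
        if [ -z "$d" ]; then d=.; fi # an empty PATH entry means the current directory
        if [ "$d" = "$trusted_dir" ]; then
            return 1
        fi
        if [ -d "$d" ] && [ -w "$d" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# suspicious_lines FILE
# Prints (with line numbers) the lines of a startup file that assign PATH or
# LD_PRELOAD; returns 1 if the file is unreadable or has no such line.
suspicious_lines() {
    [ -r "$1" ] || return 1
    grep -nE '^[[:space:]]*(export[[:space:]]+)?(PATH|LD_PRELOAD)=' "$1"
}

# Stand-alone use. /usr/bin/gpg is an assumed trusted location; adjust it.
# 'command -v gpg' would not do here: it reports whatever the shell resolves
# first, which is exactly the binary an attacker would have planted.
if d=$(shadowing_dir "$PATH" /usr/bin/gpg); then
    echo "writable PATH entry ahead of /usr/bin/gpg: $d"
fi
for f in "$HOME/.profile" "$HOME/.bash_profile" "$HOME/.bashrc" "$HOME/.zshrc"; do
    if suspicious_lines "$f"; then echo "  (found in $f)"; fi
done
```

The check only catches the two mechanisms named in the thread; as Peter says, there are other ways to achieve the same effect from an unprivileged account, so it is a tripwire rather than a guarantee.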