LD_PRELOAD attack

Alexander W. Janssen yalla at fsfe.org
Wed Jun 11 23:30:47 CEST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

(forwarded this message)

michael graffam wrote:
> It's easy to solve the problem: all you need is a trusted strcmp() (i.e
> one linked directly w/ main() )..
>
> Before you do anything else, main() checks the environment pointer with
> the trusted strcmp() to make sure LD_PRELOAD isn't present. If it is,
> bail with a message. Done.

Interesting approach, but even if the variable LD_PRELOAD is empty or
doesn't exist, the process running in a compromised shell still runs the
preloaded-lib. Even if you have a trusted strcmp(), it wouldn't change
the fact that the lib gets loaded anyway.

> An LD_PRELOADed lib wouldn't have a chance to get hooked.

Well, even if the env-var isn't there, it still gets loaded!

Alex.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iQCVAwUBSFBEBRYlVVSQ3uFxAQLSagP+ONzt6GC+AVlgudwb+Agx6JeKKLC9teg8
cOPSRlDBXTWvH5qZakEOEy+9is6ALWRUA4N5soYiKnra1v9FiEDVqfFxqhsa2V5P
4TE/g+FxuR744zYAbJspJHH5zxxaSX35+epzTJ5I6+zmxLvWLFL+Eed9fmE5ljW/
kr0AjDcNKMI=
=Jbu1
-----END PGP SIGNATURE-----
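The two positions in the thread can be shown side by side in code. The following is an added example, not code from either poster: `env_has_ld_preload()` is the check the quoted post proposes (a prefix compare written locally so it does not go through libc's interposable `strcmp()`), and `scan_loaded_objects()` is the check Alex's objection calls for, enumerating what the loader has actually mapped into the process with glibc's `dl_iterate_phdr()` (Linux only) and counting objects that match none of a caller-supplied allowlist. The allowlist substrings, the function names and the `struct scan` type are assumptions made for this example.

```c
#define _GNU_SOURCE
#include <link.h>      /* dl_iterate_phdr(), struct dl_phdr_info (glibc, Linux) */
#include <stddef.h>
#include <stdio.h>

extern char **environ;

/* Local prefix test that never calls into libc, so a preloaded library
 * cannot interpose it the way it could interpose strcmp()/strncmp().
 * A shorter s mismatches at its terminating NUL, so there is no overread. */
static int has_prefix(const char *s, const char *prefix) {
    for (size_t i = 0; prefix[i] != '\0'; i++)
        if (s[i] != prefix[i]) return 0;
    return 1;
}

/* Local substring test, for the same reason. */
static int has_substr(const char *s, const char *needle) {
    for (size_t i = 0; s[i] != '\0'; i++)
        if (has_prefix(s + i, needle)) return 1;
    return needle[0] == '\0';
}

/* Check 1: the test the quoted post proposes. Returns 1 if the
 * environment block carries an LD_PRELOAD=... entry, else 0. As the
 * reply points out, a clean environment here proves nothing: the loader
 * finished preloading before main() ran, and the variable may have been
 * unset (or the object named in /etc/ld.so.preload) without any trace. */
int env_has_ld_preload(char *const *envp) {
    if (envp == NULL) return 0;
    for (; *envp != NULL; envp++)
        if (has_prefix(*envp, "LD_PRELOAD=")) return 1;
    return 0;
}

/* Check 2: look at what is actually mapped. (Hypothetical helper type.) */
struct scan {
    const char *const *expected;   /* allowlist of name substrings */
    size_t n_expected;
    int total;                     /* every object visited, main program included */
    int unexpected;                /* named objects matching no allowlist entry */
};

static int on_object(struct dl_phdr_info *info, size_t size, void *data) {
    (void)size;
    struct scan *sc = data;
    const char *name = info->dlpi_name ? info->dlpi_name : "";
    sc->total++;
    if (name[0] == '\0') return 0;             /* empty name: the main executable */
    int ok = 0;
    for (size_t i = 0; i < sc->n_expected && !ok; i++)
        ok = has_substr(name, sc->expected[i]);
    if (!ok) {
        sc->unexpected++;
        printf("unexpected object mapped: %s\n", name);
    }
    return 0;                                   /* keep iterating */
}

/* Returns the number of mapped, named objects outside the allowlist and,
 * if total_out is non-NULL, stores the total number of objects visited. */
int scan_loaded_objects(const char *const *expected, size_t n, int *total_out) {
    struct scan sc = { expected, n, 0, 0 };
    dl_iterate_phdr(on_object, &sc);
    if (total_out) *total_out = sc.total;
    return sc.unexpected;
}

int main(void) {
    /* Constructed allowlist for a plain C process on glibc or musl;
     * a real program lists exactly the libraries it links against. */
    static const char *const expected[] = { "libc.so", "ld-linux", "linux-vdso", "ld-musl" };
    int total = 0;
    int bad = scan_loaded_objects(expected, 4, &total);
    printf("LD_PRELOAD in environ: %s\n", env_has_ld_preload(environ) ? "yes" : "no");
    printf("%d objects mapped, %d not on the allowlist\n", total, bad);
    return bad != 0;
}
```

Running it under a shell that exported LD_PRELOAD and then unset it before exec shows the first check reporting "no" while the second still lists the preloaded object, which is exactly the gap the reply describes. Note that `dl_iterate_phdr()` itself is a libc function: a preloaded object can interpose it too, so this check raises the bar rather than settling the question, and only code that is not dynamically linked at all escapes the problem entirely.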



More information about the Gnupg-users mailing list