Nytro

Breaking the links: Exploiting the linker

Abstract

The recent discussion relating to insecure library loading on the Microsoft Windows platform provoked a significant amount of debate as to whether GNU/Linux and UNIX variants could be vulnerable to similar attacks. Whilst the general consensus of the Slashdot herd appeared to be that this was just another example of Microsoft doing things wrong, I felt this was unfair and responded with a blog post[1] that sought to highlight an example of where POSIX style linkers get things wrong. Based on the feedback I received to that post, I decided to investigate the issue a little further. This paper is an amalgamation of what I learnt. As such it contains my own research, the discoveries of others and POSIX lore.

Contents
1 Technical Details
1.1 What is the linker?
1.1.1 The link editor
1.1.2 The runtime linker
1.2 The linker attack surface
1.2.1 The process of linking and executing
1.2.2 Environment
1.2.3 Files
1.2.4 issetugid() and friends
1.3 Real world exploitation
1.3.1 The runtime linker as an interpreter
1.3.2 The empty library
1.3.3 SIGSEGV'ing for 12 years
1.3.4 What's in your RPATH?
1.3.5 Debian makes me sad
1.3.6 If an environment variable is set but you don't trust it, is it still there?
1.3.7 Reflections on Trusting Trust revisited
1.3.8 Mapping NULL
1.4 Auditing scripts, binaries and source
1.4.1 Scripts
1.4.2 Binaries
1.4.3 Source
1.5 Further research
1.5.1 Other linkers
2 Changes

BTL.pdf (2547 downloads)

© Tim Brown

License: n/a

Paper on exploiting linkers

Download BTL.pdf

Source: Nth Dimension/downloads:: Negatively discriminating against idiots since 1995!
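Two of the paper's topics above, "What's in your RPATH?" (1.3.4) and auditing binaries (1.4.2), come down to one practical check: does a binary carry a DT_RPATH or DT_RUNPATH entry that an unprivileged user can populate with a library of their choosing? The script below is an added example written for this page; it is not code from the paper or from any linker it discusses. It parses the text that GNU `readelf -d` (binutils) prints for those two tags, rates each search-path component, and can be pointed at a real file with `audit_binary()`. The sample readelf output is constructed, and the severity heuristics (empty component, relative path, `$ORIGIN`, `/tmp`, world-writable directory) are my own choices, not a list from the paper.

```python
"""Audit the DT_RPATH / DT_RUNPATH search directories of an ELF binary.

Added example for this page, not code from the paper or from any of the
linkers it discusses.  It reads the GNU readelf -d text format (binutils);
the sample below is constructed, and the path heuristics are my own.
"""
import os
import re
import stat
import subprocess
from typing import Dict, List, Tuple

# GNU readelf renders the two tags like this (constructed lines):
#  0x000000000000000f (RPATH)              Library rpath: [/opt/app/lib:lib:]
#  0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/../lib]
_RPATH_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[(.*)\]")

# Constructed sample of `readelf -d` output for a binary with a weak DT_RPATH.
SAMPLE_READELF = """\
Dynamic section at offset 0x2d48 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: [/opt/app/lib:lib:]
 0x000000000000000c (INIT)               0x1000
"""


def parse_readelf_dynamic(text: str) -> Dict[str, List[str]]:
    """Return {"RPATH": [...], "RUNPATH": [...]} from readelf -d output.

    The search path is colon separated.  Empty components are kept on
    purpose: the runtime linker treats an empty component as the current
    working directory, which is exactly the kind of entry an audit must see.
    """
    found: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = _RPATH_RE.search(line)
        if m:
            found[m.group(1)] = m.group(2).split(":")
    return found


def classify_entry(entry: str, setuid: bool = False) -> Tuple[str, str]:
    """Rate one search-path component as "ok", "warn" or "bad" with a reason."""
    if entry == "":
        return "bad", "empty component: searched as the current working directory"
    if entry.startswith(("$ORIGIN", "${ORIGIN}")):
        if setuid:
            return "bad", "$ORIGIN in a set-id binary: review how this loader treats it"
        return "warn", "$ORIGIN: only as safe as the directory holding the binary"
    if not entry.startswith("/"):
        return "bad", "relative path: resolved against the current working directory"
    if entry.startswith(("/tmp/", "/var/tmp/")) or entry in ("/tmp", "/var/tmp"):
        return "bad", "directory writable by every local user"
    # Only meaningful when the directory exists on the auditing host.
    try:
        if os.stat(entry).st_mode & stat.S_IWOTH:
            return "bad", "world-writable directory"
    except OSError:
        pass
    return "ok", "absolute path"


def audit_readelf_output(text: str, setuid: bool = False) -> List[dict]:
    """Audit every RPATH/RUNPATH component found in readelf -d output."""
    findings = []
    for tag, entries in parse_readelf_dynamic(text).items():
        for entry in entries:
            severity, reason = classify_entry(entry, setuid)
            findings.append({"tag": tag, "entry": entry,
                             "severity": severity, "reason": reason})
    return findings


def audit_binary(path: str) -> List[dict]:
    """Run readelf on a real file (requires binutils) and audit the result."""
    mode = os.stat(path).st_mode
    setuid = bool(mode & (stat.S_ISUID | stat.S_ISGID))
    out = subprocess.run(["readelf", "-d", path], capture_output=True,
                         text=True, check=True).stdout
    return audit_readelf_output(out, setuid)


if __name__ == "__main__":
    for f in audit_readelf_output(SAMPLE_READELF):
        print(f"{f['severity']:4} {f['tag']:7} {f['entry']!r}: {f['reason']}")
```

Run it as-is to see the constructed sample flagged (the `lib` and trailing empty components are both resolved against the caller's working directory), or call `audit_binary("/path/to/binary")` on a system with binutils installed; for set-id files the `$ORIGIN` rating is escalated so that a reviewer looks at how the particular loader expands it. Note that when a binary has both tags, the glibc loader consults DT_RUNPATH and ignores DT_RPATH; the script reports both so the stale one is not overlooked when the binary is rebuilt.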
