Jump to content
Nytro

Breaking the links: Exploiting the linker

By Nytro, in Tutoriale in engleza

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

Breaking the links: Exploiting the linker

Abstract

The recent discussion relating to insecure library loading on the Microsoft Windows platform

provoked a signicant amount of debate as to whether GNU/Linux and UNIX variants could

be vulnerable to similar attacks. Whilst the general consensus of the Slashdot herd appeared

to be that this was just another example of Microsoft doing things wrong, I felt this was unfair

and responded with a blog post[1] that sought to highlight an example of where POSIX style

linkers get things wrong. Based on the feedback I received to that post, I decided to investigate

the issue a little further. This paper is an amalgamation of what I learnt. As such it contains

my own research, the discoveries of others and POSIX lore.

Contents
1 Technical Details 2
1.1 What is the linker? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1.1 The link editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1.2 The runtime linker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2 The linker attack surface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2.1 The process of linking and executing . . . . . . . . . . . . . . . . . . . . . . . 2
1.2.2 Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2.3 Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.2.4 issetugid() and friends . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.3 Real world exploitation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.3.1 The runtime linker as an interpreter . . . . . . . . . . . . . . . . . . . . . . . 6
1.3.2 The empty library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.3.3 SIGSEGV'ing for 12 years . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.3.4 What's in your RPATH? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.3.5 Debian makes me sad  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.3.6 If an environment variables is set but you don't trust it, is it still there? . . . 11
1.3.7 Re
ections on Trusting Trust revisited . . . . . . . . . . . . . . . . . . . . . . 12
1.3.8 Mapping NULL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1.4 Auditing scripts, binaries and source . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.4.1 Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.4.2 Binaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.4.3 Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
1.5 Further research . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1.5.1 Other linkers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2 Changes 14

BTL.pdf (2547 downloads)

© Tim Brown

License: n/a

Paper on exploiting linkers

Download BTL.pdf

Sursa: Nth Dimension/downloads:: Negatively discriminating against idiots since 1995!

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...