Slashdot Mirror


Arbitrary Code Execution With "ldd"

pkrumins writes "The ldd utility is more vulnerable than you think. It's frequently used by programmers and system administrators to determine the dynamic library dependencies of executables. Sounds pretty innocent, right? Wrong! It turns out that running ldd on an executable can result in executing arbitrary code. This article details how such an executable can be constructed and comes up with a social engineering scenario that may lead to system compromise. I researched this subject thoroughly and found that it's almost completely undocumented."
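The safe way to answer the question ldd answers is to not run anything at all: read the ELF file as data and list its DT_NEEDED entries yourself. The following is an added example, not code from the linked article or from any ldd implementation; it handles little-endian ELF64 only, and the file it is exercised on is a constructed stub carrying just the headers the parser reads, not a real binary.

```python
import struct
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5

def elf_needed(data):
    """DT_NEEDED names of a little-endian ELF64 image, read purely as data (nothing is run)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    phoff = struct.unpack_from("<Q", data, 32)[0]
    phentsize, phnum = struct.unpack_from("<HH", data, 54)
    loads, dyn = [], None
    for i in range(phnum):
        p_type, _, p_off, p_vaddr, _, p_filesz, _, _ = struct.unpack_from("<IIQQQQQQ", data, phoff + i * phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_DYNAMIC:
            dyn = (p_off, p_off + p_filesz)
    if dyn is None:
        return []  # no PT_DYNAMIC: statically linked, nothing to resolve
    needed, strtab_va, off = [], None, dyn[0]
    while off + 16 <= dyn[1]:
        tag, val = struct.unpack_from("<QQ", data, off)
        off += 16
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            needed.append(val)
        elif tag == DT_STRTAB:
            strtab_va = val
    if not needed:
        return []
    # DT_STRTAB is a virtual address; map it to a file offset through the PT_LOAD segments.
    segs = [o + strtab_va - v for v, o, n in loads if strtab_va is not None and v <= strtab_va < v + n]
    if not segs:
        raise ValueError("DT_STRTAB missing or outside every PT_LOAD segment")
    return [data[segs[0] + n:data.index(b"\0", segs[0] + n)].decode() for n in needed]

def build_sample_elf(libs):
    """Constructed minimal ELF64 stub (not a real binary) with just the pieces elf_needed reads."""
    strtab = b"\0" + b"".join(s.encode() + b"\0" for s in libs)
    offs = [1 + sum(len(s) + 1 for s in libs[:i]) for i in range(len(libs))]
    dyn_off, str_off = 64 + 2 * 56, 64 + 2 * 56 + 16 * (len(libs) + 2)
    dyn = b"".join(struct.pack("<QQ", DT_NEEDED, o) for o in offs)
    dyn += struct.pack("<QQ", DT_STRTAB, str_off) + struct.pack("<QQ", DT_NULL, 0)
    total = str_off + len(strtab)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 64, 0, 0)  # ET_DYN, x86-64, 2 phdrs
    load = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)
    dynamic = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    return ehdr + load + dynamic + dyn + strtab
```

On a real system, `readelf -d` or `objdump -p` do the same thing without invoking the dynamic loader; what this parser does not give you is the resolved paths ldd prints, which is exactly the step that requires trusting the loader.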

3 of 184 comments

  1. Nasty by FranTaylor · Score: 4, Interesting

    This is really nasty.

    Even running the binary as nobody may get you into trouble if you are running under X because the rogue code can talk to your X server.

    And of course the rogue code could print out its own prompt and fool you into thinking that you are typing at the shell. In this case you get owned when you type su and subsequently type your root password into the rogue code. You'd have to carefully inspect your running processes to not get fooled by this trick.

    Maybe the answer is for ldd to use a sandbox.

  2. Other dirty tricks by sjames · Score: 4, Interesting

    If an ELF binary doesn't have execute permissions and you can't just set them, /lib/ld*.so will run it anyway.

    Some security hacks work by making the exec syscall return an error. A sufficiently clever binary can just map ld.so and the app into itself and effectively execute anyway. Of course this won't honor setuid but it also won't remove capabilities that have been marked not permitted for the target binary.

  3. Re:Thorough research by marcansoft · Score: 4, Interesting

    One wonders why no one thought to add that to the manpage.