Arbitrary Code Execution With "ldd"

pkrumins writes "The ldd utility is more vulnerable than you think. It's frequently used by programmers and system administrators to determine the dynamic library dependencies of executables. Sounds pretty innocent, right? Wrong! It turns out that running ldd on an executable can result in executing arbitrary code. This article details how such executable can be constructed and comes up with a social engineering scenario that may lead to system compromise. I researched this subject thoroughly and found that it's almost completely undocumented."

Re:ldd pwned

[postbigbang]

Uh, hello? Tech support?

You want me to do what with ldd?

Are you the same guy that told me to rm *? That wasn't funny....

the bug is not in ldd

[FranTaylor]

If you had read the article closely you would understand that the bug is not in ldd, it is in the dynamic loader.

Re:the bug is not in ldd

So our lesson here is... don't run any scripts we don't fully understand as root. Thanks Slashdot - I feel so informed today!

Re:the bug is not in ldd

[Timothy+Brownawell]

If you had read the article closely you would understand that the bug is not in ldd, it is in the dynamic loader.

The bug is that ldd executes the dynamic loader, which is specified by the executable being inspected. So if the executable claims to use ~/bin/evil.so as a loader instead of the standard /lib/ld-linux.so, then ldd will execute ~/bin/evil.so.

Re:the bug is not in ldd

[evanbd]

How many programs on your system do you *fully* understand? How certain are you about that?

Re:the bug is not in ldd

[bsDaemon]

I pretty much only code in Perl these days, so... not even the ones I've written myself, I guess.

Re:the bug is not in ldd

[marcansoft]

The bug is that ldd is trying to do the impossible: list dynamic dependencies for executables that it doesn't understand (more precisely: executables that don't use glibc and/or the standard linking mechanisms). The catch is that glibc's implementation offloads this task onto the dynamic linker, and whoever wrote ldd thought the rest of the world would be nice and follow ld-linux's environment variable convention with their dynamic loaders. And, of course, this completely violates the assumption that ldd treats its argument as data, and will not run code from it.

What ldd needs to do is realize that trying to be generic is futile, and either a) check for ld-linux and bail if otherwise, or b) become a real C app (using libbfd?) that can inspect the executable as data, which might gain it compatibility with other loaders if they follow the same ELF ABI for dependency specification. And under no circumstances actually call out to any untrusted code or libraries to do this.

Another WIN in WINdows

[MyLongNickName]

In Windows, we avoid this vulnerability by giving you absolutely no fricking clue what dependencies exist for any given DLL. Suck that Unix fanboys!

Re:Another WIN in WINdows

[Fizzl]

http://www.dependencywalker.com/

Re:Another WIN in WINdows

[MyLongNickName]

Yup. I've used it. It is a very useful tool. Note that this is not something built into Windows.

Re:Another WIN in WINdows

[joebp]

depends.exe does exactly this and ships with the platform sdk.

Re:Another WIN in WINdows

[onefriedrice]

Also note that Dependency Walker itself might as well be arbitrary code since I can't read its source code.

Re:Another WIN in WINdows

[Tetsujin]

Also note that Dependency Walker itself might as well be arbitrary code since I can't read its source code.

I've had the full source code for "ldd" on my linux box for the past thirteen years... What good has that done in this case?

Re:Another WIN in WINdows

[robogymnast]

I've had the full source code for "ldd" on my linux box for the past thirteen years... What good has that done in this case?

The good that it has done is that the author of this article DID have access to the source, analyzed it, found a vulnerability and now you, me or anyone else can (and no doubt will) patch it. The point of the source being available isn't that you personally need to look through every line of code that your system executes, but rather that it is made available to anyone to analyze for security, efficiency, correctness, etc. instead of being locked up in a vault somewhere.

Re:ldd pwned

[Skapare]

It's the dynamic loader that knows how to interpret that executable format's list of libraries it depends on. What "ldd" does is just trigger the dynamic loader to output the libraries instead of run the program. The weakness is that an alternate dynamic loader might not do that and will just run the program anyway. Possible fixes include a new "ldd" that parses the executable itself instead of trying to get the dynamic loader to do it, or a means to restrict what dynamic loaders can be used (to just the ones that play well with "ldd").

Thorough research

[Mortice]

'I researched this subject thoroughly and found that it's almost completely undocumented'.

Did the thorough research include a Google search for 'ldd security'?

My thorough (3 minute research) turned up this tidbit from TLDP:

Beware: do not run ldd on a program you don't trust. As is clearly stated in the ldd(1) manual, ldd works by (in certain cases) by setting a special environment variable (for ELF objects, LD_TRACE_LOADED_OBJECTS) and then executing the program. It may be possible for an untrusted program to force the ldd user to run arbitrary code (instead of simply showing the ldd information). So, for safety's sake, don't use ldd on programs you don't trust to execute.

Re:Thorough research

[marcansoft]

One wonders why no one thought to add that to the manpage.

Re:Thorough research

[pkrumins]

What I mean is that I found only 3 or 4 references to this problem on the whole Internet. If that doesn't mean *almost completely undocumented* then I don't know what does.

Cool and so what

[nweaver]

On one hand that is a cool little hack. But on the other hand, so what? How many cases occur where even with social engineering will someone run ldd but not run the executable? E.g. In the example most sysadmins would run the program itself anyway

Re:Cool and so what

[Lord+Bitman]

times like this, I just want to be able to say:
  sandbox $whatever_command
and have it run in a completely safe environment.
We have usermode linux, how hard would it be to have such a thing self-contained and operating in a read-from-real-filesystem,write-to-virtual-filesystem,--disable-all,--enable-fake-internet, manner?

Or does such a thing exist? Security for examining someone else's arbitrary commands doesn't seem like it should be an unsolved problem

Re:Cool and so what

[the+99th+penguin]

times like this, I just want to be able to say:
sandbox $whatever_command
and have it run in a completely safe environment.
[...] Or does such a thing exist?

A virtual machine you mean?

Nasty

[FranTaylor]

This is really nasty.

Even running the binary as nobody may get you into trouble if you are running under X because the rogue code can talk to your X server.

And of course the rogue code could print out its own prompt and fool you into thinking that you are typing at the shell. In this case you get owned when you type su and subsequently type your root password into the rogue code. You'd have to carefully inspect your running processes to not get fooled by this trick.

Maybe the answer is for ldd to use a sandbox.

Specific to Linux?

[alcourt]

It'd be nice if the author made it more clear what OS this is claimed to apply to. For example, Solaris 10 has /usr/bin/ldd as an ELF. I don't have my HP-UX or AIX test systems handy, nevermind recent releases of RHEL.

Also, what efforts has the coder gone to in order to notify the appropriate security groups so that a fix can be produced quickly? I'm not disputing the potential security issues, but there is a reason for first disclosing to a vendor on non-public channels. Give the vendor/coder the chance to do the right thing and produce a fix.

The bug is not in the dynamic loader

[Skapare]

Actually, no. The bug is NOT in the dynamic loader. In particular, when the exploiting executable specifies a different dynamic loader in the binary interpreter field, then the system dynamic loader is not even involved.

RTFA again. The exploit involves using a different dynamic loader. The evil person has made a fake loader that does the evil deed. That's NOT a bug, since it does what he (the evil person) wanted.

The bug is ... at least partly ... in the /usr/bin/ldd script. The real source of the bug is in the thinking that every dynamic loader would do this and that no dynamic loader that failed to would ever be used. That's saying that the design of doing it this way is what is buggy.

There are some possible fixes. One fix is to make a program to replace /usr/bin/ldd that understand by itself how to parse and interpret all executables. That might be done best via a new flag on the dynamic linker or dynamic loader programs. This needs to work for all executable formats the system might need to work with. Another fix is to provide for a list of allowed (trusted) dynamic loaders that would be enforced most likely by the kernel. That list could be managed via a /proc entry that can only be written/appended to by root (and uses a built-in list prepared when the kernel was compiled, whenever that /proc entry list is empty).

New Lingo

[Thunderstruck]

I researched this subject thoroughly and found that it's almost completely undocumented.'

Is this the new way to say "I checked it out and it's legit!"

Remember to Exit Stage Left

[HaloZero]

I researched this subject thoroughly and found that it's almost completely undocumented.

Completely undocumented... <CARUSO NAME="david" STYLE="csi/miami" SHADES="true"> ...until now. </CARUSO>

YEAAAAAAAAAH!

Other dirty tricks

[sjames]

If an ELF binary doesn't have execute permissions and you can't just set them, /lib/ld*.so will run it anyway.

Some security hacks work by making the exec syscall return an error. A sufficiently clever binary can just map ld.so and the app into itself and effectively execute anyway. Of course this won't honor setuid but it also won't remove capabilities that have been marked not permitted for the target binary.

Re:And the point is...

I think (hope) that he meant, "I use sudo for things that need root, so I don't wind up running things that don't (like ldd) as root."

Re:User can choose to run arbitrary code...

[AndrewNeo]

It's not quite the same thing. Since the binary you're looking at has to have this exploit in it, your example might as well just run `dancing_bunnies` in the first place. The reason this is an issue is because it will run while doing `ldd dancing_bunnies` where you would expect ldd not to run any arbitrary code.

1985 called, they want their exploit back

[uslinux.net]

http://web.archive.org/web/20050211210119/http://reverse.lostrealm.com/protect/ldd.html

Rename it!

[mweather]

They should rename it iddqd in honour of this new feature.

Documented in ldd(1) and Program Library HOWTO

[dwheeler]

This is documented, and in multiple places. My Program Library HOWTO, section "Shared Libraries", says the following, and it's dated in 2000: "Beware: do not run ldd on a program you don't trust. As is clearly stated in the ldd(1) manual, ldd works by (in certain cases) by setting a special environment variable (for ELF objects, LD_TRACE_LOADED_OBJECTS) and then executing the program. It may be possible for an untrusted program to force the ldd user to run arbitrary code (instead of simply showing the ldd information). So, for safety's sake, don't use ldd on programs you don't trust to execute." Now I'd agree that it would better if ldd were changed to NOT do this. If the result of this article is a change in its code to not do this, that would be a great result. But it's simply not true that this is undocumented.