Slashdot Mirror

← Back to Stories (view on slashdot.org)

Arbitrary Code Execution With "ldd"

Posted by kdawson on from the so-easy dept.

pkrumins writes "The ldd utility is more vulnerable than you think. It's frequently used by programmers and system administrators to determine the dynamic library dependencies of executables. Sounds pretty innocent, right? Wrong! It turns out that running ldd on an executable can result in executing arbitrary code. This article details how such executable can be constructed and comes up with a social engineering scenario that may lead to system compromise. I researched this subject thoroughly and found that it's almost completely undocumented."

21 of 184 comments (clear)

  1. Re:ldd pwned by postbigbang · · Score: 5, Funny

    Uh, hello? Tech support?

    You want me to do what with ldd?

    Are you the same guy that told me to rm *? That wasn't funny....

    --
    ---- Teach Peace. It's Cheaper Than War.
  2. Another WIN in WINdows by MyLongNickName · · Score: 5, Funny

    In Windows, we avoid this vulnerability by giving you absolutely no fricking clue what dependencies exist for any given DLL. Suck that Unix fanboys!

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    1. Re:Another WIN in WINdows by Fizzl · · Score: 4, Informative

      http://www.dependencywalker.com/

      --
      Bot Assisted Blogging
    2. Re:Another WIN in WINdows by MyLongNickName · · Score: 4, Informative

      Yup. I've used it. It is a very useful tool. Note that this is not something built into Windows.

      --
      See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
    3. Re:Another WIN in WINdows by joebp · · Score: 4, Informative

      depends.exe does exactly this and ships with the platform sdk.

    4. Re:Another WIN in WINdows by Tetsujin · · Score: 4, Insightful

      Also note that Dependency Walker itself might as well be arbitrary code since I can't read its source code.

      I've had the full source code for "ldd" on my linux box for the past thirteen years... What good has that done in this case?

      --
      Bow-ties are cool.
    5. Re:Another WIN in WINdows by robogymnast · · Score: 4, Insightful

      I've had the full source code for "ldd" on my linux box for the past thirteen years... What good has that done in this case?

      The good that it has done is that the author of this article DID have access to the source, analyzed it, found a vulnerability and now you, me or anyone else can (and no doubt will) patch it. The point of the source being available isn't that you personally need to look through every line of code that your system executes, but rather that it is made available to anyone to analyze for security, efficiency, correctness, etc. instead of being locked up in a vault somewhere.

      --
      unzip ; strip ; touch ; grep ; find ; finger ; mount ; fsck ; more ; yes ; fsck ; umount ; sleep
  3. Re:ldd pwned by Skapare · · Score: 4, Insightful

    It's the dynamic loader that knows how to interpret that executable format's list of libraries it depends on. What "ldd" does is just trigger the dynamic loader to output the libraries instead of run the program. The weakness is that an alternate dynamic loader might not do that and will just run the program anyway. Possible fixes include a new "ldd" that parses the executable itself instead of trying to get the dynamic loader to do it, or a means to restrict what dynamic loaders can be used (to just the ones that play well with "ldd").

    --
    now we need to go OSS in diesel cars
  4. Thorough research by Mortice · · Score: 5, Insightful

    'I researched this subject thoroughly and found that it's almost completely undocumented'.

    Did the thorough research include a Google search for 'ldd security'?

    My thorough (3 minute research) turned up this tidbit from TLDP:

    Beware: do not run ldd on a program you don't trust. As is clearly stated in the ldd(1) manual, ldd works by (in certain cases) by setting a special environment variable (for ELF objects, LD_TRACE_LOADED_OBJECTS) and then executing the program. It may be possible for an untrusted program to force the ldd user to run arbitrary code (instead of simply showing the ldd information). So, for safety's sake, don't use ldd on programs you don't trust to execute.

    1. Re:Thorough research by marcansoft · · Score: 4, Interesting

      One wonders why no one thought to add that to the manpage.

  5. Nasty by FranTaylor · · Score: 4, Interesting

    This is really nasty.

    Even running the binary as nobody may get you into trouble if you are running under X because the rogue code can talk to your X server.

    And of course the rogue code could print out its own prompt and fool you into thinking that you are typing at the shell. In this case you get owned when you type su and subsequently type your root password into the rogue code. You'd have to carefully inspect your running processes to not get fooled by this trick.

    Maybe the answer is for ldd to use a sandbox.

  6. Specific to Linux? by alcourt · · Score: 4, Insightful

    It'd be nice if the author made it more clear what OS this is claimed to apply to. For example, Solaris 10 has /usr/bin/ldd as an ELF. I don't have my HP-UX or AIX test systems handy, nevermind recent releases of RHEL.

    Also, what efforts has the coder gone to in order to notify the appropriate security groups so that a fix can be produced quickly? I'm not disputing the potential security issues, but there is a reason for first disclosing to a vendor on non-public channels. Give the vendor/coder the chance to do the right thing and produce a fix.

    --
    "I may disagree with what you say, but I will defend unto the death your right to say it." -- Voltaire
  7. The bug is not in the dynamic loader by Skapare · · Score: 5, Insightful

    Actually, no. The bug is NOT in the dynamic loader. In particular, when the exploiting executable specifies a different dynamic loader in the binary interpreter field, then the system dynamic loader is not even involved.

    RTFA again. The exploit involves using a different dynamic loader. The evil person has made a fake loader that does the evil deed. That's NOT a bug, since it does what he (the evil person) wanted.

    The bug is ... at least partly ... in the /usr/bin/ldd script. The real source of the bug is in the thinking that every dynamic loader would do this and that no dynamic loader that failed to would ever be used. That's saying that the design of doing it this way is what is buggy.

    There are some possible fixes. One fix is to make a program to replace /usr/bin/ldd that understand by itself how to parse and interpret all executables. That might be done best via a new flag on the dynamic linker or dynamic loader programs. This needs to work for all executable formats the system might need to work with. Another fix is to provide for a list of allowed (trusted) dynamic loaders that would be enforced most likely by the kernel. That list could be managed via a /proc entry that can only be written/appended to by root (and uses a built-in list prepared when the kernel was compiled, whenever that /proc entry list is empty).

    --
    now we need to go OSS in diesel cars
  8. New Lingo by Thunderstruck · · Score: 4, Insightful

    I researched this subject thoroughly and found that it's almost completely undocumented.'

    Is this the new way to say "I checked it out and it's legit!"

    --
    Trying to use sarcasm in text-based forums does not work.
  9. Remember to Exit Stage Left by HaloZero · · Score: 5, Funny

    I researched this subject thoroughly and found that it's almost completely undocumented.

    Completely undocumented... <CARUSO NAME="david" STYLE="csi/miami" SHADES="true"> ...until now. </CARUSO>

    YEAAAAAAAAAH!

    --
    Informatus Technologicus
  10. Other dirty tricks by sjames · · Score: 4, Interesting

    If an ELF binary doesn't have execute permissions and you can't just set them, /lib/ld*.so will run it anyway.

    Some security hacks work by making the exec syscall return an error. A sufficiently clever binary can just map ld.so and the app into itself and effectively execute anyway. Of course this won't honor setuid but it also won't remove capabilities that have been marked not permitted for the target binary.

  11. Re:the bug is not in ldd by evanbd · · Score: 4, Insightful

    How many programs on your system do you *fully* understand? How certain are you about that?

  12. Re:Cool and so what by the+99th+penguin · · Score: 4, Funny

    times like this, I just want to be able to say:
    sandbox $whatever_command
    and have it run in a completely safe environment.
    [...] Or does such a thing exist?

    A virtual machine you mean?

  13. 1985 called, they want their exploit back by uslinux.net · · Score: 4, Insightful

    http://web.archive.org/web/20050211210119/http://reverse.lostrealm.com/protect/ldd.html

  14. Re:the bug is not in ldd by bsDaemon · · Score: 5, Funny

    I pretty much only code in Perl these days, so... not even the ones I've written myself, I guess.

  15. Re:the bug is not in ldd by marcansoft · · Score: 4, Informative

    The bug is that ldd is trying to do the impossible: list dynamic dependencies for executables that it doesn't understand (more precisely: executables that don't use glibc and/or the standard linking mechanisms). The catch is that glibc's implementation offloads this task onto the dynamic linker, and whoever wrote ldd thought the rest of the world would be nice and follow ld-linux's environment variable convention with their dynamic loaders. And, of course, this completely violates the assumption that ldd treats its argument as data, and will not run code from it.

    What ldd needs to do is realize that trying to be generic is futile, and either a) check for ld-linux and bail if otherwise, or b) become a real C app (using libbfd?) that can inspect the executable as data, which might gain it compatibility with other loaders if they follow the same ELF ABI for dependency specification. And under no circumstances actually call out to any untrusted code or libraries to do this.