Slashdot Mirror

← Back to Stories (view on slashdot.org)

Arbitrary Code Execution With "ldd"

Posted by kdawson on from the so-easy dept.

pkrumins writes "The ldd utility is more vulnerable than you think. It's frequently used by programmers and system administrators to determine the dynamic library dependencies of executables. Sounds pretty innocent, right? Wrong! It turns out that running ldd on an executable can result in executing arbitrary code. This article details how such executable can be constructed and comes up with a social engineering scenario that may lead to system compromise. I researched this subject thoroughly and found that it's almost completely undocumented."

6 of 184 comments (clear)

  1. Re:ldd pwned by postbigbang · · Score: 5, Funny

    Uh, hello? Tech support?

    You want me to do what with ldd?

    Are you the same guy that told me to rm *? That wasn't funny....

    --
    ---- Teach Peace. It's Cheaper Than War.
  2. Another WIN in WINdows by MyLongNickName · · Score: 5, Funny

    In Windows, we avoid this vulnerability by giving you absolutely no fricking clue what dependencies exist for any given DLL. Suck that Unix fanboys!

    --
    See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
  3. Thorough research by Mortice · · Score: 5, Insightful

    'I researched this subject thoroughly and found that it's almost completely undocumented'.

    Did the thorough research include a Google search for 'ldd security'?

    My thorough (3 minute research) turned up this tidbit from TLDP:

    Beware: do not run ldd on a program you don't trust. As is clearly stated in the ldd(1) manual, ldd works by (in certain cases) by setting a special environment variable (for ELF objects, LD_TRACE_LOADED_OBJECTS) and then executing the program. It may be possible for an untrusted program to force the ldd user to run arbitrary code (instead of simply showing the ldd information). So, for safety's sake, don't use ldd on programs you don't trust to execute.

  4. The bug is not in the dynamic loader by Skapare · · Score: 5, Insightful

    Actually, no. The bug is NOT in the dynamic loader. In particular, when the exploiting executable specifies a different dynamic loader in the binary interpreter field, then the system dynamic loader is not even involved.

    RTFA again. The exploit involves using a different dynamic loader. The evil person has made a fake loader that does the evil deed. That's NOT a bug, since it does what he (the evil person) wanted.

    The bug is ... at least partly ... in the /usr/bin/ldd script. The real source of the bug is in the thinking that every dynamic loader would do this and that no dynamic loader that failed to would ever be used. That's saying that the design of doing it this way is what is buggy.

    There are some possible fixes. One fix is to make a program to replace /usr/bin/ldd that understand by itself how to parse and interpret all executables. That might be done best via a new flag on the dynamic linker or dynamic loader programs. This needs to work for all executable formats the system might need to work with. Another fix is to provide for a list of allowed (trusted) dynamic loaders that would be enforced most likely by the kernel. That list could be managed via a /proc entry that can only be written/appended to by root (and uses a built-in list prepared when the kernel was compiled, whenever that /proc entry list is empty).

    --
    now we need to go OSS in diesel cars
  5. Remember to Exit Stage Left by HaloZero · · Score: 5, Funny

    I researched this subject thoroughly and found that it's almost completely undocumented.

    Completely undocumented... <CARUSO NAME="david" STYLE="csi/miami" SHADES="true"> ...until now. </CARUSO>

    YEAAAAAAAAAH!

    --
    Informatus Technologicus
  6. Re:the bug is not in ldd by bsDaemon · · Score: 5, Funny

    I pretty much only code in Perl these days, so... not even the ones I've written myself, I guess.