DLL hijacking on Linux
Aug 24 2010 11:26PM Tim Brown (timb nth-dimension org uk) (1 replies)
All,
If you've seen the recent Microsoft advisory, I put together a nice post on a
similar DLL hijacking issue that affects Linux (and other POSIX-alikes). You
can read the full details on my blog
(http://www.nth-dimension.org.uk/blog.php?id=87) but the key point is that an
empty directory
specification statement in LD_LIBRARY_PATH, PATH (and probably others) is
equivalent to $CWD. That is to say that LD_LIBRARY_PATH=":/lib" is equivalent
to LD_LIBRARY_PATH=".:/lib". It can occur when a script has
LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/lib" or similar and LD_LIBRARY_PATH hasn't
previously been defined. It's worth checking for this kind of thing in scripts
that may be run via sudo/su when auditing hosts. I don't believe it's a
vulnerability per se, but particular instances of broken scripts may well be.
Tim
--
Tim Brown
<mailto:timb (at) nth-dimension.org (dot) uk [email concealed]>
<http://www.nth-dimension.org.uk/>
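An auditing aid for the empty-entry case described in the message above, as an added example that is not part of the original post. It checks a path value for entries that resolve to the current directory, shows the `${VAR:+$VAR:}` guard for appending, and scans a script for unguarded assignments. The helper names and the sample script are constructed for illustration.

```shell
#!/bin/sh
# Added example: helper names and the sample script are constructed.

# Succeeds if a colon-separated search path has an entry that resolves to the
# current directory: an empty entry (leading, trailing or doubled colon) or
# an explicit ".". A completely empty value is not flagged by this check.
path_has_cwd_entry() {
    [ -n "$1" ] || return 1
    case ":$1:" in
        *::*|*:.:*) return 0 ;;
    esac
    return 1
}

# Append directory $2 to path value $1 without creating an empty entry:
# ${1:+$1:} expands to "$1:" only when $1 is non-empty.
safe_append() {
    printf '%s\n' "${1:+$1:}$2"
}

# Read a script on stdin; print "lineno:text" for assignments that splice the
# old value in unguarded (VAR="$VAR:/dir" or VAR="/dir:$VAR"). Heuristic:
# only LD_LIBRARY_PATH and PATH, single-line assignments.
scan_script() {
    n='(LD_LIBRARY_PATH|PATH)'
    ref='(\$'"${n}"'|\$\{'"${n}"'\})'   # matches $VAR or ${VAR}
    grep -nE "(^|[^[:alnum:]_])${n}=[\"']?(${ref}:|.*:${ref}[\"']?[[:space:]]*\$)"
}

# Constructed sample: lines 2 and 4 are unguarded, line 5 uses the guard.
sample_script() {
    cat <<'EOF'
#!/bin/sh
LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/lib"
export LD_LIBRARY_PATH
PATH="/opt/tool/bin:${PATH}"
LD_LIBRARY_PATH="${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}/opt/tool/lib"
EOF
}

sample_script | scan_script
```

The scan is a grep heuristic for triage during a host audit; a flagged line only matters if the variable can be unset or empty when the script runs.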