BugTraq
Breaking the links: Exploiting the linker Jun 29 2011 08:53PM
Tim Brown (timb nth-dimension org uk) (1 replies)
I've recently been working on a paper on Linux and POSIX linkers, the most
recent release of which can be found at:

* http://www.nth-dimension.org.uk/downloads.php?id=77

I'm particularly interested in feedback on references or threats that I may
have missed. As per the abstract, the aim of the paper wasn't to claim
everything as my own but rather to document as much as possible about common
flaws and how to identify them.

Whilst working on the paper I came across a number of interesting bugs (some
exploitable, others sadly not). The paper itself touches on the circumstances
around CVE-2011-1126 but two other bugs also mentioned in the paper (one of
which I released the advisory NDSA20110310 for) are potentially more useful so
I've written PoC to exploit them:

1) http://www.nth-dimension.org.uk/downloads.php?id=83 - Privesc attack using
DB2 from normal user to root; the PoC is for Linux, but based on testing the
AIX version looks iffy too, although I couldn't get gcc to generate a valid
library to exploit it.
2) http://www.nth-dimension.org.uk/downloads.php?id=80 - Generic attack on the
QNX runtime linker, which abuses an arbitrary file overwrite and race condition
to get root.

The paper is still a work in progress but both DB2 and QNX are available for
download if you want to take them for a spin. Anyway, enjoy!

Tim
--
Tim Brown
<mailto:timb (at) nth-dimension.org (dot) uk [email concealed]>
<http://www.nth-dimension.org.uk/>

Re: [Full-disclosure] Breaking the links: Exploiting the linker Oct 16 2011 06:16PM
Tim Brown (timb nth-dimension org uk)