You're viewing a comment by Peter Cordes and its responses.
|
Computers are useless. They can only give you answers. |
About the site:
Twitter
Facebook
Plurk
more
GitHub
LinkedIn
FriendFeed
Google PlusSubscribe to my posts:
Server Sponsors
I am being sponsored by Syntress! They bought me an amazing dedicated server to run catonmat on. If you're looking web services, I highly recommend the Syntress guys!
Education Sponsors
I am being sponsored by A-Writer! If you ever need help with essay writing, look no further than A-Writer! They will help you with your writing in as quickly as 3 hours!
My Amazon Wish List
I love to read science books. They make my day and I get ideas for awesome blog posts, such as Busy Beaver, On Functors, Recursive Regular Expressions and many others.
Take a look at my 
Amazon wish list, if you're curious about what I have planned reading next, and want to surprise me. :)
My Other Websites
Top Ten Articles:
- Top Ten One-Liners from CommandLineFu Explained
- My Job Interview at Google
- MIT's Introduction to Algorithms, Lectures 1 and 2: Analysis of Algorithms
- Famous Awk One-Liners Explained, Part I: File Spacing, Numbering and Calculations
- The Definitive Guide to Bash Command Line History
- Working Productively in Bash's Vi Command Line Editing Mode (with Cheat Sheet)
- Famous Sed One-Liners Explained, Part I: File Spacing, Numbering and Text Conversion and Substitution
- Vim Plugins You Should Know About, Part VI: nerd_tree.vim
- Vim Plugins You Should Know About, Part I: surround.vim
- Low Level Bit Hacks You Absolutely Must Know
Top Ten Downloads:
- awk cheat sheet (.pdf) (106,124)
- bash history cheat sheet (.pdf) (91,972)
- perl's pack/unpack and printf cheat sheet (.pdf) (80,791)
- sed stream editor cheat sheet (.pdf) (71,782)
- screen cheat sheet (.pdf) (58,488)
- perl's special variable cheat sheet (.pdf) (54,583)
- bash vi editing mode cheat sheet (.pdf) (49,968)
- perl1line.txt (49,730)
- the bill gates song.mp3 (musical geek friday #8) (47,153)
- crypt-o.mp3 (musical geek friday #1) (45,455)
Recent Articles:
- Announcing real IEs for Browserling
- Introduction to Perl one-liners
- A quine in node.js
- A poem about division from Hacker's Delight
- The curious case of the DES algorithm
- A proof that Unix utility "sed" is Turing complete
- Review of Clickatell's SMS Service
- Here is why vim uses the hjkl keys as arrow keys
- Announcing dedicated servers for Browserling
- Announcing my third e-book "Perl One-Liners Explained"
Article Categories:
- Awk Programming (8)
- Browserling Startup (12)
- Cheat Sheets (9)
- Computer Science (9)
- Hacker's Approach (5)
- Howto (10)
- Introduction to Algorithms (15)
- Linear Algebra (6)
- Mathematics (1)
- Misc (9)
- Musical Geek Friday (17)
- Node.js Modules (15)
- Perl Programming (14)
- Programming (31)
- Projects (13)
- Security (1)
- The New Catonmat (1)
- Tools (1)
- Unix Shell (18)
- Video Lectures (17)
- Visual Math Friday (1)
Article Archive:
- May, 2012 (3)
- April, 2012 (4)
- March, 2012 (2)
- February, 2012 (1)
- January, 2012 (4)
- December, 2011 (15)
- November, 2011 (3)
- October, 2011 (2)
- September, 2011 (2)
- August, 2011 (3)
- July, 2011 (1)
- June, 2011 (2)
- May, 2011 (1)
- April, 2011 (1)
- March, 2011 (1)
- February, 2011 (1)
- January, 2011 (1)
- December, 2010 (2)
- November, 2010 (1)
- October, 2010 (1)
- September, 2010 (1)
- August, 2010 (2)
- July, 2010 (2)
- June, 2010 (2)
- May, 2010 (2)
- April, 2010 (2)
- March, 2010 (5)
- February, 2010 (5)
- January, 2010 (7)
- December, 2009 (6)
- November, 2009 (6)
- October, 2009 (2)
- September, 2009 (3)
- August, 2009 (2)
- July, 2009 (4)
- June, 2009 (1)
- April, 2009 (1)
- March, 2009 (2)
- February, 2009 (7)
- January, 2009 (4)
- December, 2008 (8)
- November, 2008 (7)
- October, 2008 (4)
- September, 2008 (5)
- August, 2008 (9)
- July, 2008 (14)
- June, 2008 (4)
- May, 2008 (5)
- April, 2008 (8)
- March, 2008 (3)
- February, 2008 (1)
- January, 2008 (1)
- November, 2007 (1)
- October, 2007 (3)
- September, 2007 (5)
- August, 2007 (10)
- July, 2007 (9)
Advertisements
Advertisements
Advertisements
This is a unsafe-ldd problem is different from the old one. I remember learning that a.out ldd just ran the executable with argc=1 (i.e. argv[0]==NULL), and that would cause the dynamic a.out dynamic linker to dump library deps. Obviously that's easy to exploit, since you just need a static binary with startup code that doesn't exit with no args.
I was under the impression that ELF ldd was safe, because ld.so printed the dependencies without execing the binary directly. I don't know if it ever was safe, but it's obviously not now, I guess due to the "feature" of supporting binaries that use a non-standard dynamic linker. /sigh. Maybe that feature should only be enabled with ldd --insecure, or something.
LD_TRACE_LOADED_OBJECTS=1 /lib/ld-2.9.so /bin/ls works, and if that's exploitable it's a bug in ld.so, right?
Unfortunately there is no "ld.so": it's really /lib/ld-linux-x86-64.so.2 or ld-linux.so.2 or ld-2.9.so. I guess that's why ldd takes the insecure easy route of running the executable if it has exec permission.
While assuming a secure ldd is a bad habit, since other Unixes don't have a secure ldd, it never hurts to make a system that doesn't suffer from the same problems as other systems. Is openBSD's ldd safe on arbitrary binaries?
Reply To This Comment