You're viewing a comment by Peter Cordes and its responses.

Peter Cordes Permalink
October 27, 2009, 23:03

This is a unsafe-ldd problem is different from the old one. I remember learning that a.out ldd just ran the executable with argc=1 (i.e. argv[0]==NULL), and that would cause the dynamic a.out dynamic linker to dump library deps. Obviously that's easy to exploit, since you just need a static binary with startup code that doesn't exit with no args.

I was under the impression that ELF ldd was safe, because ld.so printed the dependencies without execing the binary directly. I don't know if it ever was safe, but it's obviously not now, I guess due to the "feature" of supporting binaries that use a non-standard dynamic linker. /sigh. Maybe that feature should only be enabled with ldd --insecure, or something.

LD_TRACE_LOADED_OBJECTS=1 /lib/ld-2.9.so /bin/ls works, and if that's exploitable it's a bug in ld.so, right?

Unfortunately there is no "ld.so": it's really /lib/ld-linux-x86-64.so.2 or ld-linux.so.2 or ld-2.9.so. I guess that's why ldd takes the insecure easy route of running the executable if it has exec permission.

While assuming a secure ldd is a bad habit, since other Unixes don't have a secure ldd, it never hurts to make a system that doesn't suffer from the same problems as other systems. Is openBSD's ldd safe on arbitrary binaries?

Reply To This Comment

(why do I need your e-mail?)

(Your twitter name, if you have one. (I'm @pkrumins, btw.))

Type the first letter of your name: (just to make sure you're a human)

Please preview the comment before submitting to make sure it's OK.