

Arbitrary code execution via ldd utility - pkrumins
http://www.catonmat.net/blog/ldd-arbitrary-code-execution/

======
thirdstation
This is only a vulnerability if you don't know what ldd does. The problem is
that it's not necessarily easy to find out what ldd does.

The man pages for Solaris 8-10 will tell you not to run it on untrusted files.
But, if you Google "man ldd" you may get this page (the first result for me,
btw):

<http://unixhelp.ed.ac.uk/CGI/man-cgi?ldd+1>

Which is very sparse. If you are not an experienced SA you may not notice that
the information is old, or not applicable to your platform. There are a lot of
quasi-administrators (techy folk in your dept. w/ admin privileges) who may be
vulnerable to social engineering by a consultant or evil employee (I've seen
both happen).

We are all vulnerable to what we don't know.

~~~
derobert
That link is actually the current one on my Debian testing/Squeeze system. It's
part of at least reasonably current glibc releases.

------
scott_s
I don't consider this "arbitrary code execution." To me, that implies that
someone not logged into the system was able to exploit a vulnerability in an
externally facing application.

In this case, the author assumes a login. That's like explaining how to break
into someone's house and starting with "Okay, you're on the other side of
someone's door. Now you can do what you want!" It just turns out that the
semantics of ldd are to run the program. This is no more arbitrary code
execution than tricking someone on Windows to run your program by saying
"Download this file and double-click it."

~~~
niyazpk
Exactly my thought.

The arbitrary code is executed only when the user tells it to do so. This is
not a bug, it is a feature. Computers are supposed to work like that.

Raymond Chen observes (link:
http://blogs.msdn.com/oldnewthing/archive/2008/05/16/8510192.aspx):

 _It is not a security vulnerability that users with permission to shut down
the computer can shut down the computer. This is another example of people
getting excited that they were able to do something unusual. But just because
you can do something unusual doesn’t mean that you’ve found a security
vulnerability._

~~~
scott_s
I thought of Raymond Chen, too! I Googled until I found the entry you found,
but also this one
(http://blogs.msdn.com/oldnewthing/archive/2006/05/08/592350.aspx),
which has the observation:

 _Code injection doesn't become a security hole until you have elevation of
privilege._

Chen's the one who originally made me realize the distinction between tricking
someone into running a program, and an actual security vulnerability.

------
viraptor
Does anyone know why `ldd` uses the loader? Only to resolve the names? It
seems that you can get the basic names from objdump too (dynamic section /
`NEEDED` symbols).

It seems that it's easy to "secure" this bug... if you have more caps than the
owner of the loader, warn that you need a special flag and exit. SELinux and
similar might make that decision harder though...

~~~
scott_s
My guess is just not wanting to duplicate functionality. The loader needs to
figure out what libraries to load at runtime, and it's easier and more
reliable to just ask the loader than to write code that does the same thing.

------
tptacek
_Sysadmin’s phone_ : ring, ring.

 _Sysadmin_ : “Mr. sysadmin here. How can I help you?”

 _You_ : “Hi. An app that I have been using has started misbehaving. When I
run it, I get an error saying something about the permissions on
/usr/share/zoneinfo-something. Can you help me?”

 _Sysadmin_ : “Sure. What app is it?”

 _You_ : “It’s in my home directory, /home/carl/app/bin/myapp.”

 _Sysadmin_ : “Just a sec.” noise from keyboard in the background

 _Sysadmin_ : “I didn't see any error.”

 _You_ : “Never mind, I figured it out. Thanks!”

 _Narrator_ : Did you notice what went wrong in this scene? The administrator
was supposed to check the permissions on all the files in /usr/share, thus
earning the slim chance to perform the reproductive act. The next day, the
administrator's planet was destroyed by aliens. Can you guess the name of the
planet? IT WAS EARTH! DON'T DATE ROBOTS.

~~~
rythie
I've been a sysadmin for several years now.

I don't know what would possess me to run that program as me, I would run it
as them. That's if I ran it at all since I would check the fault they reported
first anyway.

~~~
tptacek
Uh-huh. But you'd ldd it as you?

~~~
rythie
Yes, I see your point better now. I probably would have ldd'ed it until I
found out how it worked from the article; now I won't anymore.

However, given that I would know exactly who the user was, any damage that was
intentional on their part would have consequences for them.

------
nitrogen
It seems that there may be a use for an ldd-like utility that doesn't actually
load the binary, for use by security researchers. Now that I know it makes
perfect sense, but intuitively I would have expected ldd to just read the data
from the binary directly instead of relying on the system loader.
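viraptor and nitrogen above both ask why ldd invokes the loader instead of just reading the dynamic section. As an added example (not code from the article or from anyone in this thread), this reads the DT_NEEDED entries straight out of a little-endian ELF64 image's program headers, so the untrusted file is parsed but never executed; the image it parses is constructed inside the block rather than taken from disk.

```python
import struct
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ = 0, 1, 5, 10
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"  # ELF64 little-endian layouts


def needed_libraries(data):
    """DT_NEEDED names of an ELF64 LE image, read from its headers only."""
    ident, _, _, _, _, phoff, _, _, _, phentsize, phnum, _, _, _ = struct.unpack_from(EHDR, data, 0)
    if ident[:6] != b"\x7fELF\x02\x01":           # magic, ELFCLASS64, ELFDATA2LSB
        raise ValueError("not a little-endian ELF64 file")
    loads, dynamic, tags = [], None, []
    for i in range(phnum):
        p = struct.unpack_from(PHDR, data, phoff + i * phentsize)
        if p[0] == PT_LOAD:                         # remember (vaddr, file offset, filesz)
            loads.append((p[3], p[2], p[5]))
        elif p[0] == PT_DYNAMIC:                    # (file offset, filesz) of the dynamic array
            dynamic = (p[2], p[5])
    if dynamic is None:
        return []                                   # no dynamic segment, e.g. a static binary
    for off in range(dynamic[0], dynamic[0] + dynamic[1], struct.calcsize(DYN)):
        tag, val = struct.unpack_from(DYN, data, off)
        if tag == DT_NULL: break                    # DT_NULL terminates the array
        tags.append((tag, val))
    dyn = dict(tags)
    strtab_vaddr, strsz = dyn[DT_STRTAB], dyn[DT_STRSZ]
    strtab = next(f_off + strtab_vaddr - v for v, f_off, sz in loads   # vaddr -> file offset
                  if v <= strtab_vaddr < v + sz)
    names = []
    for tag, val in tags:
        if tag == DT_NEEDED:
            if val >= strsz: raise ValueError("DT_NEEDED offset outside the string table")
            end = data.index(b"\0", strtab + val, strtab + strsz)
            names.append(data[strtab + val:end].decode())
    return names


def build_sample_elf():
    """Constructed sample input: a minimal ELF64 image that names two libraries."""
    base, strs = 0x400000, b"\0libc.so.6\0libm.so.6\0"
    strtab_off, dyn_off = 176, 200                  # after ehdr (64) + two phdrs (112)
    dyn = b"".join(struct.pack(DYN, t, v) for t, v in [
        (DT_STRTAB, base + strtab_off), (DT_STRSZ, len(strs)),
        (DT_NEEDED, 1), (DT_NEEDED, 11), (DT_NULL, 0)])
    total = dyn_off + len(dyn)
    ehdr = struct.pack(EHDR, b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 64, 0, 0)
    phdrs = struct.pack(PHDR, PT_LOAD, 5, 0, base, base, total, total, 0x1000)
    phdrs += struct.pack(PHDR, PT_DYNAMIC, 6, dyn_off, base + dyn_off,
                         base + dyn_off, len(dyn), len(dyn), 8)
    return ehdr + phdrs + strs.ljust(dyn_off - strtab_off, b"\0") + dyn
```

Unlike ldd, this only reports the direct DT_NEEDED names; it does not resolve them against the library search path or walk transitive dependencies, which is exactly the work the loader is asked to do.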

