
Remote LD_PRELOAD Exploitation - pentestercrab
https://www.elttam.com.au/blog/goahead/
======
londons_explore
The unix security model of "you have to know how it works to make it secure"
is starting to show its issues...

Clearly, the author of this code thought of environment variables as any other
kind of variable - a simple key-value map, which can have any keys and any
values.

The fact that there are special keys and special values is just insane. Either
environment variables should be a general purpose key value map, with no
special values, or it should have _all_ special values, pre-allocated keys
which don't allow collisions, or not allow custom definitions at all.

There are lots of cases of this across unix-like OSes. For example
"directories contain a special entry called '..' which goes up a level" or
"TCP ports under 1024 are 'special'."

This is, in my opinion, poor API design, and we're paying for it now in the
form of bugs and security issues.

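As an added illustration of the "environment is just a key-value map" point in the comment above (example code written here, not from the thread, the elttam post, or GoAhead; the function names, the `QUERY_` namespace and the `LD_` prefix list are assumptions): a naive CGI environment builder that copies request parameters straight into the environment, beside a hardened one that refuses loader-controlled names and namespaces everything else.

```python
import re

# Names the dynamic loader consults before the CGI program even starts
# (assumption: glibc-style LD_* names). They must never come from a request.
LOADER_PREFIXES = ("LD_",)
# CGI variable names are restricted to the shell-identifier character set.
CGI_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def is_loader_controlled(name: str) -> bool:
    """True for variables that change how the loader maps libraries."""
    return name.upper().startswith(LOADER_PREFIXES)


def naive_cgi_env(params: dict, base_env: dict) -> dict:
    """Treat the environment as a plain map: every parameter is copied verbatim.

    This is the design flaw discussed above: a request parameter named
    LD_PRELOAD ends up as a real loader setting for the CGI child process.
    """
    env = dict(base_env)
    env.update(params)
    return env


def hardened_cgi_env(params: dict, base_env: dict) -> dict:
    """Reject loader-controlled names and keep user input in its own namespace."""
    env = dict(base_env)
    for name, value in params.items():
        if not CGI_NAME_RE.match(name):
            raise ValueError(f"invalid parameter name: {name!r}")
        if is_loader_controlled(name):
            raise ValueError(f"refusing loader-controlled variable: {name}")
        # Prefixing means a user-chosen name can never collide with a variable
        # that the loader, libc or the CGI program treats as special.
        env["QUERY_" + name] = value
    return env


if __name__ == "__main__":
    base = {"PATH": "/usr/bin"}                       # constructed base env
    untrusted = {"LD_PRELOAD": "<attacker-value>"}    # constructed request
    print("naive  :", naive_cgi_env(untrusted, base))
    try:
        hardened_cgi_env(untrusted, base)
    except ValueError as exc:
        print("hardened:", exc)
```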
------
half-kh-hacker
Wow - Using stdin as the LD_PRELOAD target seems super obvious in retrospect,
now.

Good job to the author(s).

