
Exploiting ELF Expansion Variables - abelpmathew
http://backtrace.io/blog/blog/2016/06/29/exploiting-elf-expansion-variables/
======
JoshTriplett
> In IllumOS non-privileged users are allowed to create hard links of setuid
> executables which is necessary in order for exploitation of this
> vulnerability to achieve privileged code execution.

> NOTE: Various Linux distributions have incorporated patches that restrict
> symbolic link behavior, preventing security vulnerabilities such as the one
> we are about to demonstrate.

Linux distributions also restrict hardlink behavior, which addresses this
issue. This seems like the key point. In current Linux, by default, you can't
create a hardlink to someone else's file, setuid or otherwise.

~~~
cyphar
And also the Linux kernel has protections against unsafe symlinks too[1].

[1]: http://danwalsh.livejournal.com/64493.html
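Both comments above point at the same defensive control: on Linux the `fs.protected_hardlinks` and `fs.protected_symlinks` sysctls refuse the hard link (and sticky-directory symlink follow) that the linked post relies on. The following audit script is an added example, not code from the post or from any commenter, and assumes a Linux kernel exposing those knobs under `/proc/sys/fs`; the function and variable names are my own.

```shell
#!/bin/sh
# Added example: audit the link-hardening sysctls discussed in the thread.
# Assumes a Linux kernel that exposes them under /proc/sys/fs (hypothetical
# helper names; not from the linked post).
#
# Kernel semantics (documented in Documentation/admin-guide/sysctl/fs.rst):
#   fs.protected_hardlinks=1  a user may only hard-link a file they own or
#                             can both read and write, so linking to a
#                             setuid binary owned by root is refused
#   fs.protected_symlinks=1   a symlink inside a sticky world-writable dir
#                             (e.g. /tmp) is only followed when its owner
#                             matches the follower or the directory owner
PROTECTED_HARDLINKS_MIN=1
PROTECTED_SYMLINKS_MIN=1

# link_protection_status NAME VALUE -> prints ok|weak|unknown, returns 0/1/2
link_protection_status() {
  name=$1; value=$2
  case $name in
    protected_hardlinks) min=$PROTECTED_HARDLINKS_MIN ;;
    protected_symlinks)  min=$PROTECTED_SYMLINKS_MIN ;;
    *) echo "unknown"; return 2 ;;
  esac
  # A non-numeric value (e.g. "missing") fails the comparison and counts as weak.
  if [ "$value" -ge "$min" ] 2>/dev/null; then
    echo "ok"; return 0
  fi
  echo "weak"; return 1
}

# read_sysctl NAME [BASEDIR] -> prints the knob's value, or "missing" when the
# kernel does not expose it (older kernels predate these protections).
read_sysctl() {
  name=$1; base=${2:-/proc/sys/fs}
  if [ -r "$base/$name" ]; then
    cat "$base/$name"
  else
    echo "missing"
  fi
}

# audit_link_protections [BASEDIR] -> one line per knob; returns 0 only when
# every protection is enabled. Reading /proc/sys needs no privileges.
audit_link_protections() {
  base=${1:-/proc/sys/fs}
  rc=0
  for knob in protected_hardlinks protected_symlinks; do
    val=$(read_sysctl "$knob" "$base")
    status=$(link_protection_status "$knob" "$val") || true
    echo "fs.$knob=$val $status"
    [ "$status" = ok ] || rc=1
  done
  return $rc
}

# Run the live audit unless sourced as a library (LINK_AUDIT_LIBRARY=1 skips it).
if [ -z "${LINK_AUDIT_LIBRARY:-}" ]; then
  audit_link_protections || echo "WARNING: at least one link protection is off"
fi
```

A "weak" result for `fs.protected_hardlinks` means the default-deny that JoshTriplett describes is not in effect on that host; it is set persistently with a `fs.protected_hardlinks = 1` line in `sysctl.conf` or a `sysctl.d` fragment, and most current distributions ship both knobs enabled.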

------
_pmf_
Hm, might the changes to Android's dynamic linking behavior described here [0]
also be related to similar actual or possible attack vectors?

[0] http://android-developers.blogspot.de/2016/06/android-changes-for-ndk-developers.html

------
z_
For those interested in CTF techniques or an intro to system exploitation,
this is a good read.

