Re: [Linux] glibc 2.1.x / wu-ftpd <=2.5 / BeroFTPD / lynx / vlock

From: Michal Zalewski (lcamtufat_private)
Date: Sun Jul 04 1999 - 23:40:05 PDT


    On Wed, 25 Aug 1999, Michael K. Johnson wrote:
    
    > Let's make sure we understand this correctly:
    >
    > #!/bin/sh
    > /lib/ld-linux.so.2 "$@"
    >
    > is roughly equivalent to:
    >
    > #!/bin/sh
    > file=$1
    > shift
    > cp $file /tmp
    > /tmp/$file "$@"
    > rm /tmp/$file
    
    No, it isn't equivalent. No one said /tmp is mounted with the exec option.
    What I'm trying to say is that noexec is *NOT* a mechanism provided for
    security reasons, and it's at least stupid to use it against hackers,
    while a lot of administrators love restricting execution of custom
    programs to prevent exploits, while this is the simplest method (don't
    even think about LD_PRELOAD and so on).
    
    > And, of course, no one is capable of using mmap and PROT_EXEC to do
    > their own ld-linux.so-like wrapper, especially since no one has the
    > glibc source code to start from.  ;-)
    
    If no one is capable of using his own programs, no one is capable of using
    his own linker.
    
    > It is unfortunate that people think that it is a security feature, and
    > I will say that you have found one of the more interesting and subtle
    > ways to show that it is not a security feature, but this is NOT a
    > glibc bug.
    
    Yep, yep, sorry, I didn't want to say it's a bug (and didn't say it ;),
    I say that it is the simplest way to bypass noexec and security by
    obscurity stinks ;P
    
    Regards,
    _______________________________________________________________________
    Michal Zalewski [lcamtufat_private] [link / marchew] [dione.ids.pl SYSADM]
    [Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
    [voice phone: +48 (0) 22 813 25 86] ? [cellular phone: (0) 501 4000 69]
    To iterate is human, to recurse - divine [P. Deutsch]
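
A defender's view of the point made in this message, as an added example that is not part of the original post: flag process-execution audit records in which the dynamic loader is invoked directly on a file that lives on a noexec mount. The mount table and the auditd EXECVE lines are constructed samples, and all function names are hypothetical.

```python
import posixpath
import re

# Constructed sample data (not from the original post).
MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda3 /home ext4 rw,nosuid,noexec 0 0
"""
AUDIT = """\
type=EXECVE msg=audit(1000000001.001:101): argc=3 a0="/lib/ld-linux.so.2" a1="/tmp/tool" a2="-v"
type=EXECVE msg=audit(1000000002.001:102): argc=2 a0="/bin/ls" a1="/tmp"
type=EXECVE msg=audit(1000000003.001:103): argc=3 a0="/lib64/ld-linux-x86-64.so.2" a1="--list" a2="/usr/bin/id"
type=EXECVE msg=audit(1000000004.001:104): argc=2 a0="/lib/ld-linux.so.2" a1=2F686F6D652F752F6D7920746F6F6C
"""
LOADER_RE = re.compile(r"^ld(-[\w.-]+)?\.so(\.\d+)?$")  # ld.so, ld-linux.so.2, ...
ARG_RE = re.compile(r'\ba(\d+)=("([^"]*)"|[0-9A-Fa-f]+)')

def noexec_table(mounts_text):
    """Map each mount point in /proc/mounts-style text to True if noexec."""
    table = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            table[fields[1]] = "noexec" in fields[3].split(",")
    return table

def on_noexec(path, table):
    """True if the longest mount point containing path is mounted noexec."""
    path = posixpath.normpath(path)
    owners = [mp for mp in table if path == mp or path.startswith(mp.rstrip("/") + "/")]
    return bool(owners) and table[max(owners, key=len)]

def decode_argv(record):
    """argv of an EXECVE record; auditd hex-encodes values it does not quote."""
    args = {}
    for idx, raw, quoted in ARG_RE.findall(record):
        args[int(idx)] = (quoted if raw.startswith('"')
                          else bytes.fromhex(raw).decode("utf-8", "replace"))
    return [args[i] for i in sorted(args)]

def loader_on_noexec(audit_text, mounts_text):
    """List (loader, targets) for loader invocations naming noexec paths."""
    table, hits = noexec_table(mounts_text), []
    for record in audit_text.splitlines():
        argv = decode_argv(record) if "type=EXECVE" in record else []
        if argv and LOADER_RE.match(posixpath.basename(argv[0])):
            targets = [a for a in argv[1:] if a.startswith("/") and on_noexec(a, table)]
            if targets:
                hits.append((argv[0], targets))
    return hits
```

Relative paths are skipped here because resolving them needs the working directory, which auditd logs in a separate record of the same event.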
    


