KEYWORDS: shared objects, dynamic linking,

From: Aycan Irican (aycanat_private)
Date: Sat Oct 20 2001 - 04:13:23 PDT

Next message: ObLiviON: "hotmail javascript bypass"

Previous message: Pedro Miller Rabinovitch: "Re: 0-day exploit..do i hear $1000?"
Next in thread: Aycan Irican: "KEYWORDS: shared objects, dynamic linking,"
Reply: Sebastian Jaenicke: "Re: KEYWORDS: shared objects, dynamic linking,"
Reply: Dom De Vitto: "RE: KEYWORDS: shared objects, dynamic linking,"
Reply: Sebastian Jaenicke: "Re: KEYWORDS: shared objects, dynamic linking,"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi there,
When I'm trying to understand how executables related to shared objects, some 
questions appeared in my mind(trap)...

I'm giving some examples here from the UNIX side...
1.
	$ uname -a
	OpenUNIX feeddead 5 8.0.0 i386 x86at Caldera UNIX_SVR5
	$ ls -al /usr/dt/bin/dtterm
	-r-sr-xr-x    1 root     bin           60892 Jun 10 05:03 /usr/dt/bin/dtterm

here dtterm is suid bit set. To see which shared objects it needs,

	$ ldd /usr/dt/bin/dtterm
	/usr/dt/bin/dtterm needs:
	        libDtTerm.so.1 => /usr/dt/lib/libDtTerm.so.1
		.......
	        /usr/lib/libc.so.1

it's dynamic section includes this,
	Dynamic Section:
	  NEEDED      libDtTerm.so.1
		......
	  RPATH       /usr/dt/lib:/usr/lib
		......
so when it runs, I'm understanding that say "first look /usr/dt/lib for 
loading libDtTerm.so.1".

if it doesn't defined here I think I can overwrite the LD_LIBRARY_PATH 
environment so I could make this system to load MY OWN 
libDtTerm.so.1magically :)

but in Linux side say /usr/X11R6/bin/xlock
	[aycan@mars doc]$ uname -a
	Linux deadbeef 2.4.12 #13D SMP Wed Oct 17 11:54:46 CEST 2001 i586 	unknown
	[aycan@mars doc]$ ls -al /usr/X11R6/bin/xlock
	-r-sr-xr-x   1 root     root      1406536 May  3 12:49 /usr/X11R6/bin/xlock

I couldn't see any path when I looked at objdump output ...so I think I can 
export my LD_RUN_PATH variable to inject MY OWN libXpm.so.4 magically :)

what I'm doing wrong here?
is it possible to inject suspicious shared objects so suid program is 
compromised?
any ideas?

tnx...
- -- 
Aycan İrican
Systems Engineer
Prosoft Communication Systems Ltd.
Resit Galip Cad. 85/2 Gaziosmanpaşa 06700 Ankara
Tel:+90-312-446-6616 Fax:+90-312-446-2423
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE70VxaJZJwgy0AK78RAktSAJ40IxAOnqVC2e5iFGe0RCb6ehV00QCfSHbY
IxPObVUkyYzbYgeJecU+thU=
=mdXj
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Next message: ObLiviON: "hotmail javascript bypass"
Previous message: Pedro Miller Rabinovitch: "Re: 0-day exploit..do i hear $1000?"
Next in thread: Aycan Irican: "KEYWORDS: shared objects, dynamic linking,"
Reply: Sebastian Jaenicke: "Re: KEYWORDS: shared objects, dynamic linking,"
Reply: Dom De Vitto: "RE: KEYWORDS: shared objects, dynamic linking,"
Reply: Sebastian Jaenicke: "Re: KEYWORDS: shared objects, dynamic linking,"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sat Oct 20 2001 - 08:44:17 PDT