-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi there, When I'm trying to understand how executables related to shared objects, some questions appeared in my mind(trap)... I'm giving some examples here from the UNIX side... 1. $ uname -a OpenUNIX feeddead 5 8.0.0 i386 x86at Caldera UNIX_SVR5 $ ls -al /usr/dt/bin/dtterm -r-sr-xr-x 1 root bin 60892 Jun 10 05:03 /usr/dt/bin/dtterm here dtterm is suid bit set. To see which shared objects it needs, $ ldd /usr/dt/bin/dtterm /usr/dt/bin/dtterm needs: libDtTerm.so.1 => /usr/dt/lib/libDtTerm.so.1 ....... /usr/lib/libc.so.1 it's dynamic section includes this, Dynamic Section: NEEDED libDtTerm.so.1 ...... RPATH /usr/dt/lib:/usr/lib ...... so when it runs, I'm understanding that say "first look /usr/dt/lib for loading libDtTerm.so.1". if it doesn't defined here I think I can overwrite the LD_LIBRARY_PATH environment so I could make this system to load MY OWN libDtTerm.so.1magically :) but in Linux side say /usr/X11R6/bin/xlock [aycan@mars doc]$ uname -a Linux deadbeef 2.4.12 #13D SMP Wed Oct 17 11:54:46 CEST 2001 i586 unknown [aycan@mars doc]$ ls -al /usr/X11R6/bin/xlock -r-sr-xr-x 1 root root 1406536 May 3 12:49 /usr/X11R6/bin/xlock I couldn't see any path when I looked at objdump output ...so I think I can export my LD_RUN_PATH variable to inject MY OWN libXpm.so.4 magically :) what I'm doing wrong here? is it possible to inject suspicious shared objects so suid program is compromised? any ideas? tnx... - -- Aycan Ŭrican Systems Engineer Prosoft Communication Systems Ltd. Resit Galip Cad. 85/2 Gaziosmanpaŝa 06700 Ankara Tel:+90-312-446-6616 Fax:+90-312-446-2423 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE70VxaJZJwgy0AK78RAktSAJ40IxAOnqVC2e5iFGe0RCb6ehV00QCfSHbY IxPObVUkyYzbYgeJecU+thU= =mdXj -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Sat Oct 20 2001 - 11:09:02 PDT