LD_PRELOAD attack
Alexander W. Janssen
yalla at fsfe.org
Wed Jun 11 23:30:47 CEST 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
(forwarded this message)
michael graffam schrieb:
> It's easy to solve the problem: all you need is a trusted strcmp() (i.e
> one linked directly w/ main() )..
>
> Before you do anything else, main() checks the environment pointer with
> the trusted strcmp() to make sure LD_PRELOAD isn't present. If it is,
> bail with a message. Done.
Interesting approach, but even if the variable LD_PRELOAD is empty or
doesn't exist, the process running in a compromised shell still runs the
preloaded-lib. Even if you have a trusted strcmp(), it wouldn't change
the fact that the lib gets loaded anyway.
> An LD_PRELOADed lib wouldn't have a chance to get hooked.
Well, even if the env-var isn't there, it still get's loaded!
Alex.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iQCVAwUBSFBEBRYlVVSQ3uFxAQLSagP+ONzt6GC+AVlgudwb+Agx6JeKKLC9teg8
cOPSRlDBXTWvH5qZakEOEy+9is6ALWRUA4N5soYiKnra1v9FiEDVqfFxqhsa2V5P
4TE/g+FxuR744zYAbJspJHH5zxxaSX35+epzTJ5I6+zmxLvWLFL+Eed9fmE5ljW/
kr0AjDcNKMI=
=Jbu1
-----END PGP SIGNATURE-----
More information about the Gnupg-users
mailing list