Re: Solaris ld.so possibly vulnerable?

casperHOLLAND.SUN.COM

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Alan Cox: "Re: better snprintf replacement, anyone?"
• Previous message: Casper Dik: "Re: procmail"
• In reply to: Adam Morrison: "Re: Solaris ld.so possibly vulnerable?"

>As for the existance of a stack overrun condition similar to the one
>in Linux in the Solaris ld.so, I do not believe this to be the case.
>
>The bug the program you posted triggers is indeed becasue of a call to
>strcpy(), however the buffers in question are not on the stack but are
>malloc()ed during run time.  (There are some cases where ld.so first calls
>strlen() to determine how much memory to ask malloc() for, if I remember
>correctly; obviously, the particular instance you've discovered is not one
>of those).


The bug is in a routine that formats error messages into a dynamically allocated
buffer.

SInce the buffer will live after the program's data segment, the _iob
(stdioflow) trick won't work on it.

Also, when applied to a set-uid/set-gid program it isn't possible to
force an ld.so error using LD_PRELOAD (ignored) or many of the
other LD_ variables; they're mostly ignored)

However, in some versions of Solaris such errors are generated by the
implementation of dynamically loadable functionality and on such systems
you can crash set-uid executables.


Casper

• Next message: Alan Cox: "Re: better snprintf replacement, anyone?"
• Previous message: Casper Dik: "Re: procmail"
• In reply to: Adam Morrison: "Re: Solaris ld.so possibly vulnerable?"