From: Aycan Irican (aycanmars.prosoft.com.tr)
Date: Sat Oct 20 2001 - 06:13:23 CDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Hi there,
    While I was trying to understand how executables relate to shared objects, some
    questions appeared in my mind (trap)...

    I'm giving some examples here from the UNIX side...
    1.
            $ uname -a
            OpenUNIX feeddead 5 8.0.0 i386 x86at Caldera UNIX_SVR5
            $ ls -al /usr/dt/bin/dtterm
            -r-sr-xr-x 1 root bin 60892 Jun 10 05:03 /usr/dt/bin/dtterm

    here dtterm has the suid bit set. To see which shared objects it needs,

            $ ldd /usr/dt/bin/dtterm
            /usr/dt/bin/dtterm needs:
                    libDtTerm.so.1 => /usr/dt/lib/libDtTerm.so.1
                    .......
                    /usr/lib/libc.so.1

    its dynamic section includes this,
            Dynamic Section:
              NEEDED libDtTerm.so.1
                    ......
              RPATH /usr/dt/lib:/usr/lib
                    ......
    so when it runs, I understand this as saying "first look in /usr/dt/lib when
    loading libDtTerm.so.1".

    if it isn't defined here I think I can overwrite the LD_LIBRARY_PATH
    environment so I could make this system load MY OWN
    libDtTerm.so.1 magically :)

    but on the Linux side, say /usr/X11R6/bin/xlock
            [aycanmars doc]$ uname -a
            Linux deadbeef 2.4.12 #13D SMP Wed Oct 17 11:54:46 CEST 2001 i586 unknown
            [aycanmars doc]$ ls -al /usr/X11R6/bin/xlock
            -r-sr-xr-x 1 root root 1406536 May 3 12:49 /usr/X11R6/bin/xlock

    I couldn't see any path when I looked at objdump output ...so I think I can
    export my LD_RUN_PATH variable to inject MY OWN libXpm.so.4 magically :)

    what am I doing wrong here?
    is it possible to inject suspicious shared objects so that the suid program is
    compromised?
    any ideas?

    tnx...
    - --
    Aycan İrican
    Systems Engineer
    Prosoft Communication Systems Ltd.
    Resit Galip Cad. 85/2 Gaziosmanpaşa 06700 Ankara
    Tel:+90-312-446-6616 Fax:+90-312-446-2423
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    iD8DBQE70VxaJZJwgy0AK78RAktSAJ40IxAOnqVC2e5iFGe0RCb6ehV00QCfSHbY
    IxPObVUkyYzbYgeJecU+thU=
    =mdXj
    -----END PGP SIGNATURE-----
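
An added example, not part of the original post: a defensive audit of the `NEEDED`/`RPATH` tags shown in the message, as an administrator might run over `objdump -p` output for each setuid binary. glibc's ld.so ignores LD_LIBRARY_PATH in secure-execution (setuid) mode, so the search path embedded in the binary is the part to check. The function names and the `RUNPATH` sample line are assumptions made for illustration.

```python
import os
import stat

def parse_dynamic(text):
    """Collect NEEDED, RPATH and RUNPATH values from `objdump -p` output."""
    dyn = {"NEEDED": [], "RPATH": [], "RUNPATH": []}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] not in dyn:
            continue
        tag, value = parts[0], parts[1].strip()
        # RPATH/RUNPATH are colon-separated; an empty item means the cwd.
        dyn[tag].extend([value] if tag == "NEEDED" else value.split(":"))
    return dyn

def dir_problem(path, stat_fn=os.stat):
    """Return why a library search directory is unsafe, or None."""
    if path == "":
        return "empty entry (searched as the current directory)"
    if not path.startswith("/"):
        return "not an absolute path"
    try:
        st = stat_fn(path)
    except OSError:
        return "directory does not exist"
    if st.st_uid != 0:
        return "not owned by root"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group- or world-writable"
    return None

def audit(text, stat_fn=os.stat):
    """Return (needed_libs, [(tag, entry, problem), ...])."""
    dyn = parse_dynamic(text)
    checked = [(tag, entry, dir_problem(entry, stat_fn))
               for tag in ("RPATH", "RUNPATH") for entry in dyn[tag]]
    return dyn["NEEDED"], [c for c in checked if c[2]]

# Constructed sample: first two tags as in the post, RUNPATH line invented.
SAMPLE = """Dynamic Section:
  NEEDED libDtTerm.so.1
  RPATH /usr/dt/lib:/usr/lib
  RUNPATH :lib
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Any finding on a setuid binary means the directory, or the binary's link options, should be fixed so that only root-owned, non-writable absolute paths are searched.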