OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Marlon Jabbur (mjabburterra.com.br)
Date: Wed Apr 24 2002 - 15:07:07 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    I've tried in a Debian Woody box using /lib/ld-2.2.5.so and it worked.

    Marlon

    Tech Support wrote:

    >I tried this and it seemed to not work on my Linux system. I'm running both
    >RedHat 7.1 and 6.0
    >
    >-----Original Message-----
    >From: Sabau Daniel [mailto:dravenUBBCluj.Ro]
    >Sent: Monday, April 22, 2002 2:44 AM
    >To: vuln-devsecurityfocus.com
    >Cc: focus-linuxsecurityfocus.com
    >Subject: /lib/ld-2.2.4.so
    >
    >
    >or:
    >lrwxrwxrwx 1 root root 11 Apr 15 12:01 /lib/ld-linux.so.2
    >-> ld-2.2.4.so
    >
    > This file gives users the ability of running binaries on witch the
    >user doesn't have the permission to execute, it is enough to have read
    >ability on the file in order to execute it:
    >
    >-rwxr-xr-- 1 root root 45948 Aug 9 2001 /bin/ls
    >
    >but using the /lib/ld-2.2.4.so file i can execute the ls command:
    >
    >[08:51:36][dravenZero:~]:$/lib/ld-2.2.4.so /bin/ls /
    >bin bzImage bzImage3 bzImage5 dev home lib mnt proc sbin
    >usr
    >boot bzImage2 bzImage4 bzImage6 etc initrd misc opt root tmp
    >var
    >
    >i do not have root preveleges on this account:
    >
    >[08:51:38][dravenZero:~]:$id
    >uid=1000(draven) gid=10(wheel) groups=10(wheel),16(trust)
    >
    >The most interesting part is running binaries on partitions mounted with
    >noexec, lets take this partition:
    >
    >/dev/sda9 on /home/friends type ext2
    >(rw,noexec,nosuid,nodev,usrquota,grpquota)
    >
    >i've created a shell acount with the home directory:
    >
    >[mjjZero mjj]$ pwd
    >/home/friends/mjj
    >
    >and wrote this C code in a file test.c
    >
    >#include <stdio.h>
    >void main(void)
    >{
    > printf ("Test");
    >}
    >
    >i've compiled it & tryed to run:
    >
    >[mjjZero mjj]$ ./a.out
    >bash: ./a.out: Permission denied
    >
    >but when i try to run it with /lib/ld-2.2.4.so:
    >
    >[mjjZero mjj]$ /lib/ld-2.2.4.so ./a.out
    >Test
    >
    >the important thing is to include a full path in the binary name to be
    >able to execute it.
    >in the same way i've managed to run the ptrace exploit on a nosuid
    >partition
    >i'm running a 2.4.18 kernel with grsecurity-1.9.4 patch on a Red Hat
    >Linux 7.2 box, but i've succeded running this file on different linux
    >boxes and i've been succesfull, please if anyone know how to eliminate
    >this hole in my security give me a replay. If i try to change the mode on
    >/lib/ls-2.2.4.so to 700, the users will not be able to login on my linux
    >box, so this is not a solution:)
    >
    >10x,
    >Dan Sabau
    >
    >
    >--
    >
    >
    >"From all the things I lost,
    >My mind, I miss the most!"
    >
    >echo '16i[q]sa[ln0=aln100%Pln100/snlbx]sb20293A2058554E494Csnlbxq'|dc
    >
    >
    >
    >
    >
    >