2014-02-17 20:48 GMT+01:00 Miod Vallat <[email protected]>:
>> Attacks with LD_PRELOAD are very old and can
>> be performed on any OS where you have dynamic linking (Linux, *BSD
>> etc.), so yes, OpenBSD is "vulnerable" to this type of stuff.
>
> You forgot to mention that the value of LD_PRELOAD is ignored for set*id
> executables, in order to prevent these kind of games.

thx, I wasn't sure of this, but it's good to hear that.

http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ld.so/loader.c?rev=1.147;content-type=text%2Fplain

from loader.c

        /*
         * Don't allow someone to change the search paths if he runs
         * a suid program without credentials high enough.
         */
        _dl_trust = !_dl_issetugid();
        if (!_dl_trust) {       /* Zap paths if s[ug]id... */
                if (_dl_libpath) {
                        _dl_free_path(_dl_libpath);
                        _dl_libpath = NULL;
                        _dl_unsetenv("LD_LIBRARY_PATH", envp);
                }
                if (_dl_preload) {
                        _dl_preload = NULL;
                        _dl_unsetenv("LD_PRELOAD", envp);
                }

It actually should reduce the risk for set*id(), but this in the past
related to CVE-2006-6164 (_dl_unsetenv())?

Daniel

>
> Miod
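
Added example, not part of the original message and not OpenBSD's code: a user-space sketch of the policy in the loader.c excerpt, where an untrusted (set*id) process has LD_LIBRARY_PATH and LD_PRELOAD stripped from envp. The names scrub_env, sanitize_env and demo_remaining are hypothetical, and the sample environment is constructed; the scrubber removes every copy of a variable, so a duplicated entry does not survive.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not OpenBSD's _dl_unsetenv): remove every "name=value"
 * entry from a NULL-terminated envp, in place. Returns the number removed. */
static int scrub_env(char **envp, const char *name)
{
    size_t len = strlen(name);
    char **src, **dst;
    int removed = 0;
    for (src = dst = envp; *src != NULL; src++) {
        if (strncmp(*src, name, len) == 0 && (*src)[len] == '=') {
            removed++;      /* drop it and keep scanning for duplicates */
            continue;
        }
        *dst++ = *src;      /* keep: compact surviving entries forward */
    }
    *dst = NULL;
    return removed;
}

/* Same policy as the excerpt: an untrusted (set*id) process loses both. */
static int sanitize_env(char **envp, int trusted)
{
    if (trusted)
        return 0;
    return scrub_env(envp, "LD_LIBRARY_PATH") + scrub_env(envp, "LD_PRELOAD");
}

/* Constructed sample: duplicated LD_PRELOAD plus a look-alike name that must
 * be kept. Returns how many entries survive sanitizing. */
static int demo_remaining(int trusted)
{
    char *envp[] = {
        "HOME=/home/user", "LD_PRELOAD=/tmp/a.so", "LD_PRELOADED=keep",
        "LD_LIBRARY_PATH=/tmp", "LD_PRELOAD=/tmp/b.so", "TERM=xterm", NULL
    };
    int n = 0;
    sanitize_env(envp, trusted);
    while (envp[n] != NULL)
        n++;
    return n;
}

int main(void)
{
    printf("untrusted: %d left, trusted: %d left\n",
           demo_remaining(0), demo_remaining(1));
    return 0;
}
```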

