Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ GLSA 200408-16 ] glibc: Information leak with LD_DEBUG

from [Solar Designer] Network Security [Permanent Link]
Subject: Re: [ GLSA 200408-16 ] glibc: Information leak with LD_DEBUG
Date: Sat, 21 Aug 2004 09:02:02 +0400 
On Fri, Aug 20, 2004 at 03:24:53AM -0400, Jim Paris wrote:

Silvio Cesare discovered a potential information leak in glibc. It
allows LD_DEBUG on SUID binaries where it should not be allowed. This
has various security implications, which may be used to gain
confidentional information.


It's worse than that.  You can essentially single-step through the
library calls of a binary by turning on verbose debugging through
LD_DEBUG and then carefully controlling stdout so that the program
blocks while writing the debugging output.  I've used this to exploit
race conditions in setuid binaries that would otherwise be nearly
impossible to trigger.

Gentoo's method of adding LD_DEBUG to UNSECURE_ENVVARS will prevent
this.


FWIW, this has been dealt with in Openwall GNU/*/Linux (Owl) before our
project was first announced to the public 3+ years ago.  ALT Linux is
another (or the other?) distribution vendor which also dealt with this
roughly 3 years ago.

Our patch sets and replacements for the various packages are available
for consideration and possible re-use by other distributions.  The
patches are easy to get without having to download the entire system -
as a small tarball (only 1.5 MB gzipped) available on our FTP mirrors
or from our public anoncvs and CVSweb servers:

        http://www.openwall.com/Owl/DOWNLOAD.shtml

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-Disclosure] [PoC] Nasty bug(s) found in Axis Network Camera/Video Servers, bashis
Next by Date:  MDKSA-2004:086 - Updated kdelibs and kdebase packages fix multiple vulnerabilities, Mandrake Linux Security Team
Previous by Thread:  Re: [ GLSA 200408-16 ] glibc: Information leak with LD_DEBUG, Jim Paris
Next by Thread:  First vulnerabilities in the SP2 - XP ?..., Jérôme
Indexes:  [Date] [Thread] [Top] [All Lists]