___ ___
/ _ \ / _ \
__ __| (_) || | | | ___
\ \/ / \__. || | | | / __|
> < / / | |_| || (__
/_/\_\ /_/ \___/ \___|
------------------------------------------------------------------------
ld-2.5.so security
x90c
------------------------------------------------------------------------
----[ toc
1 - Intro
2 - security mechanism/attack technique detection
2.1 - glibc 2.5 rtld security mechanisms
2.2 - attack techniques
2.3 - payload injection vectors
3 - conclusion
4 - reference
5 - greets
----[ 1 - Intro
I researched the security of the glibc 2.5 rtld dynamic linker.
This article enumerates the security mechanisms of the rtld and
the published attack techniques against it, so that they can be
used in exploits and as the starting point for new attack techniques.
----[ 2 - security mechanism/attack technique detection
----[ 2.1 - glibc 2.5 rtld security mechanisms
18 security mechanisms were identified in the glibc 2.5 rtld
dynamic linker. Each of them is a place to attack the dynamic
linker or to build an attack technique on:
- --verify: ld.so option that validates a dynamically linked object
- SYSINFO_DSO: the kernel-supplied vDSO entered into the link map
( visible / invisible object )
- --audit / LD_AUDIT: auditing DSOs (rtld-audit interface)
- stack protector canary (stack guard)
- pointer guard (mangling of saved code pointers)
- preload: LD_PRELOAD and /etc/ld.so.preload
- prelinked library validation ( already mapped? / checksum /
timestamp, checked against the DT_GNU_LIBLIST )
- __libc_enable_secure internal variable (secure mode for
setuid/setgid programs, driven by AT_SECURE)
- /etc/suid-debug file (keeps MALLOC_CHECK_ and the debug mask
alive in secure mode)
- dl_main (rtld.c): link_map name free guard (link_map->
l_libname->dont_free)
- lazy binding control: LD_BIND_NOW / LD_BIND_NOT environment
variables
- ELF segment permissions: PF_* flags mapped to PROT_* when the
segments are mmap'ed
- symbol hash tables: DT_HASH and DT_GNU_HASH (dl_new_hash)
- debug/profiling: LD_DEBUG_OUTPUT / LD_PROFILE_OUTPUT environment
variables (dropped in secure mode)
- LD_HWCAP_MASK environment variable (hardware capability
subdirectories to search)
- copy relocations and prelink conflicts (.gnu.conflict section)
- debugging the dynamic linker (LD_DEBUG, debugger rendezvous)
- rtld mode: ld.so run directly on a program versus ld.so as the
program interpreter
----[ 2.2 - attack techniques
14 glibc rtld related attack techniques were identified, published
between 1997 and 2003. The first rtld attack appeared in 1997 and
the last article in 2003. After reading the Phrack articles we can
reuse the techniques.
1997
-----------------------------------------
- shared library redirection <1>
( LD_PRELOAD&LD_LIBRARY_PATH)
-----------------------------------------
1998
- OpenBSD TPE preload protection <2>
-----------------------------------------
2000
- LD_BIND_NOW control <3>
- ELF Infection
- PLT Redirection
- PLT Redirection in memory
-----------------------------------------
2001
-----------------------------------------
- ret-into-dl <4>
- GOT overwrite
-----------------------------------------
2002
- plain asm code injection <5>
- .so injection
-----------------------------------------
2003
- Backdooring in 4bytes <6>
- ET_REL injection
- ALTPLT
- .strtab Modification <7>
-----------------------------------------
* <1> halflife [1] <2> daemon9/route [2] <3> Silvio [3] <4> Nergal [4]
<5> anonymous author [6] <6> mayhem [7] <7> truff [8]
The most frequently mentioned attack techniques (in descending
order of frequency):
[1] LD_* preloads
[2] LD_BIND_* Lazy Binding control
[3] Malicious ELF
[4] dynamic linker run-time code manipulation
[5] glibc run-time code abuse
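The two run-time techniques above that the list keeps coming back to,
GOT overwrite and PLT redirection in memory, together with the lazy
binding state that LD_BIND_NOW / LD_BIND_NOT control, are shown below
in C. This is an added example, not code from the original article or
from glibc: a process locates the GOT slot its own puts() call goes
through, first checks whether that slot still points into its PLT
(lazy, unresolved) or already into libc (resolved), then rewrites the
slot to a hook. It assumes an ELF64 target using RELA relocations
(x86_64, aarch64), a dynamically linked executable under a glibc- or
musl-style loader, and uses made-up helper names; the strings passed
to puts are constructed test input.

```c
/* got_redirect.c: GOT overwrite / PLT redirection in memory, applied by a
 * process to itself.  Added example, not code from the original article.
 * Assumes ELF64 + RELA (x86_64, aarch64) and a dynamically linked executable. */
#include <elf.h>
#include <link.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>
#include <sys/mman.h>
#include <unistd.h>

extern ElfW(Dyn) _DYNAMIC[];    /* this executable's .dynamic, linker-provided */
static int hook_calls;          /* how many times the hook ran */

/* Replacement for puts(): writes via fputs(), a different GOT slot, so it needs
 * neither the original pointer nor a recursion guard. */
static int hook_puts(const char *s)
{
    hook_calls++;
    fputs("[hooked] ", stdout);
    fputs(s, stdout);
    fputs("\n", stdout);
    return 0;
}

/* Load base: runtime address of _DYNAMIC minus PT_DYNAMIC's p_vaddr (0 for non-PIE). */
static ElfW(Addr) exe_base(void)
{
    const ElfW(Phdr) *ph = (const ElfW(Phdr) *)getauxval(AT_PHDR);
    for (unsigned long i = 0; i < getauxval(AT_PHNUM); i++)
        if (ph[i].p_type == PT_DYNAMIC)
            return (ElfW(Addr))_DYNAMIC - ph[i].p_vaddr;
    return 0;
}

/* glibc rebases d_ptr entries of a writable .dynamic in place, other loaders keep them base-relative. */
#define REBASE(p) ((p) < base ? (p) + base : (p))

/* GOT slot bound to `name`: a JUMP_SLOT in DT_JMPREL (PLT call) or a GLOB_DAT in DT_RELA (-fno-plt). */
static void **find_got_slot(const char *name)
{
    ElfW(Addr) base = exe_base();
    ElfW(Xword) dt[32] = { 0 };             /* d_un of each low-numbered tag (all we need are < 32) */
    for (const ElfW(Dyn) *d = _DYNAMIC; d->d_tag != DT_NULL; d++)
        if (d->d_tag >= 0 && d->d_tag < 32) dt[d->d_tag] = d->d_un.d_val;
    if (!dt[DT_SYMTAB] || !dt[DT_STRTAB] || (dt[DT_PLTREL] && dt[DT_PLTREL] != DT_RELA))
        return NULL;                        /* REL-style (i386) targets are not handled */
    const ElfW(Sym) *syms = (const ElfW(Sym) *)REBASE(dt[DT_SYMTAB]);
    const char *strs = (const char *)REBASE(dt[DT_STRTAB]);
    const ElfW(Addr) tabs[2] = { dt[DT_JMPREL], dt[DT_RELA] };
    const ElfW(Xword) szs[2] = { dt[DT_PLTRELSZ], dt[DT_RELASZ] };
    for (int t = 0; t < 2; t++) {
        const ElfW(Rela) *r = (const ElfW(Rela) *)REBASE(tabs[t]);
        for (ElfW(Xword) i = 0; i < szs[t] / sizeof *r; i++) {
            ElfW(Xword) si = ELF64_R_SYM(r[i].r_info);
            if (si != 0 && strcmp(strs + syms[si].st_name, name) == 0)
                return (void **)(base + r[i].r_offset);
        }
    }
    return NULL;
}

/* 1 if the slot points into this executable's own PT_LOAD segments (unresolved lazy stub in
 * the PLT, or a hook inside the binary); 0 once ld.so bound it to libc, i.e. after the first
 * call or, under LD_BIND_NOW / -z now, already at startup.  -1 if puts has no slot here. */
int puts_slot_target_in_exe(void)
{
    void **slot = find_got_slot("puts");
    if (!slot) return -1;
    ElfW(Addr) base = exe_base(), target = (ElfW(Addr))*slot;
    const ElfW(Phdr) *ph = (const ElfW(Phdr) *)getauxval(AT_PHDR);
    for (unsigned long i = 0; i < getauxval(AT_PHNUM); i++)
        if (ph[i].p_type == PT_LOAD && target >= base + ph[i].p_vaddr &&
            target < base + ph[i].p_vaddr + ph[i].p_memsz)
            return 1;
    return 0;
}

/* Make the slot's page writable (full RELRO maps it read-only) and swap in the hook.  The page
 * is left RW: with partial RELRO .got.plt shares it with .data, so a real tool would record
 * and reinstate the previous protection instead of guessing. */
int install_puts_hook(void)
{
    void **slot = find_got_slot("puts");
    if (!slot) return 0;
    long pg = sysconf(_SC_PAGESIZE);
    void *page = (void *)((uintptr_t)slot & ~(uintptr_t)(pg - 1));
    if (mprotect(page, (size_t)pg, PROT_READ | PROT_WRITE) != 0) return 0;
    *slot = (void *)hook_puts;              /* the GOT overwrite itself */
    return 1;
}

/* Call site that goes through the PLT/GOT, so the redirection is observable. */
int call_puts(const char *s) { return puts(s); }
int hook_call_count(void) { return hook_calls; }
```

Call call_puts() once before install_puts_hook() and
puts_slot_target_in_exe() reports 0 (the slot was bound to libc,
eagerly or on that first call); after the install it reports 1 and
every further call_puts() lands in hook_puts. The same check is the
cheapest detection for this class of hook, and its blind spot is
worth noting: it only flags a target outside the binary, so code
injected into the binary itself (the ET_REL injection / ALTPLT class
listed above) passes it.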
----[ 2.3 - payload injection vectors
6 payload injection vectors were identified. You can try to
discover security bugs in the rtld by passing your payload
through them:
- ldconfig (cache and library files it parses)
- libdl (dlopen / dlsym / dladdr interface)
- preloads (LD_PRELOAD, /etc/ld.so.preload)
- audit DSO (LD_AUDIT)
- malicious ELF (crafted headers, sections and relocations)
- environment (LD_* variables)
----[ 3 - conclusion
You will probably find it hard to find a bug in the glibc rtld
itself. For architectural reasons, a dynamic linker in a modern OS
cannot afford even a small security bug. But many attack techniques
can be built on top of it, either at run time or outside it
(binary manipulation or environment manipulation).
In summary ...
18 security mechanisms
14 attack techniques
6 payload injection vectors
...
If you research a dynamic linker, aim for attack techniques rather
than for a vulnerability in that specific dynamic linker.
----[ 4 - reference
[1] 01/09/1997
#51 Shared Library Redirection
halflife. http://www.phrack.org/issues.html?issue=51&id=8&mode=txt
[2] 25/12/1998
#54 Hardening OpenBSD for Multiuser Environments
route. http://www.phrack.org/issues.html?issue=54&id=6&mode=txt
[3] 01/05/2000
#56 Shared Library Redirection via ELF PLT Infection
Silvio. http://www.phrack.org/issues.html?issue=56&id=7&mode=txt
[4] 28/12/2001
#58 Advanced return-into-lib(c) exploits (PaX case study)
nergal. http://www.phrack.org/issues.html?issue=58&id=4&mode=txt
[5] #58 Armouring the ELF: Binary encryption on the UNIX platform
grugq, scut@team-teso. http://www.phrack.org/issues.html?issue=58&id=5&mode=txt
[6] 28/07/2002
#59 Runtime process infection
anonymous author. http://www.phrack.org/issues.html?issue=59&id=8&mode=txt
[7] 13/08/2003
#61 The Cerberus ELF interface
mayhem. http://www.phrack.org/issues.html?issue=61&id=8&mode=txt
[8] #61 Infecting Loadable Kernel Modules
truff. http://www.phrack.org/issues.html?issue=61&id=10&mode=txt
[9] 01/08/2005
#63 Embedded ELF Debugging : the middle head of Cerberus
Elfsh crew. http://www.phrack.org/issues.html?issue=63&id=9&mode=txt
[10] 17/11/2010
#67 Scraps of notes on remote stack overflow exploitation
pi3. http://www.phrack.org/issues.html?issue=67&id=13&mode=txt
----[ 5 - greets
#phrack@efnet
#social@overthewire
EOF