Re: KSR[T] Advisory #2: ld.so

Julian Assange (proff@SUBURBIA.NET)
Sat, 19 Jul 1997 00:07:59 +1000

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: The Nolander: "Correction to my previous message (ld.so)"
Previous message: KSR[T]: "URGENT: Update to ld.so advisory"
Maybe in reply to: KSR[T]: "KSR[T] Advisory #2: ld.so"

> Affected Program: ld.so / ld-linux.so
>
> Problem Description: ld.so is the run-time linker used by dynamically linked
> executables(a.out). Inside the error reporting function
> there is a call to vsprintf, which doesn't check the size
> of the string it is storing in an automatic buffer.
>
> The ELF version of run-time linker(ld-linux.so) is
> vulnerable to an almost identical stack overwrite.

I discovered this attack over a year ago, so let me fill you in.
At that time the a.out ld.so was not vulnerable but ELF ld.so
definately was. Trigging the overflow required a resource starvation
attack on fd's, which was easily performed by setting system resource
consumption limits for file descriptors to an appropriately low value.

FreeBSD was not vulnerable to any ld.so attacks that I could
observe.

--
Prof. Julian Assange  |If you want to build a ship, don't drum up people
                      |together to collect wood and don't assign them tasks
proff@iq.org          |and work, but rather teach them to long for the endless
proff@gnu.ai.mit.edu  |immensity of the sea. -- Antoine de Saint Exupery

Next message: The Nolander: "Correction to my previous message (ld.so)"
Previous message: KSR[T]: "URGENT: Update to ld.so advisory"
Maybe in reply to: KSR[T]: "KSR[T] Advisory #2: ld.so"