Re: Solaris ld.so possibly vulnerable?

Casper Dik (casper@HOLLAND.SUN.COM)
Tue, 22 Jul 1997 11:47:28 +0200

>As for the existance of a stack overrun condition similar to the one
>in Linux in the Solaris ld.so, I do not believe this to be the case.
>
>The bug the program you posted triggers is indeed becasue of a call to
>strcpy(), however the buffers in question are not on the stack but are
>malloc()ed during run time. (There are some cases where ld.so first calls
>strlen() to determine how much memory to ask malloc() for, if I remember
>correctly; obviously, the particular instance you've discovered is not one
>of those).

The bug is in a routine that formats error messages into a dynamically allocated
buffer.

SInce the buffer will live after the program's data segment, the _iob
(stdioflow) trick won't work on it.

Also, when applied to a set-uid/set-gid program it isn't possible to
force an ld.so error using LD_PRELOAD (ignored) or many of the
other LD_ variables; they're mostly ignored)

However, in some versions of Solaris such errors are generated by the
implementation of dynamically loadable functionality and on such systems
you can crash set-uid executables.

Casper