Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×
Security Unix Technology

Arbitrary Code Execution With "ldd" 184

Posted by kdawson from the so-easy dept.
pkrumins writes "The ldd utility is more vulnerable than you think. It's frequently used by programmers and system administrators to determine the dynamic library dependencies of executables. Sounds pretty innocent, right? Wrong! It turns out that running ldd on an executable can result in executing arbitrary code. This article details how such executable can be constructed and comes up with a social engineering scenario that may lead to system compromise. I researched this subject thoroughly and found that it's almost completely undocumented."
This discussion has been archived. No new comments can be posted.

Arbitrary Code Execution With "ldd" More

Arbitrary Code Execution With "ldd"

Comments Filter:

  • the bug is not in ldd (Score:4, Informative)

    by FranTaylor ( 164577 ) on Monday October 26, 2009 @11:24AM (#29872887)

    If you had read the article closely you would understand that the bug is not in ldd, it is in the dynamic loader.

  • Re:Another WIN in WINdows (Score:5, Informative)

    by Fizzl ( 209397 ) <fizzl@@@fizzl...net> on Monday October 26, 2009 @11:28AM (#29872921) Homepage Journal

    http://www.dependencywalker.com/ [dependencywalker.com]

  • Re:Another WIN in WINdows (Score:5, Informative)

    by MyLongNickName ( 822545 ) on Monday October 26, 2009 @11:30AM (#29872949) Journal

    Yup. I've used it. It is a very useful tool. Note that this is not something built into Windows.

  • Re:Another WIN in WINdows (Score:5, Informative)

    by joebp ( 528430 ) on Monday October 26, 2009 @11:31AM (#29872955) Homepage
    depends.exe does exactly this and ships with the platform sdk.

  • And the point is... (Score:2, Informative)

    by FlyingBishop ( 1293238 ) on Monday October 26, 2009 @11:34AM (#29872983)

    So, firstly, don't run ldd as root. (I use sudo, so no issues there.)

    Secondly, don't use ldd on untrusted binaries. If you don't trust it why are you trying to run it? I suppose this is useful to see if the attacker is being really obvious and dynamically linking to net-code in a program that shouldn't need net, but other than that I don't see where this is going to be a serious problem, except in the case where you have a direct line to your sysadmin, but if that's the case there are probably a dozen different ways you can trick him into running arbitrary code, not the least of which is "hey, can you install this for me? I need it to get x done." If you're intelligent enough to hack a binary, I think you're intelligent enough that you can come up with a plausible reason your admin should install something you compiled yourself.

  • Re:the bug is not in ldd (Score:4, Informative)

    by Timothy Brownawell ( 627747 ) <tbrownaw@prjek.net> on Monday October 26, 2009 @11:46AM (#29873149) Homepage Journal

    If you had read the article closely you would understand that the bug is not in ldd, it is in the dynamic loader.

    The bug is that ldd executes the dynamic loader, which is specified by the executable being inspected. So if the executable claims to use ~/bin/evil.so as a loader instead of the standard /lib/ld-linux.so, then ldd will execute ~/bin/evil.so.

  • Re:And the point is... (Score:0, Informative)

    by Anonymous Coward on Monday October 26, 2009 @11:48AM (#29873189)
    So, firstly, don't run ldd as root. (I use sudo, so no issues there.)

    Dude, what are you smokin'? "sudo ldd " IS running it as root. learn2comprehend

  • use readelf (Score:1, Informative)

    by Anonymous Coward on Monday October 26, 2009 @11:56AM (#29873305)

    readelf -d

  • Re:Specific to Linux? (Score:3, Informative)

    by __aasqbs9791 ( 1402899 ) on Monday October 26, 2009 @11:57AM (#29873321)

    From what I can tell, you can't really fix this as it is what the program does (though I could be wrong). It runs the program to find out what libraries it requires. That's why there's a warning that tells you not to run this on an untrusted program (linked to in a post above). It's sort of like saying sudo is a vulnerability because it lets you run untrusted program code.

  • Re:Specific to Linux? (Score:3, Informative)

    by theCoder ( 23772 ) on Monday October 26, 2009 @12:00PM (#29873375) Homepage Journal

    The author mentioned that on BSD the `ldd' app is a C app that does basically what the Linux shell script `ldd' does. The Solaris `ldd' is also an app, so I can't verify that it's the same as on BSD, but setting LD_TRACE_LOADED_OBJECTS=1 before running an application does cause ldd like output, so I would suspect the same rules apply under Solaris as described in the article.

  • Wrong (Score:1, Informative)

    by Anonymous Coward on Monday October 26, 2009 @12:15PM (#29873535)

    Actually, that is wrong. Dependency Walker can, if you order it to, execute arbitrary code. It has to, because otherwise you could never have the profiling feature that enables you to hunt for hidden run-time dependencies.

  • Re:Specific to Linux? (Score:2, Informative)

    by Anonymous Coward on Monday October 26, 2009 @01:18PM (#29874295)

    on NetBSD 4.0_STABLE:

    > LD_TRACE_LOADED_OBJECTS=1 ls

    shows normal ls output

    > file `which ldd` /usr/bin/ldd: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for NetBSD 4.0, dynamically linked (uses shared libs), not stripped

    I've looked through the NetBSD ldd source and it does seem to parse the elf imports table etc rather then running the program.

  • Re:the bug is not in ldd (Score:5, Informative)

    by marcansoft ( 727665 ) <hector@TOKYOmarcansoft.com minus city> on Monday October 26, 2009 @01:22PM (#29874373) Homepage

    The bug is that ldd is trying to do the impossible: list dynamic dependencies for executables that it doesn't understand (more precisely: executables that don't use glibc and/or the standard linking mechanisms). The catch is that glibc's implementation offloads this task onto the dynamic linker, and whoever wrote ldd thought the rest of the world would be nice and follow ld-linux's environment variable convention with their dynamic loaders. And, of course, this completely violates the assumption that ldd treats its argument as data, and will not run code from it.

    What ldd needs to do is realize that trying to be generic is futile, and either a) check for ld-linux and bail if otherwise, or b) become a real C app (using libbfd?) that can inspect the executable as data, which might gain it compatibility with other loaders if they follow the same ELF ABI for dependency specification. And under no circumstances actually call out to any untrusted code or libraries to do this.

  • Documented in ldd(1) and Program Library HOWTO (Score:4, Informative)

    by dwheeler ( 321049 ) on Monday October 26, 2009 @02:26PM (#29875213) Homepage Journal
    This is documented, and in multiple places. My Program Library HOWTO, section "Shared Libraries" [dwheeler.com], says the following, and it's dated in 2000: "Beware: do not run ldd on a program you don't trust. As is clearly stated in the ldd(1) manual, ldd works by (in certain cases) by setting a special environment variable (for ELF objects, LD_TRACE_LOADED_OBJECTS) and then executing the program. It may be possible for an untrusted program to force the ldd user to run arbitrary code (instead of simply showing the ldd information). So, for safety's sake, don't use ldd on programs you don't trust to execute." Now I'd agree that it would better if ldd were changed to NOT do this. If the result of this article is a change in its code to not do this, that would be a great result. But it's simply not true that this is undocumented.

  • Re:The problem is the executable (Score:3, Informative)

    by david_thornley ( 598059 ) on Monday October 26, 2009 @04:47PM (#29877115)
    There's different ways of getting compromised executables onto systems. They're just files, after all, and lots of systems have ways of accepting arbitrary files (FTP servers, for example, often have anonymous dropboxes). The trick is to get somebody to execute them, and most people running Linux systems are a bit smarter than that. If the admins think a certain thing is harmless, and it isn't (in this case, ldd), it's an attack vector.

  • Re:Thorough research (Score:3, Informative)

    by Random Walk ( 252043 ) on Tuesday October 27, 2009 @05:21AM (#29881737)
    The Linux manpage (on Ubuntu 8.04) says ldd prints the shared libraries required by each program or shared library specified on the command line. Note that it doesn't mention anywhere that the program is executed, and doesn't contain any security warning. If there is no hint of the problem at the primary source of usage information, then the issue IS undocumented.

Slashdot Top Deals

What is research but a blind date with knowledge? -- Will Harvey

Close