Bugtraq mailing list archives
Re: KSR[T] Advisory #2: ld.so
From: proff () SUBURBIA NET (Julian Assange)
Date: Sat, 19 Jul 1997 00:07:59 +1000
Affected Program: ld.so / ld-linux.so Problem Description: ld.so is the run-time linker used by dynamically linked executables(a.out). Inside the error reporting function there is a call to vsprintf, which doesn't check the size of the string it is storing in an automatic buffer. The ELF version of run-time linker(ld-linux.so) is vulnerable to an almost identical stack overwrite.
I discovered this attack over a year ago, so let me fill you in. At that time the a.out ld.so was not vulnerable but ELF ld.so definately was. Trigging the overflow required a resource starvation attack on fd's, which was easily performed by setting system resource consumption limits for file descriptors to an appropriately low value. FreeBSD was not vulnerable to any ld.so attacks that I could observe. -- Prof. Julian Assange |If you want to build a ship, don't drum up people |together to collect wood and don't assign them tasks proff () iq org |and work, but rather teach them to long for the endless proff () gnu ai mit edu |immensity of the sea. -- Antoine de Saint Exupery
Current thread:
- Re: KSR[T] Advisory #2: ld.so Julian Assange (Jul 18)