
Glibc ld-2.5.so security

Posted on 19 August 2013

------------------------------------------------------------------------
ld-2.5.so security
x90c
------------------------------------------------------------------------

----[ toc

1 - Intro
2 - detection
  2.1 - glibc 2.5 rtld security mechanisms
  2.2 - attack techniques
  2.3 - payload injection vectors
3 - conclusion
4 - reference
5 - greets

----[ 1 - Intro

I researched the security of the glibc 2.5 rtld dynamic linker. This article catalogues all the security mechanisms and attack techniques of the rtld; they can be used in exploitation and as the basis for new attack techniques.

----[ 2 - security mechanism/attack technique detection

----[ 2.1 - glibc 2.5 rtld security mechanisms

There are 18 security mechanisms detected in the glibc 2.5 rtld dynamic linker. They can be used when exploiting the dynamic linker or when building an attack technique.

- --verify: shared object validation option
- SYSINFO_DSO (visible/invisible object)
- --audit: auditing DSOs
- stack checker's canary
- pointer guard
- preload
- prelinked library validation (mapped? / checksum / timestamp)
- __libc_enable_secure internal variable
- /etc/suid-debug file
- dl_main.c: link_map object free guard (link_map->l_libname->dont_free)
- lazy binding control: LD_BIND_NOT, LD_BIND_NOW environment variables
- ELF PROT_* protection, PF_* mmap segment permissions
- symbol hash: dl_new_hash / DT_HASH
- debug/profiling: DEBUG_OUTPUT/PROFILE_OUTPUT environment variables
- HWCAP_MASK environment variable (important hardware capabilities)
- copy relocs (.conflict section)
- debugging the dynamic linker
- rtld mode

----[ 2.2 - attack techniques

There are 14 glibc rtld related attack techniques detected between 1997 and 2003. rtld attacks started in 1997, and the last article is from 2003. The techniques can be used after reading the corresponding Phrack articles.

1997
-----------------------------------------
- shared library redirection <1> (LD_PRELOAD & LD_LIBRARY_PATH)
-----------------------------------------
1998
- openbsd TPE glibc preload protection <2>
-----------------------------------------
2000
- LD_BIND_NOW control <3>
- ELF Infection
- PLT Redirection
- PLT Redirection in memory
-----------------------------------------
2001
-----------------------------------------
- ret-into-dl <4>
- GOT overwrite
-----------------------------------------
2002
- plain asm code injection <5>
- .so injection
-----------------------------------------
2003
- Backdooring in 4 bytes <6>
- ET_REL injection
- ALTPLT
- .strtab Modification <7>
-----------------------------------------

* <1> halflife <2> daemon9 <3> Silvio <4> Nergal <5> anonymous author <6> mayhem <7> truff

The most frequently mentioned attack techniques are (ordered from most to least mentioned):

[1] LD_* preloads
[2] LD_BIND_* lazy binding control
[3] Malicious ELF
[4] dynamic linker run-time code manipulation
[5] glibc run-time code abuse

----[ 2.3 - payload injection vectors

There are 6 payload injection vectors detected. You can try to discover security bugs in the rtld by passing your payload through them:

- ldconfig
- libdl (library)
- preloads
- audit DSO
- malicious elf
- environ

----[ 3 - conclusion

You will probably find it hard to find a bug in the rtld of glibc itself. For architectural reasons, the dynamic linker of a modern OS can hardly have a security bug, but we can build many attack techniques with run-time or non-run-time (binary manipulation or environment manipulation) approaches.

In summary ...

18 security mechanisms
14 attack techniques
6 payload injection vectors

... If you research a dynamic linker, aim for an attack technique rather than a vulnerability in that specific dynamic linker.

----[ 4. reference

[1] 01/09/1997, Phrack #51, Shared Library Redirection, halflife.
    http://www.phrack.org/issues.html?issue=51&id=8&mode=txt
[2] 25/12/1998, Phrack #54, Hardening OpenBSD for Multiuser Environments, route.
    http://www.phrack.org/issues.html?issue=54&id=6&mode=txt
[3] 01/05/2000, Phrack #56, Shared Library Redirection via ELF PLT Infection, Silvio.
    http://www.phrack.org/issues.html?issue=56&id=7&mode=txt
[4] 28/12/2001, Phrack #58, Advanced return-into-lib(c) exploits (PaX case study), nergal.
    http://www.phrack.org/issues.html?issue=58&id=4&mode=txt
[5] Phrack #58, Armouring the ELF: Binary encryption on the UNIX platform, grugq, scut@team-teso.
    http://www.phrack.org/issues.html?issue=58&id=5&mode=txt
[6] 28/07/2002, Phrack #59, Runtime process infection, anonymous author.
    http://www.phrack.org/issues.html?issue=59&id=8&mode=txt
[7] 13/08/2003, Phrack #61, The Cerberus ELF interface, mayhem.
    http://www.phrack.org/issues.html?issue=61&id=8&mode=txt
[8] Phrack #61, Infecting Loadable Kernel Modules, truff.
    http://www.phrack.org/issues.html?issue=61&id=10&mode=txt
[9] 01/08/2005, Phrack #63, Embedded ELF Debugging: the middle head of Cerberus, Elfsh crew.
    http://www.phrack.org/issues.html?issue=63&id=9&mode=txt
[10] 17/11/2010, Phrack #67, Scraps of notes on remote stack overflow exploitation, pi3.
    http://www.phrack.org/issues.html?issue=67&id=13&mode=txt

----[ 5. greets

#phrack@efnet #social@overthewire

EOF
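Added example, not part of x90c's article: a defender-side check for the "lazy binding control" mechanism in 2.1 and the "GOT overwrite" technique in 2.2. It parses the same structures rtld consults (program headers and the .dynamic section of an ELF64 image) and reports whether the binary asks rtld for immediate binding plus a read-only GOT (full RELRO), which removes the writable GOT slots that GOT overwrite relies on. The ELF images are constructed inline; the constants are the elf.h values.

```python
import struct

# ELF64 constants from elf.h; only the ones this check needs.
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"


def relro_status(elf: bytes) -> str:
    """Return 'full', 'partial' or 'none' for a little-endian ELF64 image.
    'full' = a PT_GNU_RELRO segment AND an immediate-binding request
    (DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW): rtld resolves every PLT entry
    before main() and then maps the GOT read-only, so no writable GOT slot
    is left. 'partial' keeps lazy binding, so the GOT stays writable."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR, elf, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    has_relro, dyn_off, dyn_sz = False, 0, 0
    for i in range(e_phnum):
        p_type, _, p_off, _, _, p_filesz, _, _ = struct.unpack_from(
            PHDR, elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_sz = p_off, p_filesz
    bind_now = False
    for off in range(dyn_off, dyn_off + dyn_sz, struct.calcsize(DYN)):
        d_tag, d_val = struct.unpack_from(DYN, elf, off)
        if d_tag == DT_NULL:
            break  # end of the .dynamic array
        if (d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
            bind_now = True
    if has_relro and bind_now:
        return "full"
    return "partial" if has_relro else "none"


def build_elf(bind_now: bool, relro: bool) -> bytes:
    """Constructed sample: minimal ELF64 image (header, phdrs, .dynamic) for testing."""
    dyn = struct.pack(DYN, DT_FLAGS, DF_BIND_NOW if bind_now else 0) + struct.pack(DYN, DT_NULL, 0)
    nph = 2 if relro else 1
    ph_off, dyn_off = struct.calcsize(EHDR), struct.calcsize(EHDR) + nph * struct.calcsize(PHDR)
    phdrs = [(PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, 0, 0, 0, 0x1000, 0x1000, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = struct.pack(EHDR, ident, 2, 0x3E, 1, 0, ph_off, 0, 0, 64, 56, nph, 64, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR, *p) for p in phdrs) + dyn
```

Run `relro_status(open(path, "rb").read())` on a real binary to get the same verdict that `-z relro -z now` link options are meant to produce.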
