This is the mail archive of the
mailing list for the glibc project.
[PATCH] Don't allow attackers to inject arbitrary data into stack through LD_DEBUG
- From: Alex Dowad <alexinbeijing at gmail dot com>
- To: libc-alpha at sourceware dot org
- Date: Sun, 9 Aug 2015 22:59:05 +0200
- Subject: [PATCH] Don't allow attackers to inject arbitrary data into stack through LD_DEBUG
- Authentication-results: sourceware.org; auth=none
C programs which use uninitialized stack variables can be exploited if an attacker
can control the contents of memory where the buggy function's stack frame lands.
If the buggy function is called very early in the program's execution, that memory
might still hold values written by ld.so, so manipulation of ld.so is one way to
carry out such an exploit.
But how can an unprivileged user, running a set-UID program, cause ld.so to write
arbitrary data onto the stack? One way is to assign it to LD_DEBUG. When printing the
resulting warning message, ld.so uses alloca to create a buffer on the stack, and
copies the entire contents of LD_DEBUG into it (even if it is dozens of kilobytes long).
Of course, people shouldn't write programs which use uninitialized variables, but it
is easy enough to plug this hole if they do -- zero out the buffer after printing the
warning message. Call it the "pants and suspenders" approach.
Dear GLibc devs,
Does this look like something you might be interested in merging? I've never contributed
before, and haven't filled in any copyright attribution papers, but am happy to do so
I discovered this issue while playing through a hacking "wargame" where players must
develop exploits against programs with deliberately planted security vulnerabilities.
It helped me "beat" the game by achieving a privilege escalation.
elf/rtld.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/elf/rtld.c b/elf/rtld.c
index 6dcbabc..ee194a6 100644
@@ -2408,6 +2408,8 @@ process_dl_debug (const char *dl_debug)
char *copy = strndupa (dl_debug, len);
warning: debug option `%s' unknown; try LD_DEBUG=help\n", copy);
+ /* Don't let an attacker inject arbitrary data into the stack area */
+ __builtin_memset(copy, 0, len);
dl_debug += len;