Breaking the links: Exploiting the linker
I've recently been working on a paper on Linux and POSIX linkers, the most recent release of which can be found at:

* http://www.nth-dimension.org.uk/downloads.php?id=77

I'm particularly interested in feedback on references or threats that I may have missed. As per the abstract, the aim of the paper wasn't to claim everything as my own but rather to document as much as possible about common flaws and how to identify them.

Whilst working on the paper I came across a number of interesting bugs (some exploitable, others sadly not). The paper itself touches on the circumstances around CVE-2011-1126, but two other bugs also mentioned in the paper (one of which I released the advisory NDSA20110310 for) are potentially more useful, so I've written PoC to exploit them:

1) http://www.nth-dimension.org.uk/downloads.php?id=83 - Privesc attack using DB2 from normal user to root. The PoC is for Linux, but based on testing the AIX version looks iffy too, although I couldn't get gcc to generate a valid library to exploit it.

2) http://www.nth-dimension.org.uk/downloads.php?id=80 - Generic attack on the QNX runtime linker which abuses an arbitrary file overwrite and race condition to get root.

The paper is still a work in progress, but both DB2 and QNX are available for download if you want to take them for a spin. Anyway, enjoy!
Tim
-- 
Tim Brown
<mailto:timb@nth-dimension.org.uk>
<http://www.nth-dimension.org.uk/>