Subject: Re: RelCache (aka ELF prebinding) news
To: Thor Lancelot Simon <tls@rek.tjls.com>
From: None <kpneal@pobox.com>
List: tech-userlevel
Date: 12/03/2002 20:31:33
On Tue, Dec 03, 2002 at 07:31:35PM -0500, Thor Lancelot Simon wrote:
> On Wed, Dec 04, 2002 at 12:52:22AM +0100, der Mouse wrote:
> > I must be missing something.  How is it not a security problem if you
> > get the symbols that go with a .so file of the attacker's choice rather
> > than the ones that go with the .so you wanted to use?  At the very
> > least, it sounds like a trivial DoS to me, and probably worse
> > (consider, for example, arranging to have strncpy resolve to strcpy's
> > code)....
> 
> Ding!  Now, here's a reason why the .so file's metadata *must* be used;
> at the very least, the file's owner and permissions, but really, you
> actually also need the dev/inum/generation triple that uniquely identifies
> a file in the filesystem to the kernel (at which point, I'm tempted to
> ask "why the checksum?" but I suppose it serves as a decent sanity 
> check).

So, um, how would an attacker get a rogue .so file picked up by the
runtime linker?

What would prebinding change? If it is a security problem with prebinding
then is it not the exact same security problem as things currently
stand?
-- 
"A method for inducing cats to exercise consists of directing a beam of
invisible light produced by a hand-held laser apparatus onto the floor ...
in the vicinity of the cat, then moving the laser ... in an irregular way
fascinating to cats,..." -- US patent 5443036, "Method of exercising a cat"
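The check Thor describes above (record the .so's owner and permissions and
the kernel's identity for the file, not just a checksum, and refuse the
cached relocations when any of it changes) can be shown in a few dozen lines.
The following is an added example written for this archive page; it is not
code from the thread, from RelCache, or from NetBSD's ld.elf_so. It assumes
only POSIX stat(2): the dev/inode pair stands in for the dev/inum/generation
triple, since st_gen is a BSD-specific field and is not portable, and the
checksum is left out. The temporary file names and contents are constructed
for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <time.h>

/* Identity recorded for a shared object when its relocation data is cached.
 * dev+ino is how the kernel names the file; the BSD generation number
 * (st_gen) from the thread is not portable and is omitted here
 * (assumption: dev/ino plus owner, mode, size and mtime suffice for the
 * demonstration). */
struct cache_entry {
    dev_t  dev;
    ino_t  ino;
    uid_t  uid;
    mode_t mode;   /* permission bits only */
    off_t  size;
    time_t mtime;
};

/* Trust policy for a .so whose relocations may be cached: a regular file
 * owned by root or by the calling user, and not writable by group or others. */
static int so_trusted(const struct stat *st) {
    if (!S_ISREG(st->st_mode)) return 0;
    if (st->st_uid != 0 && st->st_uid != geteuid()) return 0;
    if (st->st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Record the identity of the object at path. Returns 0 on success, -1 if the
 * file cannot be stat'ed or fails the trust policy (nothing is cached then). */
int cache_record(const char *path, struct cache_entry *e) {
    struct stat st;
    if (stat(path, &st) != 0 || !so_trusted(&st)) return -1;
    e->dev   = st.st_dev;
    e->ino   = st.st_ino;
    e->uid   = st.st_uid;
    e->mode  = st.st_mode & 07777;
    e->size  = st.st_size;
    e->mtime = st.st_mtime;
    return 0;
}

/* Returns 1 if the object at path is still the one the entry was built for
 * and still passes the trust policy; 0 means the cached relocations must be
 * discarded and the object relinked from scratch. */
int cache_valid(const char *path, const struct cache_entry *e) {
    struct stat st;
    if (stat(path, &st) != 0 || !so_trusted(&st)) return 0;
    return st.st_dev == e->dev && st.st_ino == e->ino &&
           st.st_uid == e->uid && (st.st_mode & 07777) == e->mode &&
           st.st_size == e->size && st.st_mtime == e->mtime;
}

/* Driver: build an entry for a constructed temporary file, then show that
 * loosening its permissions, or replacing it with a different file of the
 * same size (and possibly the same mtime) but a different inode, invalidates
 * the entry. Returns 0 when each step behaves as described, else the step. */
int run_demo(void) {
    char a[] = "/tmp/relcache_a_XXXXXX";            /* constructed names */
    char b[] = "/tmp/relcache_b_XXXXXX";
    struct cache_entry e;
    int fa = mkstemp(a), fb = mkstemp(b);          /* created with mode 0600 */
    if (fa < 0 || fb < 0) return 1;
    if (write(fa, "libA", 4) != 4 || write(fb, "libB", 4) != 4) return 2;
    close(fa); close(fb);

    if (cache_record(a, &e) != 0) return 3;
    if (!cache_valid(a, &e)) return 4;             /* untouched: still valid */

    if (chmod(a, 0666) != 0) return 5;
    if (cache_valid(a, &e)) return 6;              /* world-writable: rejected */
    if (chmod(a, 0600) != 0) return 7;
    if (!cache_valid(a, &e)) return 8;             /* restored: valid again */

    if (rename(b, a) != 0) return 9;               /* a different file at path */
    if (cache_valid(a, &e)) return 10;             /* new inode: cache is stale */

    unlink(a);
    return 0;
}

int main(void) {
    int rc = run_demo();
    if (rc == 0)
        printf("all checks behaved as expected\n");
    else
        printf("unexpected result at step %d\n", rc);
    return rc;
}
```

The last two steps are the point of the thread: size and modification time can
match across a substituted file, so a cache keyed on those alone (or on the
path) would hand out the wrong symbol bindings; the inode identity is what
forces a relink.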