Subject: re: RelCache (aka ELF prebinding) news
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: matthew green <mrg@eterna.com.au>
List: tech-userlevel
Date: 12/04/2002 12:43:39
   > The sole purpose of this identifier is to ensure that ld.so does not
   > mistake one legitimate .so file for another.  Deliberate attempts to
   > generate hash collisions are beyond the scope; this is not a security
   > function, we simply want reasonable assurance that the prebinder will
   > not hand you the symbols for the wrong shared object file because
   > they happened to have the same unique identifier computed from their
   > contents and stamped into them.
   
   I must be missing something.  How is it not a security problem if you
   get the symbols that go with a .so file of the attacker's choice rather
   than the ones that go with the .so you wanted to use?  At the very
   least, it sounds like a trivial DoS to me, and probably worse
   (consider, for example, arranging to have strncpy resolve to strcpy's
   code)....


maybe i'm missing something... how does one actually perform this attack?


.mrg.
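The exchange above turns on whether the per-object identifier can be trusted once an attacker controls a .so file. The following is an added illustration, not code from the thread or from NetBSD's RelCache: it models a prebinding cache keyed on a content-derived identifier and shows the check a loader would need so that a foreign object carrying a copied stamp never receives another library's symbols. The choice of SHA-256 as the identifier, the `PrebindCache` class and the byte strings standing in for shared objects are all assumptions constructed for this example; the thread does not say how the real identifier is computed.

```python
import hashlib
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-ins for the contents of two shared objects. Real ones are
# ELF images on disk; a few bytes are enough to exercise the cache logic.
LIBC_REAL = b"\x7fELF libc.so.12 strncpy=bounded-copy strcpy=unbounded-copy"
LIBC_OTHER = b"\x7fELF libc.so.12 strncpy=alias-of-strcpy"

Symbols = Dict[str, int]


def content_id(so_bytes: bytes) -> str:
    """Identifier derived from the whole object file.

    Assumption: a collision-resistant digest (SHA-256). The property relied on
    is that two different files cannot practically share an identifier, which
    a short checksum chosen only to avoid accidental clashes would not give.
    """
    return hashlib.sha256(so_bytes).hexdigest()


class PrebindCache:
    """Toy prebinding cache: content id -> symbol addresses recorded earlier."""

    def __init__(self) -> None:
        self._entries: Dict[str, Symbols] = {}

    def record(self, so_bytes: bytes, symbols: Symbols) -> str:
        """Store prebound symbols for a file and return the id to stamp into it."""
        cid = content_id(so_bytes)
        self._entries[cid] = dict(symbols)
        return cid

    def lookup(self, so_bytes: bytes, stamped_id: str) -> Optional[Symbols]:
        """Return prebound symbols only if the mapped file is the recorded one.

        The stamp lives inside the file, so whoever supplies the file also
        supplies the stamp. It is used as a hint only: the digest is recomputed
        over the bytes actually mapped, and a mismatch is a cache miss rather
        than a reason to hand out the entry the stamp points at.
        """
        actual = content_id(so_bytes)
        if actual != stamped_id:
            return None
        return self._entries.get(actual)


def resolve(cache: PrebindCache, so_bytes: bytes, stamped_id: str,
            full_resolution: Callable[[bytes], Symbols]) -> Tuple[Symbols, str]:
    """Use the cache when it vouches for this exact file, else resolve normally."""
    prebound = cache.lookup(so_bytes, stamped_id)
    if prebound is None:
        return full_resolution(so_bytes), "resolved"
    return prebound, "prebound"


def slow_resolution(so_bytes: bytes) -> Symbols:
    """Stand-in for ld.so walking the object's own symbol table."""
    # Constructed: addresses differ per file so the two paths are distinguishable.
    return {"strncpy": 0x9000 if so_bytes is LIBC_OTHER else 0x1000,
            "strcpy": 0x2000}


def demo() -> Tuple[Tuple[Symbols, str], Tuple[Symbols, str]]:
    cache = PrebindCache()
    stamp = cache.record(LIBC_REAL, {"strncpy": 0x1000, "strcpy": 0x2000})
    # Genuine file with its own stamp: served from the cache.
    genuine = resolve(cache, LIBC_REAL, stamp, slow_resolution)
    # Different file that merely copied the stamp: recomputed id differs,
    # so it gets its own symbols through full resolution, not libc's.
    foreign = resolve(cache, LIBC_OTHER, stamp, slow_resolution)
    return genuine, foreign


if __name__ == "__main__":
    print(demo())
```

The cost of this check is the part the thread is implicitly arguing about: recomputing a digest over the whole object at load time means reading every byte, which erodes the start-up saving prebinding exists to provide. A design that skips the recomputation is instead relying on something else, typically file ownership and permissions on both the libraries and the cache, to keep attacker-controlled objects out of the picture.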