Subject: re: RelCache (aka ELF prebinding) news
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: matthew green <mrg@eterna.com.au>
List: tech-userlevel
Date: 12/04/2002 12:43:39
> > The sole purpose of this identifier is to ensure that ld.so does not
> > mistake one legitimate .so file for another. Deliberate attempts to
> > generate hash collisions are beyond the scope; this is not a security
> > function, we simply want reasonable assurance that the prebinder will
> > not hand you the symbols for the wrong shared object file because
> > they happened to have the same unique identifier computed from their
> > contents and stamped into them.
>
> I must be missing something. How is it not a security problem if you
> get the symbols that go with a .so file of the attacker's choice rather
> than the ones that go with the .so you wanted to use? At the very
> least, it sounds like a trivial DoS to me, and probably worse
> (consider, for example, arranging to have strncpy resolve to strcpy's
> code)....

maybe i'm missing something... how does one actually perform this attack?
.mrg.