svn commit: r318313 - head/libexec/rtld-elf

Shawn Webb shawn.webb at hardenedbsd.org
Mon May 15 19:13:20 UTC 2017


On Mon, May 15, 2017 at 01:08:55PM -0600, Ian Lepore wrote:
> On Mon, 2017-05-15 at 22:00 +0300, Konstantin Belousov wrote:
> > On Mon, May 15, 2017 at 06:52:36PM +0000, Alexey Dokuchaev wrote:
> > > 
> > > On Mon, May 15, 2017 at 06:48:58PM +0000, Konstantin Belousov wrote:
> > > > 
> > > > New Revision: 318313
> > > > URL: https://svnweb.freebsd.org/changeset/base/318313
> > > > 
> > > > Log:
> > > >   Make ld-elf.so.1 directly executable.
> > > Does it mean that old Linux' trick of /lib/ld-linux.so.2 /bin/chmod +x
> > > /bin/chmod would now be possible on FreeBSD as well?
> > Yes.
> > 
> > > 
> > > Does this have any security implications?
> > What do you mean?
> > 
> 
> Well, for example, it seems like it would allow anyone to execute a
> binary even if the sysadmin had set it to -x specifically to prevent
> people from running it.

It additionally subverts application whitelisting schemes where all
dependent shared objects (even the rtld) are checked (such is the case
with Integriforce in HardenedBSD).

Since even the rtld is checked, an attacker can now bypass the
application whitelisting scheme by running: /libexec/ld-elf.so.1
/path/to/previously/disallowed/executable

Thanks,

-- 
Shawn Webb
Cofounder and Security Engineer
HardenedBSD

GPG Key ID:          0x6A84658F52456EEE
GPG Key Fingerprint: 2ABA B6BD EF6A F486 BE89  3D9E 6A84 658F 5245 6EEE
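
A defender-side sketch of the point made in this message, as an added example that is not part of the original post or of HardenedBSD's code: an exec audit that looks through a direct rtld invocation to the program named in argv[1]. The path-based allowlist and all function names are assumptions for illustration; only the rtld path comes from the message.

```python
import os
import stat
import tempfile

# Assumption: rtld path as written in the message; the allowlist is a simplified
# path-based model, not a description of how Integriforce is implemented.
RTLD = "/libexec/ld-elf.so.1"

def has_exec_bit(path):
    """True if any execute bit is set on path (False if it cannot be stat'ed)."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))

def effective_program(argv):
    """Program whose code actually runs: argv[1] when rtld is exec'd directly."""
    exe = os.path.normpath(argv[0])
    if exe == RTLD and len(argv) > 1:
        return os.path.normpath(argv[1])
    return exe

def naive_allows(argv, allowlist):
    """Checks only the file passed to exec, so an allowlisted rtld always passes."""
    return os.path.normpath(argv[0]) in allowlist

def audit_exec(argv, allowlist):
    """Return findings for one exec record, looking through a direct rtld call."""
    findings = []
    exe, prog = os.path.normpath(argv[0]), effective_program(argv)
    if exe not in allowlist:
        findings.append("exec-not-allowlisted")
    if prog != exe:
        findings.append("direct-rtld-exec")
        if prog not in allowlist:
            findings.append("target-not-allowlisted")
        if not has_exec_bit(prog):
            findings.append("target-lacks-exec-bit")
    return findings

def demo():
    """Constructed sample: a file with the execute bit removed, run via rtld."""
    with tempfile.TemporaryDirectory() as d:
        blocked = os.path.join(d, "blocked-tool")
        open(blocked, "w").close()
        os.chmod(blocked, 0o644)  # sysadmin cleared the execute bit
        allow = {RTLD, "/bin/ls"}
        argv = [RTLD, blocked]
        return naive_allows(argv, allow), audit_exec(argv, allow)

if __name__ == "__main__":
    print(demo())
```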