Re: libltdl is inefficient and a security hazard
From: Bob Friesenhahn
Subject: Re: libltdl is inefficient and a security hazard
Date: Thu, 5 Nov 2009 17:41:30 -0600 (CST)
User-agent: Alpine 2.01 (GSO 1266 2009-07-14)

From OS-X Leopard manual page for dlopen():

    When path doesn't contain a slash character (i.e. it is just a leaf
    name), dlopen() searches the following until it finds a compatible
    Mach-O file: $LD_LIBRARY_PATH, $DYLD_LIBRARY_PATH, current working
    directory, $DYLD_FALLBACK_LIBRARY_PATH.

and this is why searching for bare "module.a" checks the current
directory.

Here is evidence that there is an easy exploit:
scrappy:~% ./ltdlopentest /Users/bfriesen/src/graphics/test-progs/mymodule.la
plugin opened successfully!
scrappy:~% ls -l mymodule.a
lrwxr-xr-x 1 bfriesen bfriesen 59 Nov 5 17:39 mymodule.a@ -> /usr/local/lib/GraphicsMagick-1.4/modules-Q16/coders/sun.so
scrappy:~% ./ltdlopentest /Users/bfriesen/src/graphics/test-progs/mymodule.la
plugin opened successfully!
Bob
--
Bob Friesenhahn
address@hidden, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/