[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [ GLSA 200408-16 ] glibc: Information leak with LD_DEBUG

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: [ GLSA 200408-16 ] glibc: Information leak with LD_DEBUG
From: Jim Paris <jim@xxxxxxxx>
Date: Fri, 20 Aug 2004 03:24:53 -0400

> Silvio Cesare discovered a potential information leak in glibc. It
> allows LD_DEBUG on SUID binaries where it should not be allowed. This
> has various security implications, which may be used to gain
> confidentional information.

It's worse than that.  You can essentially single-step through the
library calls of a binary by turning on verbose debugging through
LD_DEBUG and then carefully controlling stdout so that the program
blocks while writing the debugging output.  I've used this to exploit
race conditions in setuid binaries that would otherwise be nearly
impossible to trigger.

Gentoo's method of adding LD_DEBUG to UNSECURE_ENVVARS will prevent
this.

-jim

Follow-Ups:
- Re: [ GLSA 200408-16 ] glibc: Information leak with LD_DEBUG
  - From: Solar Designer

References:
- [ GLSA 200408-16 ] glibc: Information leak with LD_DEBUG
  - From: Kurt Lieber

Prev by Date: What A Drag II XP SP2
Next by Date: Re: Third party cookie handling in Opera can lead to potential compromises in Servers relying on redirection
Previous by thread: [ GLSA 200408-16 ] glibc: Information leak with LD_DEBUG
Next by thread: Re: [ GLSA 200408-16 ] glibc: Information leak with LD_DEBUG
Index(es):
- Date
- Thread