Quoting GOTO Masanori <[EMAIL PROTECTED]>:

> How to allow pauses and single-stepping? Bugtraq does not say anything
> about the latter things.

http://seclists.org/lists/bugtraq/2004/Aug/0281.html

"You can essentially single-step through the library calls of a binary by
turning on verbose debugging through LD_DEBUG and then carefully
controlling stdout so that the program blocks while writing the debugging
output. I've used this to exploit race conditions in setuid binaries that
would otherwise be nearly impossible to trigger." -- Jim Paris

You basically pipe the program to some other program that stops reading
when you want to. I played around with this technique myself, without
involving LD_DEBUG:

$ perl -e 'while (1) { print scalar localtime, "\n"; }' | perl -e 'while (<>) { print; sleep 1; }'
Sun Sep 26 12:11:08 2004
Sun Sep 26 12:11:08 2004
Sun Sep 26 12:11:08 2004
[..lots of copies of this line..]
Sun Sep 26 12:11:08 2004
Sun Sep 26 12:11:08 2004
Sun Sep 26 12:11:08 2004
Sun Sep 26 12:13:52 2004
[..paused for two and a half minutes!..]
Sun Sep 26 12:13:52 2004
Sun Sep 26 12:13:52 2004
Sun Sep 26 12:13:52 2004
[..lots of copies of this line..]
Sun Sep 26 12:13:52 2004
Sun Sep 26 12:13:52 2004
Sun Sep 26 12:13:52 2004
Sun Sep 26 12:16:38 2004
[..paused for two and a half minutes!..]
Sun Sep 26 12:16:38 2004
Sun Sep 26 12:16:38 2004
Sun Sep 26 12:16:38 2004
[..and so on..]

As you can see, you can make a program pause for several minutes with this
technique. I'm not quite sure where the buffering comes from, if it's Perl
or what. I suppose I should try this in some other language.

To sum up: LD_DEBUG prints lots of output, and that allows an attacker to
perform timing-critical security attacks (doing nasty things between
operations like adding symlinks) by pausing a program at an arbitrary
point. As suid/sgid programs are the most security critical, libc6 should
ignore LD_DEBUG when running those.

-- Ulf Harnhammar
http://www.advogato.org/person/metaur/
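The pause shown in the Perl session above is kernel pipe backpressure rather than anything Perl-specific: once the pipe between the two processes is full, the writer blocks inside write(2) until the reader drains it. The Python script below is an added example, not part of the bug report; it runs a constructed child that prints timestamps, withholds reading for a while, and measures from the child's own timestamps how long it stayed frozen, which is the effect that makes a chatty LD_DEBUG dangerous for set-uid programs.

```python
import subprocess
import sys
import time

# Constructed child program: emits a timestamped line, flushed, forever.
# It stands in for any verbose program (e.g. one run with LD_DEBUG set).
WRITER = (
    "import sys, time\n"
    "while True:\n"
    "    sys.stdout.write('%.6f\\n' % time.time())\n"
    "    sys.stdout.flush()\n"
)

def measure_stall(hold_seconds=2.0, max_lines=500000):
    """Run WRITER with stdout on a pipe and refuse to read for hold_seconds.

    The pipe fills within milliseconds; after that the child sits blocked
    in write(2) until we read. Returns (buffered_lines, gap): lines written
    before the stall, and the jump between the child's last pre-stall and
    first post-stall timestamps (roughly hold_seconds).
    """
    proc = subprocess.Popen([sys.executable, "-c", WRITER],
                            stdout=subprocess.PIPE)
    try:
        time.sleep(hold_seconds)        # not reading is what pauses the child
        prev = None
        gap = 0.0
        buffered = 0
        for _ in range(max_lines):
            line = proc.stdout.readline()   # first read unblocks the child
            if not line:
                break
            stamp = float(line)
            if prev is not None:
                delta = stamp - prev
                if delta > hold_seconds / 2:
                    gap = delta             # first line after the stall
                    break
            prev = stamp
            buffered += 1
        return buffered, gap
    finally:
        proc.kill()
        proc.wait()
        proc.stdout.close()

if __name__ == "__main__":
    n, gap = measure_stall(2.0)
    print(f"{n} lines buffered before the writer blocked; stalled {gap:.2f}s")
```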

