>2014-02-16 23:36 GMT+01:00 Frank Brodbeck <[email protected]>:
>> I am not sure what point it is you are trying to make but:
>>
>> $ LD_PRELOAD=./id0 sh
>> \u@\h:\w\n$ id -un
>> root
>> \u@\h:\w\n$ less /etc/master.passwd
>> /etc/master.passwd: Permission denied
>> \u@\h:\w\n$ ls -l /etc/master.passwd
>> -rw-------  1 root  wheel  3984 Feb  5 22:44 /etc/master.passwd
>> \u@\h:\w\n$
>
>again:
>
>---
>Nothing (it's safe to self-test, so have fun). id (or whoami) thinks
>that it calls functions from libc, but it really calls functions that are
>loaded by LD_PRELOAD. These fake functions return 0, so id (whoami)
>thinks that you are root.
>---
>
>This means that you don't have root access (or uid 0), but id (whoami)
>thinks that you are root (uid 0). If you put something more dangerous
>in a function such as readpassphrase(), you can e.g. capture the
>passwords etc. This example shows that using LD_PRELOAD you can inject
>your own code on OpenBSD.
>
>I hope that now it is more understandable.

This is a complete joke; you are failing to explain it properly to
people.

The above is no different from copying the "id" binary to a new place,
then hand-editing the binary to return 0 deep inside it, then running
this new copy.  Whoohoo!  Terrible risk!  Modified code lied to me!

There is no risk such as readpassphrase().  You are running the code
you intend to, and no one has fooled anyone.
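To make the point of the reply measurable, here is a small C program added to this thread (it is not code posted by either correspondent). It asks for the uid twice, once through the libc wrapper getuid() that a preloaded shim such as the thread's id0 can replace, and once through the raw syscall(2) with SYS_getuid, which the kernel answers from the credentials it actually holds for the process. It then tries to open a root-only file (the thread's /etc/master.passwd by default) so the kernel's decision can be compared with what the wrapper claims. It assumes a Linux/glibc build environment for syscall(2) and the SYS_getuid constant; the function names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* uid as reported by the libc wrapper. An LD_PRELOAD object that defines
 * its own getuid() (what the thread's id0 does) is what gets called here,
 * so this value is whatever that object chooses to return. */
uid_t uid_via_libc(void) {
    return getuid();
}

/* uid as the kernel records it for this process, fetched with a raw
 * syscall so that no preloaded getuid() symbol is consulted.
 * Assumption: platform provides syscall(2) and SYS_getuid (Linux/glibc). */
uid_t uid_via_kernel(void) {
    return (uid_t)syscall(SYS_getuid);
}

/* Returns 1 when the wrapper and the kernel disagree, i.e. something loaded
 * into this process has interposed getuid(); 0 otherwise. */
int getuid_is_interposed(void) {
    return uid_via_libc() != uid_via_kernel();
}

/* Try to open path read-only. Returns 0 on success, otherwise errno
 * (EACCES when the credentials the kernel holds are insufficient,
 * regardless of what getuid() in this process claims). */
int try_open_readonly(const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/etc/master.passwd";
    int err;

    printf("getuid() via libc   : %u\n", (unsigned)uid_via_libc());
    printf("getuid() via kernel : %u\n", (unsigned)uid_via_kernel());
    printf("getuid() interposed : %s\n", getuid_is_interposed() ? "yes" : "no");

    err = try_open_readonly(path);
    if (err)
        printf("open(%s): %s\n", path, strerror(err));
    else
        printf("open(%s): succeeded\n", path);
    return 0;
}
```

Run it plainly and then under the same LD_PRELOAD shim the thread describes: the libc line flips to 0 and the interposition check says "yes", while the kernel line and the open() result do not change, which is exactly the "modified code lied to me" outcome rather than a privilege change. The check is a demonstration, not a hardened detector: a shim can just as well interpose syscall() itself, and the dynamic loader already refuses LD_PRELOAD for set-user-ID executables, so the only process that can be lied to this way is one the same user chose to run with that environment.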
