2014-02-17 21:25 GMT+01:00 Theo de Raadt <dera...@cvs.openbsd.org>:
>> 2014-02-17 20:48 GMT+01:00 Miod Vallat <m...@online.fr>:
>>>> Attacks with LD_PRELOAD are very old and can
>>>> be performed on any OS where you have dynamic linking (Linux, *BSD
>>>> etc.), so yes, OpenBSD is "vulnerable" to this type of stuff.
>>>
>>> You forgot to mention that the value of LD_PRELOAD is ignored for set*id
>>> executables, in order to prevent these kinds of games.
>>
>> thx, I wasn't sure of this, but it's good to hear that.
>>
>> http://www.openbsd.org/cgi-bin/cvsweb/src/libexec/ld.so/loader.c?rev=1.147;content-type=text%2Fplain
>>
>> from loader.c
>>
>> /*
>>  * Don't allow someone to change the search paths if he runs
>>  * a suid program without credentials high enough.
>>  */
>> _dl_trust = !_dl_issetugid();
>> if (!_dl_trust) { /* Zap paths if s[ug]id... */
>>     if (_dl_libpath) {
>>         _dl_free_path(_dl_libpath);
>>         _dl_libpath = NULL;
>>         _dl_unsetenv("LD_LIBRARY_PATH", envp);
>>     }
>>     if (_dl_preload) {
>>         _dl_preload = NULL;
>>         _dl_unsetenv("LD_PRELOAD", envp);
>>     }
>>
>> It actually should reduce the risk for set*id(), but this in the past
>> related to CVE-2006-6164 (_dl_unsetenv())?
>>
>> Daniel
>
> Daniel, you are coming off like a KOOK.
>
> So basically, we are "vulnerable", even though the shared library linker
> code has been doing this since before we switched over to using it, from
> before a.out.
>
> Apparently the "magic quotes" around "vulnerable" are designed to make
> it so that you can get away with lying. We are not vulnerable. You are
> spreading misinformation. This is beyond misinforming, you are LYING.
Theo, thank you for the clarification. I think it's worth finishing this and admitting you're right.

Daniel
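The policy the quoted loader.c excerpt implements, shown as a stand-alone example that is not part of this thread and not OpenBSD's ld.so code: when the process is running set-user-id or set-group-id, the variables that would let an unprivileged caller steer library loading (LD_PRELOAD, LD_LIBRARY_PATH) are removed from the environment before anything consults them. The function names (is_setugid_like, env_unset, scrub_loader_env, env_lookup, demo_removed, demo_remaining) and the sample environment are constructed for this illustration. Note the assumption in is_setugid_like: it compares real and effective ids, which is a portable approximation of issetugid(); the real syscall also remembers earlier privilege changes, which this check does not.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Approximation of OpenBSD's issetugid(): true when the real and effective
 * user or group ids differ (assumption: ignores past privilege changes). */
int is_setugid_like(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Remove every "name=..." entry from envp, compacting the array in place
 * (the role _dl_unsetenv() plays in ld.so). Returns the number removed. */
int env_unset(char **envp, const char *name)
{
    size_t n = strlen(name);
    int removed = 0;
    char **src = envp, **dst = envp;

    for (; *src != NULL; src++) {
        if (strncmp(*src, name, n) == 0 && (*src)[n] == '=') {
            removed++;          /* drop this entry */
            continue;
        }
        *dst++ = *src;          /* keep everything else, in order */
    }
    *dst = NULL;
    return removed;
}

/* Loader policy: an untrusted (set-id) process loses the variables that
 * influence which shared objects get mapped. Returns how many were zapped. */
int scrub_loader_env(char **envp, int trusted)
{
    static const char *const dangerous[] = { "LD_PRELOAD", "LD_LIBRARY_PATH", NULL };
    int removed = 0;

    if (trusted)
        return 0;               /* credentials are the caller's own: leave env alone */
    for (const char *const *p = dangerous; *p != NULL; p++)
        removed += env_unset(envp, *p);
    return removed;
}

/* Look up a variable's value in envp, or NULL when absent. */
const char *env_lookup(char **envp, const char *name)
{
    size_t n = strlen(name);
    for (; *envp != NULL; envp++)
        if (strncmp(*envp, name, n) == 0 && (*envp)[n] == '=')
            return *envp + n + 1;
    return NULL;
}

/* Fixed, constructed environment used by the demo and the checks below. */
static int fill_demo_env(char **env)
{
    env[0] = "PATH=/usr/bin:/bin";
    env[1] = "LD_PRELOAD=/tmp/injected.so";      /* constructed sample value */
    env[2] = "HOME=/home/user";
    env[3] = "LD_LIBRARY_PATH=/tmp";             /* constructed sample value */
    env[4] = NULL;
    return 4;
}

/* Number of entries scrub_loader_env() removes from the demo environment. */
int demo_removed(int trusted)
{
    char *env[5];
    fill_demo_env(env);
    return scrub_loader_env(env, trusted);
}

/* Number of entries left in the demo environment after scrubbing. */
int demo_remaining(int trusted)
{
    char *env[5];
    int count = 0;
    fill_demo_env(env);
    scrub_loader_env(env, trusted);
    for (char **p = env; *p != NULL; p++)
        count++;
    return count;
}

int main(void)
{
    char *env[5];
    int trusted = !is_setugid_like();

    fill_demo_env(env);
    printf("process trusted: %d\n", trusted);
    printf("removed %d loader variable(s)\n", scrub_loader_env(env, trusted));
    printf("LD_PRELOAD now: %s\n", env_lookup(env, "LD_PRELOAD") ? "present" : "absent");
    return 0;
}
```

Run as an ordinary user the process is trusted and nothing is removed; the demo_* functions take the trust flag explicitly so the set-id branch can be exercised without actually installing a set-id binary.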