Hi Giancarlo,

Maybe I'm totally wrong here:


2014-02-17 20:20 GMT+01:00 Theo de Raadt <dera...@cvs.openbsd.org>:
>>2014-02-16 23:36 GMT+01:00 Frank Brodbeck <f...@guug.de>:
>>> I am not sure what point it is you are trying to make but:
>>>
>>> $ LD_PRELOAD=./id0 sh
>>> \u@\h:\w\n$ id -un
>>> root
>>> \u@\h:\w\n$ less /etc/master.passwd
>>> /etc/master.passwd: Permission denied
>>> \u@\h:\w\n$ ls -l /etc/master.passwd
>>> -rw-------  1 root  wheel  3984 Feb  5 22:44 /etc/master.passwd
>>> \u@\h:\w\n$
>>
>>again:
>>
>>---
>>Nothing (it's safe to self-test, so have fun). id (or whoami) thinks
>>that it calls functions from libc, but it really calls functions that are
>>loaded by LD_PRELOAD. These fake functions return 0, so id (whoami)
>>thinks that you are root.
>>---
>>
>>This means that you don't have root access (or uid 0), but id (whoami)
>>thinks that you are root (uid 0). If you put something more dangerous
>>in a function such as readpassphrase(), you can e.g. capture the
>>passwords etc. This example shows that using LD_PRELOAD you can inject
>>your own code on OpenBSD.
>>
>>I hope that now it is more understandable.
>
> This is a complete joke; you are failing to explain it properly to
> people.
>
> The above is no different from copying the "id" binary to a new place,
> then hand-editing the binary to return 0 deep inside it, then running
> this new copy.  Whoohoo!  Terrible risk!  Modified code lied to me!
>
> There is no risk such as readpassphrase().  You are running the code
> you intend to, and no one has fooled anyone.


yes, it is not possible to set a trap for a user using LD_PRELOAD.
hmm... I'm definitely wrong!

but I have another example:


--- cat fake.c ---

#include <unistd.h>   /* write(), uid_t */

/* write a string literal to fd 1 without going through stdio */
#define print(s) write(1, (s), sizeof(s) - 1)

/* replacements for libc's getuid()/geteuid(), picked up via LD_PRELOAD */
uid_t getuid(void) {
    return 32767;
}

uid_t geteuid(void) {
    print("hello from fake geteuid()!\n");
    print("you're ");
    return 32767;
}

--- end cat ---

# shell (as normal user):

cc -shared fake.c -o fake
LD_PRELOAD=./fake ksh

and type: whoami

As you can see, it is not possible to inject any code into "whoami".
So we can sleep well. It doesn't work on OpenBSD ;]

Stay secure,
Daniel
