Date: Wed Apr 13 01:37:36 2005
From: j.schipper at math.uu.nl (Joachim Schipper)
Subject: linux bugs (survival stories)?

> 'hello world' can bypass noexec 
> just remove the executable flags from the program headers
> the compiled binary doesn't even need to have executable permissions
> 
> #include <stdio.h>
> int main(int argc, char *argv[])   
> {       
>   printf("Hello world!\n");
>   return 0;
> }
> 
> 
> % sudo mount -o remount,noexec /tmp
> % wget http://pornadmin.net/~tongson/linux/helloworld.bin -O /tmp/helloworld.bin
> % /lib/ld-linux.so.2 /tmp/helloworld.bin
> Hello world!

This does not seem to work when ld-linux.so.2 is on a filesystem mounted
noexec, though [1]. Wouldn't this make it akin to calling /bin/bash
hello_world.sh?

PaX can stop you from mmap()ing a file and then executing the code
inside, IIRC, but since this breaks X11 it's uncommon to enable the
option.

		Joachim

[1] ./ld-linux.so.2 fails when called without arguments. Checked on
linux-2.6.11.7-grsec. ld-linux.so.2 was moved to a different disk before
the check was made, with and without chroot and strace. Where strace was
used, it showed that exec() failed.
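
An added example, not part of the original message: a small Linux check, relating to the mmap() point above, that reports whether a directory's mount is noexec and whether the kernel still grants a PROT_EXEC mapping of a file stored there (mmap(2) documents EPERM for that case). The names probe_noexec, noexec_probe and noexec_gap and the default /tmp path are assumptions made for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/statvfs.h>
#include <unistd.h>

#ifndef ST_NOEXEC
#define ST_NOEXEC 8 /* Linux value; glibc only exposes it under _GNU_SOURCE */
#endif

struct noexec_probe {   /* hypothetical name, added for this example */
    int mount_noexec;   /* statvfs() reports the mount as noexec */
    int mmap_exec_ok;   /* mmap(PROT_EXEC) of a file there succeeded */
    int mmap_errno;     /* errno from mmap() when it was refused */
};

/* Probe one directory. Returns 0 on success, -1 if the probe could not run. */
int probe_noexec(const char *dir, struct noexec_probe *out)
{
    struct statvfs vfs;
    char path[4096];
    memset(out, 0, sizeof *out);
    if (statvfs(dir, &vfs) != 0) return -1;
    out->mount_noexec = (vfs.f_flag & ST_NOEXEC) != 0;
    /* Scratch file on the filesystem under test, unlinked immediately. */
    snprintf(path, sizeof path, "%s/noexec-probe-XXXXXX", dir);
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);
    if (ftruncate(fd, 4096) != 0) { close(fd); return -1; }
    void *p = mmap(NULL, 4096, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
    if (p == MAP_FAILED) out->mmap_errno = errno;
    else { out->mmap_exec_ok = 1; munmap(p, 4096); }
    close(fd);
    return 0;
}

/* 1 when the mount is noexec yet an executable file mapping was still granted. */
int noexec_gap(const struct noexec_probe *r) { return r->mount_noexec && r->mmap_exec_ok; }

int main(int argc, char *argv[])
{
    struct noexec_probe r;
    const char *dir = argc > 1 ? argv[1] : "/tmp";
    if (probe_noexec(dir, &r) != 0) { perror(dir); return 2; }
    printf("%s: noexec=%d mmap_exec_ok=%d errno=%d\n", dir, r.mount_noexec, r.mmap_exec_ok, r.mmap_errno);
    return noexec_gap(&r);
}
```

The exit status is 0 when no gap is found, 1 when a noexec mount still allows an executable mapping, and 2 when the probe could not run.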
