Message-ID: <OFB636B15F.F5160C9A-ON87256D19.006355C7@us.ibm.com>
Date: Thu, 1 May 2003 13:06:29 -0500
From: Shiva Persaud <shivapd@...ibm.com>
To: Damien Miller <djm@...drot.org>
Cc: BUGTRAQ@...urityfocus.com, openssh-unix-announce@...drot.org,
	openssh-unix-dev@...drot.org
Subject: Re: Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv)







Taken from IBM's AIX vendor response (http://lists.insecure.org/lists/bugtraq/2000/Mar/0184.html) to this issue when discussed in 2000:


<BEGIN>
The AIX version 4 linker has always documented the -blibpath option as a
mechanism for removing build environment dependencies from a runtime
environment. Applications that gain privilege should always use this
option to remove library search paths that may not/should not exist on
customer machines.


The use of relative library paths is also highly discouraged. While
they can be useful, the -blibpath option should also be used to not only
avoid these types of security issues, but to remove the possibility of
finding (or not finding at all) the wrong relative directory, since
relative paths at runtime will be based upon the current working
directory.


These and any other AIX security vulnerabilities can be reported to
security-alert@...tin.ibm.com.
</BEGIN>


Shiva Persaud
AIX Security Developer




From:     Damien Miller <djm@...drot.org>
Date:     04/29/2003 10:39 PM
To:       BUGTRAQ@...urityfocus.com, <openssh-unix-dev@...drot.org>,
          <openssh-unix-announce@...drot.org>
cc:
Subject:  Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv)





2. Description:

             The default behavior of the runtime linker on AIX is to search
             the current directory for dynamic libraries before searching
             system paths. This is done regardless of the executable's
             set[ug]id status.

             This behavior is insecure and extremely dangerous. It allows an
             attacker to locally escalate their privilege level through the
             use of replacement libraries.

             Portable OpenSSH includes configure logic to override this
             broken behavior, but only for the native compiler. gcc uses a
             different command-line option (without changing the dangerous
             default behavior).
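
The checks that the vendor response above implies for an embedded library search path (no relative entries, no directories that should not exist on the target machine), written as an added shell example that is not part of the original thread or of Portable OpenSSH. The function name `audit_libpath`, the treatment of an empty entry as the current directory, and the writable-directory check are assumptions of this example; how the path string is read out of a binary is left to the caller.

```shell
#!/bin/sh
# Added example: audit a colon-separated library search path, such as the one
# recorded in an AIX executable with -blibpath. Prints one finding per unsafe
# entry; returns 0 if the path is clean, 1 otherwise.
audit_libpath() {
    rest="$1:"      # trailing ':' so the loop also sees a final empty entry
    pos=0
    bad=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        pos=$((pos + 1))
        case "$entry" in
        "")
            # Assumption: like PATH, an empty entry means the current directory.
            echo "entry $pos: empty (current working directory)"; bad=1 ;;
        /*)
            if [ ! -d "$entry" ]; then
                # A path left over from the build machine may not exist here.
                echo "entry $pos: $entry does not exist on this system"; bad=1
            else
                # -L follows symlinks so the target directory's mode is checked.
                perms=$(ls -ldL "$entry")
                case "$perms" in
                ?????w*|????????w*)
                    echo "entry $pos: $entry is group- or world-writable"; bad=1 ;;
                esac
            fi ;;
        *)
            # Relative entries are resolved against the current working directory.
            echo "entry $pos: relative path '$entry'"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed sample values, not taken from any real binary.
if [ "${1:-}" = "--demo" ]; then
    for p in "/usr/lib:/lib" ".:/usr/lib" "../lib:/usr/lib" "/usr/lib::/lib"; do
        echo "== $p"
        audit_libpath "$p" || echo "   -> unsafe"
    done
fi
```

Run the script with `--demo` to see the findings for the constructed sample paths.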
