Dynamic loader
The essence of the problem: at run time, ld.so first extracts the value of the LD_LIBRARY_PATH variable from the environment and, using the _dl_split_path() function, converts it into an array of strings, the paths to directories. If it later turns out that the current process was started by a SUID/SGID application, the resulting array and the LD_LIBRARY_PATH variable itself are cleared. However, if _dl_split_path() runs out of memory (which is difficult because of the explicit 256 kB limit on the size of environment variables, but theoretically possible), the _dl_libpath variable receives the value NULL, and the subsequent check of that variable's value causes the call to _dl_unsetenv("LD_LIBRARY_PATH") to be skipped.
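The control flow described above, reduced to a small C model (an added example, not OpenBSD's ld.so source and not part of the original article). The struct, split_path, startup_flawed, startup_hardened, env_survives and the alloc_fails flag are hypothetical names, and the hardened ordering is one possible fix, not the project's actual patch.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the loader state; not OpenBSD source code. */
struct loader {
    const char *env_libpath;  /* LD_LIBRARY_PATH as present in the environment */
    const char **libpath;     /* parsed search list (_dl_libpath in the text) */
    bool alloc_fails;         /* simulates the allocator running out of memory */
    bool issetugid;           /* process was started from a SUID/SGID binary */
};

/* Stand-in for _dl_split_path(): NULL means "unset" OR "out of memory". */
static const char **split_path(struct loader *l) {
    static const char *slots[2];
    if (l->env_libpath == NULL || l->alloc_fails)
        return NULL;
    slots[0] = l->env_libpath;
    slots[1] = NULL;
    return slots;
}

/* Flawed ordering: the cleanup is gated on the result of the parse. */
static void startup_flawed(struct loader *l) {
    l->libpath = split_path(l);
    if (l->issetugid && l->libpath != NULL) {  /* NULL skips the cleanup */
        l->libpath = NULL;
        l->env_libpath = NULL;  /* models _dl_unsetenv("LD_LIBRARY_PATH") */
    }
}

/* Hardened ordering (assumption): privilege check first, cleanup unconditional. */
static void startup_hardened(struct loader *l) {
    if (l->issetugid) {
        l->env_libpath = NULL;
        l->libpath = NULL;
        return;
    }
    l->libpath = split_path(l);
}

/* True when the untrusted variable survives startup of a setugid process. */
static bool env_survives(void (*startup)(struct loader *), bool alloc_fails) {
    struct loader l = { .env_libpath = "/tmp/constructed", .alloc_fails = alloc_fails, .issetugid = true };
    startup(&l);
    return l.env_libpath != NULL;
}

int main(void) {
    return (env_survives(startup_flawed, true) && !env_survives(startup_hardened, true)) ? 0 : 1;
}
```

The model shows the root cause: a NULL return is used both as "nothing to clean up" and as "allocation failed", so a security-relevant cleanup depends on an operation that can fail.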
The vulnerability was found by specialists
Addendum: The issue has been assigned the number
amd64 and i386 (the exploit can be adapted to other architectures).
The issue is exploitable in the default installation and allows an unprivileged local user to execute code as root through library substitution when running the chpass or passwd suid utilities. To create the low-memory conditions needed for exploitation, the RLIMIT_DATA limit is set via setrlimit.
Source: opennet.ru