The dynamic loader (ld.so)
The essence of the problem: at start-up, ld.so begins by extracting the value of the LD_LIBRARY_PATH variable from the environment and, using the _dl_split_path() function, converts it into an array of strings, the directory paths. If it later turns out that the current process was started from a SUID/SGID application, the constructed list, and with it the LD_LIBRARY_PATH variable itself, is cleared. However, if _dl_split_path() runs out of memory (difficult because of the explicit 256 kB limit on the size of environment variables, but theoretically possible), the _dl_libpath variable receives the value NULL, and the subsequent check of that variable's value causes the call to _dl_unsetenv("LD_LIBRARY_PATH") to be skipped.
The vulnerability was discovered by specialists
Addendum: the issue has been assigned the number
amd64 and i386 (the exploit can be adapted to other architectures).
The problem is exploitable in the default installation and allows an unprivileged local user to execute code as root by substituting a library when running the chpass or passwd suid utilities. The low-memory condition needed for exploitation is created by setting the RLIMIT_DATA limit via setrlimit.
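To make the failure mode concrete, here is an added, constructed C model of the start-up logic described above (it is not the real ld.so or rtld code): a fail-open variant that reproduces the skipped unsetenv when allocation fails, next to a fail-closed variant that drops the variable for a set-id process before parsing it. The names split_path, xmalloc, simulate_oom, fail_open_keeps_env and fail_closed_keeps_env are assumptions introduced for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the ld.so start-up logic described above; it is not
 * the real rtld code. split_path() stands in for _dl_split_path() and
 * returns NULL when an allocation fails. env is the LD_LIBRARY_PATH value. */

static int simulate_oom = 0;                  /* 1 => every allocation fails */
static void *xmalloc(size_t n) { return simulate_oom ? NULL : malloc(n); }

/* Split "a:b:c" into a NULL-terminated array of paths; NULL on failure. */
static char **split_path(const char *path) {
    size_t n = 1, i = 0;
    for (const char *p = path; *p; p++) if (*p == ':') n++;
    char **v = xmalloc((n + 1) * sizeof *v);
    char *copy = xmalloc(strlen(path) + 1);
    if (v == NULL || copy == NULL) { free(v); free(copy); return NULL; }
    strcpy(copy, path);
    v[i++] = copy;                            /* v[0] always owns the buffer */
    for (char *p = copy; *p; p++) if (*p == ':') { *p = '\0'; v[i++] = p + 1; }
    v[i] = NULL;
    return v;
}
static void free_path(char **v) { if (v) { free(v[0]); free(v); } }

/* Fail-open pattern (the flaw): the set-id cleanup only runs when the split
 * succeeded, so an allocation failure leaves LD_LIBRARY_PATH in place.
 * Returns 1 if the variable survives start-up. */
static int fail_open_keeps_env(const char *env, int is_suid) {
    char **libpath = split_path(env);
    int cleared = 0;
    if (is_suid && libpath != NULL) {         /* NULL from OOM skips this */
        free_path(libpath); libpath = NULL;
        cleared = 1;                          /* models _dl_unsetenv() */
    }
    free_path(libpath);
    return !cleared;
}

/* Fail-closed pattern: a set-id process drops the variable before it is ever
 * parsed, so no allocation on that path can change the outcome. */
static int fail_closed_keeps_env(const char *env, int is_suid) {
    if (is_suid) return 0;                    /* untrusted value never used */
    char **libpath = split_path(env);         /* NULL here is harmless */
    free_path(libpath);
    return 1;
}
```

The general lesson is the one a reviewer should apply to any security check: when the sanitisation step depends on a resource that can fail, the failure must default to the restrictive outcome.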
Source: opennet.ru