Re: [PLUG] ELF Init section

Tim Peeler on Sat, 2 Jun 2001 00:30:04 -0400

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] ELF Init section

From: Tim Peeler <tim@iss.dccc.edu>

To: plug@lists.phillylinux.org

Subject: Re: [PLUG] ELF Init section

Date: Sat, 2 Jun 2001 00:14:19 -0400

Reply-to: plug@lists.phillylinux.org

Sender: plug-admin@lists.phillylinux.org

User-agent: Mutt/1.3.18i

On Fri, Jun 01, 2001 at 03:01:16PM -0400, Greg Lopp wrote: > On Fri, Jun 01, 2001 at 02:11:37PM -0400, Tim Peeler wrote: > > If one were to use the init section of an elf header to execute > > arbritrary code (for example someone created a worm/virus that > > planted arbitrary code into the init section), would the init > > section be executed with the permissions of the user executing the > > code or would it be executed with the permissions of the loader? > > By no means an authoritative answer : > > Logic would dictate that the init section is executed with euid > permissions. If it were the other, there would really be no > security as gaining the loader's permission level would be > trivial. You wouldn't need a worm/virus to plant arbitrary code > in the init section of an elf executable, you could do it > yourself to your own hello_world.c program. > > But who would this loader be anyway? Wouldn't the loader just be > your shell process makeing an exec() system call? As part of executing the binary, it has to pass through the loader (ld.so) and it gets mangled and manipulated in ways that boggle my mind. The main thing the loader does is (as I understand it) is to load the program into memory, combine it with sections of libs as required so that the libs that it's dynamically linked with can do their jobs properly. As I understand it, the executable doesn't call upon the libs to do their work, the loader does. It's this loader that binds everything together and makes it work. From the ELF Portable Formats Specification, Version 1.1 Tool Interface Standards, Section 2. Program Loading and Dynamic Linking: Executable and shared object files statically represent programs. To execute such programs, the system uses the files to create dynamic program representations, or process images. A process image has segments that hold its text, data, stack and so on. The major sections in this part discuss the following. * Program header <snip>...</snip * Program loading. Given an object file, the system must load it into memory for the program to run * Dynamic linking. After the system loads the program, it must complete the process image by resolving symbolic references among the object files that compose the process. The important part I'm looking at is the dynamic linking. Earlier in the text of this document it mentioned the binary loader (ld.so). The text mentioned (it's getting hazy, although I have the document here I'm not going to go back through to try to find it) that the loader is the actual program that binds (my words) the binary and the libaries into the "process image" (the author's words). Really the thing I'm concerned with, is that if the init section of a binary is executed first, would that section be executed as the uid/euid of the user who invoked the program or would that section be executed as the uid/euid assigned to the loader (which is root). The problem that I see here, and the concern I have is that if the init section of a binary is executed as euid of the loader, the any elf system will be open to an init virus that can infect and spread itself through the use of the init section of the binaries header. This is all assuming a malicious coder decided to use the init section were it vulnerable to this type of exploit in the first place. Something else that just keeps gnawing at my brain, is what binary format do the various bsds use? Surely they would use elf right? In which case they would be as vulnerable to the same type of thing as linux (still assuming that the init section is executed as root not user). Furthur contemplation on the subject makes me less worried that the init section is executed as root as the authors of the ELF format and the creators of the loader should have surely seen this as an easy attack and have taken appropriate precautions. Perhaps this would be best to ask of the loaders maintaners. Tim ______________________________________________________________________ Philadelphia Linux Users Group - http://www.phillylinux.org Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce General Discussion - http://lists.phillylinux.org/mail/listinfo/plug

Follow-Ups:

Re: [PLUG] ELF Init section
From: Bill Jonas <bill@billjonas.com>

References:

Re: [PLUG] ELF Init section
From: Greg Lopp <lopp@fuse.net>

Prev by Date: Re: [PLUG] User Accounts

Next by Date: Re: [PLUG] big complications with this months meeting

Previous by thread: Re: [PLUG] ELF Init section

Next by thread: Re: [PLUG] ELF Init section

Index(es):

Date

Thread