This article was contributed by John Richard Moser
Prelink (PDF) is a
popular tool used to decrease program load time, shortening system boot
time and making applications start faster. Developed by Jakob Jelinek at
Red Hat, prelink relocates libraries on disk to save dynamic linking time.
When the dynamic linker loads a dynamically linked ELF binary, it has to
also load and link all of the libraries before executing the program's
entry point, _main(). This process involves relocating
libraries—changing all addresses referenced in the library to reflect
the actual addresses in memory. Relocating libraries involves iterating
through each address in the library and replacing it with the real address
as determined by the library's location in the process's virtual address
space. Most relocations happen in the symbol table and PLT;
but in rare cases there are also .text relocations which require
fixed-position executable code to be patched in a slightly slower process.
The relocation process will slow down an application's launch.
In order to speed up the process, prelink relocates the libraries ahead of
time. This is done by scanning every
executable to be prelinked, generating a graph of libraries that will be
loaded at the same time as other libraries, and then calculating target
addresses for each library at such that it will never be loaded at the same address
as other libraries. These offsets are then stored in the shared object
files themselves, and the symbol tables and segment addresses are all
adjusted to reflect addresses based on the chosen base address.
Once prelink has done its job, the dynamic linker no longer has to concern
itself with relocation. Libraries are loaded at the address specified in
the library header and the symbol table is already correct. If anything
forces the library to be loaded at a different address, then the library is
relocated appropriately as usual; otherwise we can say goodbye to the
load-time overhead of relocating libraries.
Kernel facilities supplying address space layout randomization for
libraries cannot be used in conjunction with prelink; to do so would
require relocating the libraries, defeating the purpose of prelinking.
Address space randomization is a core feature of secure systems such as
OpenBSD, Adamantix, Hardened Gentoo, Fedora Core, and Red Hat Enterprise
Linux. It has appeared as part of PaX as well as part of Ingo Molnar's
Exec Shield, and has been accepted into the mainline kernel as
of 2.6.12 after submission by Arjan van de Ven.
The simple purpose of address space randomization is to make it more
difficult to perform certain classes of attacks by changing where
in memory important segments for the attack are loaded. If an attacker
wants to execute injected shell code or manipulate the program to execute
out of order, he obviously has to know where that code is. By shuffling
memory segments around, these attacks become quite difficult; the chances of
successful attack are mathematically described in the PaX documentation
and Wikipedia.
In an attempt to restore some of the benefits of address space
randomization, prelink is capable of randomly selecting
the addresses used for prelinking. This makes it more difficult to perform
certain attacks on a system, because the addresses used are unique to that
system. This approach is, however, less effective than per-process
randomization because the addresses stay constant until prelink is run
again.
There is another implication that has to be examined with prelink. To
understand this implication, let us first review a feature of prelink by
examining the load address of the C standard library in two processes: a
user-owned 'cat' and a root-owned 'bash'. The C standard library is
interesting because, in practice, virtually all return-to-libc
attacks utilize it exclusively.
Closely examining these quickly verifies that the address of glibc's
executable code is the same between these two processes; this is consistent
with the behavior of prelink. Because the library itself is relocated
ahead of time, there is a preference for the dynamic linker to load it at
that address. Examination of libc itself yields the below.
user@icebox:~$ readelf -S /lib/tls/i686/cmov/libc-2.3.6.so | head -n 6
There are 64 section headers, starting at offset 0x12d114:
Section Headers:
[Nr] Name Type Addr Off Size ES Flg Lk Inf Al
[ 0] NULL 00000000 000000 000000 00 0 0 0
[ 1] .note.ABI-tag NOTE 4df2e154 000154 000020 00 A 0 0 4
Computing 4df2e154 - 154, the address and offset taken from any given
non-NULL segment, yields 4df2e000, the base address of libc. This makes
sense; prelink rewrites the segment and symbol addresses for the library
based on a specific load address, and the dynamic linker loads the library
at that address to avoid relocating it. Further, any program that links
with libc has to be able to read libc, and will thus be able to derive the
same information.
All of this means that any program on the system using any prelinked
library will be able to leak information about higher privileged tasks
using the same library. This allows any attacker able to gain any form of
local access—or more directly any ability to read libc—to gain
information about the address space layout of higher privileged processes,
including the load address of libc. As we know, this information is
extremely valuable to an attacker wanting to exploit a privileged process
without brute forcing library load addresses.
This vulnerability only applies to attackers with local access; but this is
not an unreasonable requirement. Many web hosting companies give local
shell access or allow PHP; either of these can be used to remotely fetch a
copy of libc. Due to the nature of the dynamic linker and sane security
design, the dynamic linker is exactly as privileged as the process it is
starting; therefor, even the most stringent mandatory access policies on
systems such as SELinux, grsecurity, or AppArmor cannot prevent this
attack.
Besides avoiding prelinking, there is one other way to prevent this information
leak from being exploited. All processes linked to a prelinked library
need access to the library file and load that library at the same address;
the point of exposure is the use of the same copy of the library. In order
to prevent information leaking, then, you must have separate copy of each
library common between any two programs you don't want to leak information
about each other. This can be done with Xen, chroot jails, UML, or simply
isolated machines, as long as the directory hierarchies are individually
prelinked with prelink randomization. Each system will have a different
set of addresses from every other system in this scheme. This of course
requires more hardware, more disk space, more management, more memory, and
more work.
The direct implications of this information leak depend on your exact
security concerns. A web hosting company, for example, may not want to run
prelink on its servers, given the risk of effectively losing
the benefit of address space randomization. A home desktop, on the other
hand, may only have to worry about a trojan using the information leak to
stage an attack on a system service such as cups or dbus—and should
probably worry about /proc/PID/maps first. While these are both
essentially the concern of an attacker with local access, the likelihood of
attack and the value of potential damages are different.
The prelink tool gives a useful decrease in program load time, and can help
users reach their desktop and the programs they need to run more quickly.
It does however have some unfortunate repercussions that must be examined,
especially in security-sensitive environments relying on address space
randomization.
Various unspecified security problems have been fixed in Acrobat Reader
version 7.0.8. Adobe does not provide detailed information about the
nature of the security problems. Therefore, it is necessary to assume that
remote code execution is possible.
The netfilter SCTP connection tracking code can crash when faced with a "packet without chunks." This vulnerability was fixed in the 2.6.17.3 kernel release.
The iax_net_read function in the iaxclient library fails to properly
handle IAX2 packets with truncated full frames or mini-frames. These
frames are detected in a length check but processed anyway, leading to
buffer overflows.
Several vulnerabilities have been discovered in OpenOffice.org, a free
office suite.
It turned out to be possible to embed arbitrary BASIC macros in
documents in a way that OpenOffice.org does not see them but executes them
anyway without any user interaction. (CVE-2006-2198)
It is possible to evade the Java sandbox with specially crafted Java
applets. (CVE-2006-2199)
Loading malformed XML documents can cause buffer overflows and cause a
denial of service or execute arbitrary code. (CVE-2006-3117)
Opera before version 9.0 has an integer overflow vulnerability due to the
improper handling of JPEG files. Also Opera did not reset the SSL security
bar after displaying a download dialog from an SSL-enabled website, which
could allow remote attackers to spoof a trusted SSL certificate from an
untrusted website and facilitate phishing attacks.
The Tikiwiki content management system has an SQL injection
vulnerability due to insufficient input sanitization.
An attacker may be able to execute arbitrary SQL statements
or inject arbitrary scripts into the user's browser.
The Asterisk PBX application has a buffer overflow vulnerability in the
IAX2 channel driver that can be used for the remote execution of
arbitrary code.
The GNU Binutils has a buffer overflow vulnerability in libbfd.
Maliciously crafted Tektronix Hex Format files with improper length
characters can cause a crash and possibly lead to the execution of
arbitrary code.
The BusyBox 1.1.1 passwd command does not use a proper salt when generating
passwords. This would create an instance where a brute force attack could
take very little time.
A race condition in bzip2 1.0.2 and earlier allows local users to modify
permissions of arbitrary files via a hard link attack on a file while it is
being decompressed, whose permissions are changed by bzip2 after the
decompression is complete. Also specially crafted bzip2 archives may cause
an infinite loop in the decompressor.
From the Debian-Testing alert: Mehdi Oudad "deepfear" and Kevin Fernandez "Siegfried" from the Zone-H
Research Team discovered a buffer overflow in kkstrtext.h of the ktools
library, which is included in (at least) centericq and motor.
A denial of service vulnerability has been found in the function for
encoding email addresses. Addresses containing a '=' before the '@'
character caused the Courier to hang in an endless loop, rendering the
service unusable.
Richard Harms discovered that cpio did not sufficiently validate file
properties when creating archives. Files with e. g. a very large size
caused a buffer overflow. By tricking a user or an automatic backup
system into putting a specially crafted file into a cpio archive, a
local attacker could probably exploit this to execute arbitrary code
with the privileges of the target user (which is likely root in an
automatic backup system).
The Vixie cron daemon does not check the return code from setuid(); if that call can be made to fail, a local attacker may be able to execute commands as root.
A buffer overflow in Cscope 15.5, and possibly multiple overflows, allows
remote attackers to execute arbitrary code via a C file with a long
#include line that is later browsed by the target.
Cyrus-SASL contains an unspecified vulnerability in the DIGEST-MD5
process that could lead to a Denial of Service. An attacker could possibly
exploit this vulnerability by sending specially crafted data stream to the
Cyrus-SASL server, resulting in a Denial of Service even if the attacker is
not able to authenticate.
A bug in EnergyMech fails to handle empty CTCP NOTICEs correctly, and
will cause a crash from a segmentation fault. By sending an empty CTCP
NOTICE, a remote attacker could exploit this vulnerability to cause a
denial of service.
The FreeType library has several integer overflow vulnerabilities.
If a user can be tricked into installing a specially
crafted font file, arbitrary code can be executed with the privilege
of the user.
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered an integer
overflow in the BFD library, resulting in a heap overflow. A review also
showed that by default, gdb insecurely sources initialization files from
the working directory. Successful exploitation would result in the
execution of arbitrary code on loading a specially crafted object file or
the execution of arbitrary commands.
A format string vulnerability has been discovered in gedit. Calling
the program with specially crafted file names caused a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the gedit user.
A vulnerability was discovered in GnuPG 1.4.3 and 1.9.20 (and earlier) that
could allow a remote attacker to cause gpg to crash and possibly overwrite
memory via a message packet with a large length.
zgrep in gzip before 1.3.5 does not handle shell metacharacters like '|'
and '&' properly when they occurred in input file names. This could be
exploited to execute arbitrary commands with user privileges if zgrep is
run in an untrusted directory with specially crafted file names.
Andreas Seltenreich has reported a possible heap overflow in the
array_push() function in hashcash.c, as a result of an incorrect amount
of allocated memory for the "ARRAY" structure.
The Horde3 web application framework does not perform sufficient
input sanitizing, allowing the possible injection of web
script code through a cross-site scripting attack.
The ImageMagick DisplayImageCommand has a heap overflow vulnerability.
If an maliciously created unexpanded glob is passed to ImageMagick,
a heap overflow can result.
The kdebase package (and kcheckpass in particular) found in KDE versions 3.2.0 through 3.4.2 suffers from a lock file handling error which can enable a local attacker to obtain root access. See this advisory for details.
The KDE Display Manager(KDM) is vulnerable to a local symlink attack.
A local user can use this to read arbitrary files that they do not
have permission to access. See this KDE
advisory for more information.
Kate / Kwrite, as shipped with KDE 3.2.x up to including 3.4.0, creates a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. See this advisory for more information.
Multiple vulnerabilities in the Linux have been found.
An error in the Stream Control Transmission Protocol (SCTP) code that
uses incorrect state table entries when certain ECNE chunks are received in
CLOSED state, could be exploited by attackers to cause a kernel panic via a
specially crafted packet.
An error exist when handling incoming IP-fragmented SCTP control
chunks, which could be exploited by attackers to cause a kernel panic via a
specially crafted packet.
Linux SCTP (lksctp) allows remote attackers to cause a denial of
service (infinite recursion and crash) via a packet that contains two or
more DATA fragments, which causes an skb pointer to refer back to itself
when the full message is reassembled, leading to infinite recursion in the
sctp_skb_pull function
Linux SCTP (lksctp) allows remote attackers to cause a denial of
service (deadlock) via a large number of small messages to a receiver
application that cannot process the messages quickly enough, which leads to
"spillover of the receive buffer."
A vulnerability has been identified due to an input validation error
when processing arguments containing backslash ("\\") characters passed to
certain commands (e.g. "cd"), which could be exploited by authenticated
attackers to escape chroot restrictions for a CIFS or SMBFS mounted
filesystem.
The 2.6.12 kernel has a remote memory corruption vulnerability
that can be remotely triggered by loading the ip_nat_snmp_basic
module and traffic is network-translated on port 161 or 162.
There is a race condition error in the "posix-cpu-timers.c" script that
does not prevent another CPU from attaching the timer to an exiting
process. This could be exploited by attackers to cause a denial of
service.
A flaw due to errors in "powerpc/kernel/signal_32.c" and
"powerpc/kernel/signal_32.c" could allow userspace to provoke a machine
check on 32-bit kernels.
An infinite loop in "netfilter/xt_sctp.c" could be exploited by attackers
to exhaust all available memory resources, creating a denial of service
condition.
Szymon Zygmunt and Michal Bartoszkiewicz discovered a memory alignment
error in libgadu (from ekg, console Gadu Gadu client, an instant
messaging program) which is included in gaim, a multi-protocol instant
messaging client, as well. This can not be exploited on the x86
architecture but on others, e.g. on Sparc and lead to a bus error,
in other words a denial of service.
Several buffer overflows were found in libmms. By tricking a user into
opening a specially crafted remote multimedia stream with an application
using libmms, a remote attacker could overwrite an arbitrary memory portion
with zeros, thereby crashing the program.
libpam-ldap, the PAM LDAP interface, has a vulnerability in which
it fails to authenticate with an LDAP server which is not configured
properly, allowing an authentication bypass.
A heap based buffer overflow bug was found in the way libpng strips alpha
channels from a PNG image. An attacker could create a carefully crafted PNG
image file in such a way that it could cause an application linked with
libpng to crash or execute arbitrary code when the file is opened by a
victim.
The t2p_write_pdf_string function in libtiff 3.8.2 and earlier is vulnerable
to a buffer overflow. Attackers can use a TIFF file with UTF-8 characters
in the DocumentName tag to overflow a buffer, causing a denial of service,
and possibly the execution of arbitrary code.
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities, if a local user passes a specially crafted
FTP URL, arbitrary code may be executed.
An arbitrary command execute bug was found in the lynx "lynxcgi:" URI
handler. An attacker could create a web page redirecting to a malicious URL
which could execute arbitrary code as the user running lynx.
TAKAHASHI Tamotsu discovered that mutt's IMAP backend did not sufficiently
check the validity of namespace strings. If an user connects to a malicious
IMAP server, that server could exploit this to crash mutt or even execute
arbitrary code with the privileges of the mutt user. See this Secunia advisory for more
information.
Mysqld in MySQL 4.1.x before 4.1.18, 5.0.x before 5.0.19, and 5.1.x before
5.1.6 allows remote authorized users to cause a denial of service (crash)
via a NULL second argument to the str_to_date function.
MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms
via SQL queries that contain the NULL character, which are not properly
handled by the mysql_real_query function. NOTE: this issue was originally
reported for the mysql_query function, but the vendor states that since
mysql_query expects a null character, this is not an issue for mysql_query.
Kurt Fitzner discovered that the NBD (network block device) server did not
correctly verify the maximum size of request packets. By sending specially
crafted large request packets, a remote attacker who is allowed to access
the server could exploit this to execute arbitrary code with root
privileges.
When starting xntpd with the -u option and specifying the
group by using a string not a numeric gid the daemon uses
the gid of the user not the group. This problem is now fixed
by this update.
The libUil component of the OpenMotif toolkit has a pair of buffer
overflow vulnerabilities that can possibly be used for the execution
of arbitrary code.
Ilja van Sprundel discovered that passwd, when called with the -f, -g,
or -s option, did not check the result of the setuid() call. On
systems that configure PAM limits for the maximum number of user
processes, a local attacker could exploit this to execute chfn,
gpasswd, or chsh with root privileges.
There are two vulnerabilities with perl when it is used in a setuid mode. The PERLIO_DEBUG environment variable can be used to overwrite arbitrary files; there is also an associated buffer overflow which can be exploited to gain root access.
The php wordwrap() function is vulnerable to an integer overflow.
Attackers can submit long arguments to cause a heap-based buffer
overflow, allowing arbitrary code execution.
PHP 5.x and PHP 4.4.2 have a problem with the substr_compare() function.
An attacker can use an out-of-bounds offset argument to cause a
memory access violation, causing a denial of service.
A bug in zend_hash_del() allowed attackers to prevent unsetting of some variables
It was discovered that phpbb2, a web based bulletin board, insufficiently
sanitizes values passed to the "Font Color 3" setting, which might lead to
the execution of injected code by admin users.
The phpbb2 web forum has a number of vulnerabilities including:
a web script injection problem, a protection mechanism bypass, a
security check bypass, a remote global variable bypass, cross site
scripting vulnerabilities, an SQL injection vulnerability,
a remote regular expression modification problem, missing input
sanitizing, and a missing request validation problem.
Stefan Esser reported multiple vulnerabilities
found in phpMyAdmin. The $GLOBALS variable allows modifying the global
variable import_blacklist to open phpMyAdmin to local and remote file
inclusion, depending on your PHP version (CVE-2005-4079, PMASA-2005-9).
Furthermore, it is also possible to conduct an XSS attack via the
$HTTP_HOST variable and a local and remote file inclusion because the
contents of the variable are under total control of the attacker
(CVE-2005-3665, PMASA-2005-8).
Pinball, a pinball game simulator, has a privilege escalation
vulnerability in which the application can be tricked into loading
level plugins from user-controlled directories without dropping
its privileges.
The PostgreSQL team has put out a set of "urgent updates" (in the form of the 7.3.15, 7.4.13, 8.0.8, and 8.1.4 releases) closing a
newly-discovered set of SQL injection issues. Details about the problem
can be found on the
technical information page; in short: multi-byte encodings can be used
to defeat normal string sanitizing techniques. The update fixes one problem
related to invalid multi-byte characters, but punts on another by simply
disallowing the old, unsafe technique of escaping single quotes with a
backslash.
Marcus Meissner discovered that the winbind plugin of pppd does not
check the result of the setuid() call. On systems that configure PAM
limits for the maximum number of user processes and enable the winbind
plugin, a local attacker could exploit this to execute the winbind
NTLM authentication helper as root. Depending on the local winbind
configuration, this could potentially lead to privilege escalation.
Py2Play uses Python pickles to send objects over a peer-to-peer game network, that clients accept without restriction the objects and code sent by peers. A remote attacker participating in a Py2Play-powered game can send
malicious Python pickles, resulting in the execution of arbitrary
Python code on the targeted game client.
Paul Jakma discovered that Quagga's ripd daemon did not properly
handle authentication of RIPv1 requests. If the RIPv1 protocol had
been disabled, or authentication for RIPv2 had been enabled, ripd
still replied to RIPv1 requests, which could lead to information
disclosure. (CVE-2006-2223)
Paul Jakma also noticed that ripd accepted unauthenticated RIPv1
response packets if RIPv2 was configured to require authentication and
both protocols were allowed. A remote attacker could exploit this to
inject arbitrary routes. (CVE-2006-2224)
Fredrik Widell discovered that Quagga did not properly handle certain
invalid 'sh ip bgp' commands. By sending special commands to Quagga, a
remote attacker with telnet access to the Quagga server could exploit
this to trigger an endless loop in the daemon (Denial of Service).
(CVE-2006-2276)
Luigi Auriemma discovered multiple flaws in the Scorched 3D game
server, including a format string vulnerability and several buffer
overflows. A remote attacker could exploit these vulnerabilities to crash
a game server or execute arbitrary code with the rights of the game server
user.
Sendmail has a vulnerability in the way it handles multi-part MIME messages.
A remote attacker can create a specially crafted email message that can
be used to crash the sendmail process, causing a denial of service.
The useradd tool from the shadow-utils package has a potential security
problem. When a new user's mailbox is created, the permissions are
set to random garbage from the stack, potentially allowing the
file to be read or written during the time before fchmod() is called.
A buffer overflow in UnZip 5.50 and earlier allows local users to execute
arbitrary code via a long filename command line argument. NOTE: since the
overflow occurs in a non-setuid program, there are not many scenarios under
which it poses a vulnerability, unless unzip is passed long arguments when
it is invoked from other programs.
xtensive testing of libwww's handling of multipart/byteranges content from
HTTP/1.1 servers revealed multiple logical flaws and bugs in
Library/src/HTBound.c
Federico L. Bossi Bonin discovered a buffer overflow in the HTTP input
module. By tricking an user into opening a malicious remote media
location, a remote attacker could exploit this to crash Xine library
frontends (like totem-xine, gxine, or xine-ui) and possibly even
execute arbitrary code with the user's privileges.
xine-lib does an improper input data boundary check on
MPEG streams. A specially crafted MPEG file can be
created that can cause arbitrary code execution when the
file is accessed.
Several format string vulnerabilities have been discovered in xine-ui,
the user interface of the xine video player, which may cause a denial
of service.
There is a buffer overflow in the Xrender extension of the X.Org server; any process which is able to connect to the server may be able to exploit this overflow to run arbitrary code. Since the X server runs as root on most systems, this vulnerability could be exploited to gain root access. See the X.Org advisory for more information.
A flaw was discovered in Xpdf in that could allow an attacker to construct
a carefully crafted PDF file that would cause Xpdf to consume all available
disk space in /tmp when opened.
xpdf has a number of integer overflows.
A remote attacker can trick a user into opening a maliciously
crafted pdf file, allowing the attacker to execute code with the
privileges of the local user.
This also affects the Poppler library, cupsys and tetex-bin.
