
Free software's not-so-eXZellent adventure

Posted Apr 3, 2024 13:20 UTC (Wed) by farnz (subscriber, #17727)
In reply to: Free software's not-so-eXZellent adventure by tux3
Parent article: Free software's not-so-eXZellent adventure

It's not just IFUNCs, although they were used in this attack. It's also .init_table, .ctor and other ELF mechanisms intended to run code when an object is loaded.

There are two fundamental design decisions in ELF that were chained to get here:

  1. Imports of a symbol merely specify the symbol name, and not the library it comes from; I import (for example) EVP_DigestSignInit_ex@OPENSSL_3.0.0, not EVP_DigestSignInit_ex@OPENSSL_3.0.0 from libssl.so.3, let alone EVP_DigestSignInit_ex@OPENSSL_3.0.0 from /usr/lib/libssl.so.3. As a result, if liblzma.so.5 is listed as providing symbols needed to run this binary, it has to be loaded as soon as the binary attempts to use a symbol that's dynamically linked (such as memcpy) in order to determine if the symbol is provided by this library.
  2. Loading a library implicitly runs code from that library; this exists to make it easy to implement C++ static constructors ("dynamic initialization"), since it allows you to avoid all the fun around "first use of any function or object defined in the same translation unit as the object to be initialized", and instead just do all the dynamic initialization before main, as well as for multi-ABI support (which is what IFUNCs provide).

The first is, I suspect, where a lot of developer confusion comes from (and it's worth noting that Mach-O as used on iOS and macOS has imports specify both a symbol and an expected origin, allowing Darwin's dynamic linker to delay loading a library until an import indicates that it's expecting a symbol to be found in that library).

The second is useful to attackers in general, since it means that if they can get you to load their library (e.g. by dynamically linking against it), they can run their attack code; restricting it would mean that attackers would have to not only get you to load their library, but also to use at least one symbol from their library in order to get code execution.


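An added audit helper, not part of farnz's comment or of any project's code: it parses the dynamic section of an ELF64 image to list the DT_NEEDED libraries the loader will pull in (the first design decision above) and to count the DT_INIT / DT_INIT_ARRAY hooks that run as soon as the object is loaded (the second). `build_sample_elf` is a constructed minimal image used only as test input; IFUNC resolvers are not counted. For a real file, pass `open(path, "rb").read()`.

```python
import struct

# ELF constants from the System V ABI / ELF-64 specification
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_INIT, DT_INIT_ARRAYSZ = 0, 1, 5, 12, 27
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"

def load_time_summary(data):
    """Return (DT_NEEDED names, number of load-time init hooks) for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR, data, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    phdrs = [struct.unpack_from(PHDR, data, phoff + i * phentsize) for i in range(phnum)]
    # each phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
    dyn = next((p for p in phdrs if p[0] == PT_DYNAMIC), None)
    if dyn is None:
        return [], 0          # statically linked: the loader runs nothing on its behalf
    tags, off = [], dyn[2]
    while True:
        tag, val = struct.unpack_from(DYN, data, off)
        off += struct.calcsize(DYN)
        if tag == DT_NULL:
            break
        tags.append((tag, val))
    # DT_STRTAB is a virtual address; map it to a file offset through the PT_LOAD segments
    strtab_va = next(v for t, v in tags if t == DT_STRTAB)
    seg = next(p for p in phdrs if p[0] == PT_LOAD and p[3] <= strtab_va < p[3] + p[5])
    strtab = seg[2] + (strtab_va - seg[3])
    needed = [data[strtab + v:data.index(b"\0", strtab + v)].decode() for t, v in tags if t == DT_NEEDED]
    # DT_INIT is one function; DT_INIT_ARRAY holds 8-byte pointers (constructors, C++ static init)
    inits = sum(1 if t == DT_INIT else v // 8 for t, v in tags if t in (DT_INIT, DT_INIT_ARRAYSZ))
    return needed, inits

def build_sample_elf(needed, init_entries):
    """Constructed minimal ELF64 image (test input only, not a loadable binary)."""
    strtab, offs = b"\0", []
    for n in needed:
        offs.append(len(strtab)); strtab += n.encode() + b"\0"
    dyn_off = struct.calcsize(EHDR) + 2 * struct.calcsize(PHDR)
    strtab_off = dyn_off + struct.calcsize(DYN) * (len(offs) + 3)
    dyn = b"".join(struct.pack(DYN, DT_NEEDED, o) for o in offs)
    dyn += struct.pack(DYN, DT_STRTAB, strtab_off)            # single PT_LOAD at vaddr 0, so vaddr == offset
    dyn += struct.pack(DYN, DT_INIT_ARRAYSZ, 8 * init_entries)
    dyn += struct.pack(DYN, DT_NULL, 0)
    size = strtab_off + len(strtab)
    ehdr = struct.pack(EHDR, b"\x7fELF\x02\x01\x01", 3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    load = struct.pack(PHDR, PT_LOAD, 4, 0, 0, 0, size, size, 0x1000)
    dynp = struct.pack(PHDR, PT_DYNAMIC, 4, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    return ehdr + load + dynp + dyn + strtab
```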


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds