Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 24332 - privilege escalation using LD_PRELOAD with setuid binaries
Summary: privilege escalation using LD_PRELOAD with setuid binaries
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High critical (vote)
Assignee: Gentoo Security
Depends on:
Reported: 2003-07-12 05:46 UTC by Sascha Silbe
Modified: 2011-10-30 22:38 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Sascha Silbe 2003-07-12 05:46:33 UTC
The dynamic loader used by Gentoo allows setuid binaries to preload libraries in standard system paths using LD_PRELOAD. Together with "insecure" libraries this allows a local user to gain root privileges.

I discovered this problem during software compilation using fakeroot. Suddenly files on the real filesystem where owned by root.root.
Soon I found out that this exploit was already known at Debian in 1998, but obviously has never been fixed upstream. See this thread:

The test described in shows that Gentoo is still vulnerable (which explains my "problems" using fakeroot):

=== Begin screenshot ===
sascha@cube:~$ LD_PRELOAD=funny /bin/su
/bin/su: error while loading shared libraries: funny: cannot open shared object file: No such file or directory
=== End screenshot ===

The patch can be found at "".

Please fix this ASAP in Gentoo and inform the upstream maintainers. Thanks!

Reproducible: Always
Steps to Reproduce:
1. LD_PRELOAD=funny /bin/su

Actual Results:  
/bin/su: error while loading shared libraries: funny: cannot open shared object file: No such file or directory

Expected Results:  

Portage 2.0.48-r1 (default-x86-1.4, gcc-3.2.2, glibc-2.3.1-r4)
System uname: 2.4.21-cube-2 i686 AMD Athlon(tm) processor
CONFIG_PROTECT="/etc /var/qmail/control /usr/kde/2/share/config /usr/kde/3/share/config /usr/vice/etc /usr/X11R6/lib/X11/xkb /usr/kde/3.1/share/config /usr/share/config"
CONFIG_PROTECT_MASK="/etc/afs/modload /etc/afs/C /etc/afs/afsws /etc/gconf /etc/env.d"
USE="x86 libg++ mad gtkhtml gdbm berkdb libwww gtk cdr -3dfx 3dnow -aalib acl afs -alsa apm -arts avi -bonobo crypt -cups dga -directfb doc -dvd encode -esd -evo -fbcon -ggi gif -gnome -gnome-libs -gphoto2 -gpm guile hbci -icc -icc-pgo imap imlib ipv6 -java jpeg kde kerberos lcms ldap -matrox maildir mbox mikmod mmx monitor -motif mozilla mpeg -mule mysql nas ncurses nls -odbc oggvorbis opengl oss pam -pcmcia -pda pdflib -perl png -pnp postgres python qt qtmt quicktime readline -ruby samba sasl sdl slang -slp -snmp socks5 spell ssl -static -svga -tcltk -tcpd tetex tiff truetype -voodoo3 X xml xml2 -xmms xv -zeo zlib"
CFLAGS="-march=athlon-tbird -O3 -pipe"
CXXFLAGS="-O2 -mcpu=i686 -pipe"
FEATURES="sandbox ccache"
Comment 1 SpanKY gentoo-dev 2003-07-12 15:30:36 UTC
yep, this is how ppl used to exploit sshd and telnetd in older versions 
Comment 2 solar (RETIRED) gentoo-dev 2003-08-15 11:47:13 UTC
I wrote a little preload module to try and confirm this and it does not seem to work. I dont think this is exploitable as the default behavior of glibc should drop the suid bit. 
Can anybody confirm this happens?
Comment 3 Tavis Ormandy (RETIRED) gentoo-dev 2003-08-15 12:48:14 UTC
i cant reproduce, the manpage says "For setuid/setgid ELF binaries, only libraries in the standard search directories that are also setuid will be loaded."
Comment 4 solar (RETIRED) gentoo-dev 2003-09-22 09:54:33 UTC
Any objections to changing resolution as INVALID ?
Comment 5 Sascha Silbe 2003-09-25 14:31:48 UTC
Yes, I do object. My build process still creates files as root even though
it runs as a normal user.
I was not able to reproduce it on Hanno Boeck's Laptop, but as soon as I
find time I'll try to create a minimal installation in a UML showing the

For the time being, these are the exact versions I use:

The privileges of the user running the build process:
uid=1000(sascha) gid=100(users)

Comment 6 Tavis Ormandy (RETIRED) gentoo-dev 2003-09-25 18:19:19 UTC
Sascha, "Yes, I do object. My build process still creates files as root even
though it runs as a normal user."

Isnt this the point of fakeroot?

Take a look at this session i just made, for example:

taviso@insomniac:~$ cat test.c
#include <stdio.h>
int main(){
taviso@insomniac:~$ gcc -ansi -pedantic -o test test.c
taviso@insomniac:~$ ls -l test
-rwxr-xr-x    1 taviso   users        6771 2003-09-26 01:52 test*
taviso@insomniac:~$ ./test
taviso@insomniac:~$ cat preload.c
#include <stdio.h>
int geteuid(void) {
        return 2;
taviso@insomniac:~$ gcc -ansi -pedantic -shared -o preload.c
taviso@insomniac:~$ ls -l
-rwxr-xr-x    1 taviso   users        6668 2003-09-26 01:52*
taviso@insomniac:~$ LD_PRELOAD=./ ./test
taviso@insomniac:~$ sudo chmod u+s test ; sudo chown root test ; ls -l test
-rwsr-xr-x    1 root     users        6771 2003-09-26 01:52 test*
taviso@insomniac:~$ ./test
taviso@insomniac:~$ LD_PRELOAD=./ ./test

Take a look at this fakeroot session, isnt this what your experiencing?

taviso@insomniac:~$ whoami
taviso@insomniac:~$ fakeroot 'touch foobar; ls -l foobar'
-rw-r--r--    1 root     root            0 2003-09-26 01:57 foobar
taviso@insomniac:~$ ls -l foobar 
-rw-r--r--    1 taviso   users           0 2003-09-26 01:57 foobar

Within the fakeroot environment, it will look like files are owned by root,
but in reality they are owned by me.

here are some of the comments from the dynamic loader source code:

/* This is an extra security effort to make sure nobody can preload broken
shared objects which are in the trusted directories and so exploit the bugs.
/* ... */
Here the author stats() the preloaded library, if is _NOT_ Suid or he cant
test it (eg,stat() fails) This happens:
/* ... */
/* The shared object cannot be tested for being SUID or this bit is not set.
 In this case we must not use this object.  */
__close (fd);
fd = -1;
/* We simply ignore the file, signal this by setting the error value which
would have been set by `open'.  */
errno = ENOENT;
/* ... */
Here is some code from another part:
/* Make sure we don't use untrusted directories if we run SUID.  */
// Author runs some checks, then...
if (unsecure)
 /* Simply drop this directory.  */

There are lots more checks like this, im confident you are experiencing the
effects of the fakeroot application, which is specifically designed to fool
programs into thinking they are root, and can create files owned by root.

libraries cannot be preloaded for suid binaries, unless they are also suid
and in a trusted directory (which is by design).
Comment 7 Sascha Silbe 2003-09-26 03:32:57 UTC
The purpose of fakeroot (and the reason I use it) is to run the build process
as a normal user, but pretend to be root within the build environment. So
it cannot overwrite anything in the system, only in it's build environment.
But currently, some processes in the build environment get REAL root privileges,
not just pretended ones. They can overwrite files in the real system and
cannot be deleted by the user running the build process (!).

Comment 8 Tavis Ormandy (RETIRED) gentoo-dev 2003-09-27 13:37:03 UTC
Well, how about resolving WFM unless someone can produce an example script...
Comment 9 solar (RETIRED) gentoo-dev 2003-10-01 11:13:13 UTC
WFM sounds good. Any objections from anybody else?
Comment 10 Sascha Silbe 2003-10-02 11:59:39 UTC
Changing to WFM for now. Will report back later when I can reproduce the
problem on another system.