[Full-disclosure] linux bugs (survival stories)?
Joachim Schipper
j.schipper at math.uu.nl
Tue Apr 12 23:44:12 BST 2005
> 'hello world' can bypass noexec
> just remove the executable flags from the program headers
> the compiled binary don't even need to have executable permissions
>
> #include <stdio.h>
> int main(int argc, char *argv[])
> {
> printf("Hello world!\n");
> return 0;
> }
>
>
> % sudo mount -o remount,noexec /tmp
> % wget http://pornadmin.net/~tongson/linux/helloworld.bin -O /tmp/helloworld.bin
> % /lib/ld-linux.so.2 /tmp/helloworld.bin
> Hello world!
This does not seem to work when ld-linux.so.2 is on a filesystem mounted
noexec, though [1]. Wouldn't this make it akin to calling /bin/bash
hello_world.sh?
PaX can stop you from mmap()ing a file and then executing the code
inside, IIRC, but since this breaks X11 it's uncommon to enable the
option.
Joachim
[1] ./ld-linux.so.2 fails when called without arguments. Checked on
linux-2.6.11.7-grsec. ld-linux.so.2 was moved to a different disk before
the check was made, with and without chroot and strace. Where strace was
used, it showed that exec() failed.
Full-Disclosure is hosted and sponsored by Secunia.