Wireshark-bugs: [Wireshark-bugs] [Bug 5133] Wireshark vulnerable to DLL hijacking

Date: Tue, 24 Aug 2010 13:34:53 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5133

Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jeff.morriss.ws@xxxxxxxxx

--- Comment #4 from Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> 2010-08-24 13:34:52 PDT ---
(In reply to comment #1)
> Should this be platform All/All?  The paper at
> 
>     http://www.cs.ucdavis.edu/research/tech-reports/2010/CSE-2010-2.pdf
> 
> notes that UN*Xes are vulnerable to this as well.

I didn't read the whole paper yet, but I thought modern library loading
consisted of searching:

1) directories we told the loader to search when we compile it (with "-R" on
Solaris and "-Wl,-rpath" on Linux, don't know about others)
2) directories the sysadmin set up (at least on Linux, with /etc/ld.so.conf)
3) directories the user specified with LD_LIBRARY_PATH (and other similar
variables)

It seems that the Trickle vulnerability had to do with some funny LD_PRELOAD
stuff where they were explicitly looking for the library in the pwd:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513456


Just doing a quick test (with an installed Wireshark):

% strace -f -o strace.out /usr/sbin/wireshark
% egrep 'open.*lib' strace.out | grep -v "open.\"/usr" | grep -v "open.\"/lib"

yielded no attempts by Wireshark to read a library from anywhere other than
"safe" places.

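A stricter form of the strace check from comment #4, as an added example (not part of the original comment or of Wireshark's code): it parses open/openat lines, collapses ".." in paths, and also reports failed lookups outside the trusted directories. The trusted prefixes, the function name and the sample trace are assumptions constructed for illustration.

```python
import posixpath
import re

# Assumption: directories treated as "safe", mirroring the two grep -v filters.
TRUSTED_PREFIXES = ("/usr/", "/lib/", "/lib64/")

# Matches completed calls as written by "strace -f -o", e.g.
#   4242 open("/lib/libc.so.6", O_RDONLY) = 3
#   4242 openat(AT_FDCWD, "libfoo.so", O_RDONLY) = -1 ENOENT (...)
# Calls split into "<unfinished ...>" / "resumed" halves are not matched.
CALL_RE = re.compile(
    r'^(?:\d+\s+)?(?:open|openat)\((?:[^,"]+,\s*)?"(?P<path>[^"]*)"'
    r'.*\)\s*=\s*(?P<ret>-?\d+)'
)
# Shared-object names: libfoo.so, libfoo.so.1, libfoo.so.1.2.3
LIB_RE = re.compile(r'\.so(\.\d+)*$')


def untrusted_library_opens(strace_lines):
    """Return (path_as_logged, succeeded) for library opens outside trusted dirs."""
    findings = []
    for line in strace_lines:
        m = CALL_RE.match(line)
        if not m or not LIB_RE.search(m.group("path")):
            continue
        # Collapse "." and ".." so "/usr/lib/../../tmp/x.so" is not trusted.
        # Relative paths stay relative and therefore never match a prefix.
        resolved = posixpath.normpath(m.group("path"))
        if resolved.startswith(TRUSTED_PREFIXES):
            continue
        # A failed lookup (ret < 0) is still reported: the loader probed there.
        findings.append((m.group("path"), int(m.group("ret")) >= 0))
    return findings


# Constructed sample trace (not real Wireshark output).
SAMPLE = """\
4242 open("/etc/ld.so.cache", O_RDONLY) = 3
4242 open("/usr/lib/libwireshark.so.0", O_RDONLY) = 3
4242 open("/lib/libc.so.6", O_RDONLY) = 3
4242 open("./libgtk-x11-2.0.so.0", O_RDONLY) = -1 ENOENT (No such file or directory)
4242 openat(AT_FDCWD, "/usr/lib/../../tmp/libpcap.so.0.8", O_RDONLY) = 3
4243 open("/home/user/capture.pcap", O_RDONLY) = 4
""".splitlines()

if __name__ == "__main__":
    for path, ok in untrusted_library_opens(SAMPLE):
        print(("loaded " if ok else "probed ") + path)
```

The path normalization is lexical only, so a symlink inside a trusted directory that points elsewhere is not detected by this check.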