[forcefsck]

The thing is that someone has to execute some code to change it, and if so then malicious code has already been run. By then it is irrelevant if LD_PRELOAD_PATH will be used or not. If I trick you into running 'rm -fR *', does that count as an exploit?

[praptak]

"The thing is that someone has to execute some code to change it, and if so then malicious code has already been run."

Wrong. You could have at least googled "LD_PRELOAD exploit" before writing this.

Setting LD_PRELOAD does not require running your own code. A real life exploit using LD_PRELOAD took advantage of a weakness in telnet server that let the connecting client export environment variables (yup, even before logging on - no local login required). Write access to a directory visible by telnetd was enough to plant own malicious *.so and then gain root access by exporting LD_PRELOAD via telnet.

[forcefsck]

So, again, the exploit was that a telnet session was exporting environment variables. LD_PRELOAD_PATH was just a way to take advantage of the telnetd exploit, which might not be the only way. I think that naming it "The LD_PRELOAD_PATH exploit" is just misguiding.

[praptak]

"So, again, the exploit was that a telnet session was exporting environment variables."

No, this was a feature. It had been safe in the days of static libraries, it became a problem when the LD_something family of variables was introduced. Besides, the telnet was just a single vector of introducing the LD_. Other examples concern local privilege escalation by calling suid apps:

http://xorl.wordpress.com/2009/12/01/freebsd-ld_preload-secu...

https://www.kb.cert.org/vuls/id/686403

So there definitely exists a family of exploits that rely on bypassing the usual checks on LD_PRELOAD (and other similar variables) to inject malicious lib into protected code.

[forcefsck]

> No, this was a feature. It had been safe in the days of static libraries, it became a problem when the LD_something family of variables was introduced.

So? Still a bad design in the telnetd's part. If it wasn't LD_ variables it would have been something else eventually.

> So there definitely exists a family of exploits that rely on bypassing the usual checks on LD_PRELOAD (_and_other_similar_variables_)...

Yes, ofcourse, every issue of environment mishandling would lead the exploiter to utilize LD_PRELOAD, it's the easiest but not the only way. Even without LD_PRELOAD, those bugs would still be a liability for compromising security or normal operation of the system. And just like any part of any OS, ugly bugs will come up now or then.

But it is far too much to compare the casual use of LD_PRELOAD to the brain damaged/stupid handling of dynamically loading libraries Microsoft's Windows have. Actually, LD_PRELOAD is a needed feature (eg. for binary package distribution) that at least provides one layer of protection, it is the opposite of blindly loading any library found in non system folders.

[Kliment]

You're absolutely right. Once you've managed to change the preload path, all is lost anyway. Sorry for the confusion.