[Retr0id]

LD_PRELOAD "works as designed" but people who don't know about it often make false assumptions, leading to exploitable bugs.

One such assumption is "if /bin/foo is a trustworthy executable then any process with /proc/pid/exe pointing to /bin/foo is trustworthy"

[nathan_naveen]

Exactly, that is our thought process!

We know that this isn't anything revolutionary, but most people assume that this kind of thing can't happen, so we wrote a blog post about it.

[bpt3]

Please describe the scenario where someone needs to make the assumption you described and it is reasonable to expect that they are unaware that symbolic links could be changed by a third party library?

[Retr0id]

I know one example off the top of my head, but it's part of an exploit chain I haven't got around to reporting yet ;)

What's the relevance of symlinks here?

[bpt3]

Maybe I misunderstood your argument, but /proc/[pid]/exe is a symlink in Linux 2.2 and later (so virtually all running instances of Linux today).

That said, your example doesn't make much sense to me. I'd be willing to bet a lot of money that the authors of the exploit chain you mentioned are aware of LD_PRELOAD and /etc/ld.so.conf.