Compromising analysis tools

When reverse engineering a program, the analyst would not execute that program from a work account on a valid machine. The potential for abuse by a malicious program is obvious. However, the probability that the analyst will use a work account for statically analysing the program is much higher.

An exploit for the file command was publicly released in March 2003, which allowed a specially crafted executable to execute arbitrary commands. This is referred to in Mitre's CVE dictionary: CAN-2003-0102.

Standard practise for reverse engineering a program in the UNIX environment is to first execute the file, ldd and strings commands on the target program.

A vulnerability in the file command was discussed earlier. What about the ldd command?

The ldd command shows the shared libraries required by a program:

$ ldd /bin/ls => /lib/ (0x4001d000) => /lib/ (0x4002e000) => /lib/ (0x40149000)
       /lib/ => /lib/ (0x40000000)

Under glibc 2.2.x and 2.3.x (other environments untested), ldd is implemented by executing the program which the LD_TRACE_LOADED_OBJECTS environment variable set:

$ LD_TRACE_LOADED_OBJECTS=1 /bin/ls => /lib/ (0x4001d000) => /lib/ (0x4002e000) => /lib/ (0x40149000)
       /lib/ => /lib/ (0x40000000)

When the glibc program interpreter is invoked to execute a shared library executable, if the LD_TRACE_LOADED_OBJECTS environment variable is set the interpreter resolves required shared libraries and outputs them to stdout then exits. The program is not executed.

This is how the glibc program interpreter works. What about others? Let's do a comparison with glibc and uclibc:

$ echo 'main() { printf("hello world\n"); }' > hello.c

First glibc:

$ gcc hello.c -o gcc_hello
$ ldd ./gcc_hello => /lib/ (0x4001d000)
        /lib/ => /lib/ (0x40000000)

And now uclibc:

$ i386-uclibc-gcc hello.c -o uclibc_hello
$ ldd ./uclibc_hello 
hello world

Well that wasn't what we expected. We expected to find out the shared library dependencies and instead the program executed. How would a malicious program take advantage of this?

$ cat nasty.c
int main()
   if (getenv("LD_TRACE_LOADED_OBJECTS") != 0) {
      /* we are being executed under ldd */
      printf("doing funny stuff\n");
      printf("\ => /lib/ (0x4001d000)\n");
      printf("\t/lib/ => /lib/ (0x40000000)\n");
      return 0;

   printf("normally program execution\n");
   return 0;

$ i386-uclibc-gcc nasty.c -o nasty
$ ldd ./nasty
doing funny stuff => /lib/ (0x4001d000)
        /lib/ => /lib/ (0x40000000)

The moral of the story? Analysts should do all analysis (yes, this includes static analysis) under an protected / isolated account or machine.

Corollary: should does not imply will.