-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Taken from IBM's AIX vendor response
(http://lists.insecure.org/lists/bugtraq/2000/Mar/0184.html) to this issue
when discussed in 2000:

<BEGIN>
The AIX version 4 linker has always documented the -blibpath option as a
mechanism for removing build environment dependencies from a runtime
environment. Applications that gain privilege should always use this option
to remove library search paths that may not/should not exist on customer
machines.

The use of relative library paths is also highly discouraged. While they can
be useful, the -blibpath option should also be used to not only avoid these
types of security issues, but to remove the possibility of finding (or not
finding at all) the wrong relative directory, since relative paths at runtime
will be based upon the current working directory.

These and any other AIX security vulnerabilities can be reported to
security-alert@austin.ibm.com.
</BEGIN>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)

iD8DBQE+sWGWcnMXzUg7txIRAlPOAJ9MyLxzoesJAlE4z/rUTjUcBALV4gCfZjkW
bgslNWzYOTobFpw2Knr0V/0=
=+nIF
-----END PGP SIGNATURE-----

Shiva Persaud
AIX Security Developer


Damien Miller <djm@mindrot.org>
04/29/2003 10:39 PM

To: BUGTRAQ@securityfocus.com, <openssh-unix-dev@mindrot.org>,
    <openssh-unix-announce@mindrot.org>
cc:
Subject: Portable OpenSSH: Dangerous AIX linker behavior (aixgcc.adv)

2. Description:

The default behavior of the runtime linker on AIX is to search the current
directory for dynamic libraries before searching system paths. This is done
regardless of the executable's set[ug]id status.

This behavior is insecure and extremely dangerous. It allows an attacker to
locally escalate their privilege level through the use of replacement
libraries.

Portable OpenSSH includes configure logic to override this broken behavior,
but only for the native compiler. gcc uses a different command-line option
(without changing the dangerous default behavior).
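Both IBM's advice (set an absolute -blibpath, avoid relative library paths) and the advisory's description (the loader searches the current directory first) come down to the same audit question for a setuid/setgid binary: does its embedded library search path contain "." or any other component that resolves relative to the current working directory? The script below is an added example, not part of the advisory or IBM's response. It checks a colon-separated libpath for such components and pulls the libpath out of `dump -H` style output; the table layout it parses (an "Import File Strings" section whose entry 0 carries the libpath) is an assumption about that command's format, and the sample output embedded in the script is constructed so the check runs on any POSIX shell without an AIX system.

```shell
#!/bin/sh
# Audit an AIX executable's embedded library search path (the -blibpath value)
# for components that make the loader search an attacker-controllable directory.
# Added example, not code from the advisory or from IBM. The dump -H layout is
# an assumption: entry 0 of the "Import File Strings" table holds the libpath.

# Return 0 if every component of a colon-separated libpath is an absolute
# directory, 1 otherwise. An empty component ("::", leading or trailing ":")
# means the current directory, as do "." and any path not starting with "/".
libpath_is_safe() {
    path="$1"
    # Catch empty components up front; the loop below would lose a trailing ":".
    case "$path" in
        ""|*:|:*|*::*) return 1 ;;
    esac
    rest="$path"
    while [ -n "$rest" ]; do
        comp="${rest%%:*}"
        case "$rest" in
            *:*) rest="${rest#*:}" ;;
            *)   rest="" ;;
        esac
        case "$comp" in
            /*) ;;           # absolute directory: acceptable
            *)  return 1 ;;  # ".", "..", "lib", ...: resolved against $PWD at run time
        esac
    done
    return 0
}

# Read `dump -H` text on stdin and print the libpath (Import File Strings entry 0).
extract_libpath() {
    awk '/\*\*\*Import File Strings\*\*\*/ { in_table = 1; next }
         in_table && $1 == "0" { print $2; exit }'
}

# Constructed sample resembling `dump -H /usr/bin/example` for a binary built
# without -blibpath. The trailing "." is exactly the pattern the advisory warns about.
SAMPLE_DUMP='/usr/bin/example:

                        ***Loader Section***
                      Loader Header Information
VERSION#         #SYMtableENT     #RELOCent        LENidSTR
0x00000001       0x00000018       0x0000004e       0x0000004b

                        ***Import File Strings***
INDEX  PATH                          BASE                MEMBER
0      /usr/lib:/lib:.
1                                    libc.a              shr.o
2                                    libcrypto.a         libcrypto.so'

# Run the audit on the sample; a real audit would pipe `dump -H /path/to/binary`.
libpath=$(printf '%s\n' "$SAMPLE_DUMP" | extract_libpath)
if libpath_is_safe "$libpath"; then
    echo "libpath '$libpath': OK"
else
    echo "libpath '$libpath': INSECURE (relative or empty component present)"
fi
```

For a privileged binary the remediation is the one IBM states: link with an absolute -blibpath (for example `/usr/lib:/lib`) so the loader never consults the current directory, and re-run the check on the installed binary rather than trusting the build flags.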