Caution advised when using the ldd system tool
Bugs in system utilities are not usually particularly interesting from a security point of view, but if the utility is regularly used to obtain information on suspect programs, it's a rather different story.
ldd, the system tool that lists the shared libraries a dynamically linked program depends on, is exactly such a utility: it is a standard first step for system administrators and forensic analysts who want an insight into how an unknown program works. In his blog, Peteris Krumins explains how ldd works under Linux, and how the very program under examination can exploit that to execute arbitrary code.
The key is that ldd is only a shell script and, to obtain the list, actually executes the program it is asked to analyse. Before doing so it sets the LD_TRACE_LOADED_OBJECTS environment variable, which tells the dynamic loader to print the program's dependencies and exit rather than run it. The safety of this approach therefore rests entirely on the loader honouring that variable. Krumins' trick is to arrange for his own loader to be invoked instead of the system one: the path of the dynamic loader is recorded in the binary itself (the ELF program interpreter, PT_INTERP), and it can be set to any path with a linker option at compile time. Because the kernel hands control to that loader before the program proper starts, a loader under the author's control is free to ignore LD_TRACE_LOADED_OBJECTS and execute arbitrary code the moment someone examines the binary with ldd.
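The practical consequence is that the interpreter path is attacker-controlled data inside the file, and ldd trusts it. The following script, an added example that is not part of the article or of Krumins' post, does the part of ldd's job that can be done without executing anything: it reads the PT_INTERP program header and the DT_NEEDED entries of the PT_DYNAMIC segment straight out of a little-endian ELF64 file and flags any interpreter outside an allowlist. The allowlist of loader paths is an assumption to be adapted per distribution, and build_sample_elf constructs minimal test inputs so the script runs offline; the sample file names are invented. (The GNU ld option that sets PT_INTERP is --dynamic-linker, which is how a binary ends up pointing at a non-system loader in the first place.)

```python
"""Report what ldd would report, without running the binary.

ldd executes the target with LD_TRACE_LOADED_OBJECTS set and trusts the loader
named in the binary to honour it. Here the two facts that matter are read from
the file instead: the interpreter path (PT_INTERP) the kernel would execute, and
the DT_NEEDED library names in PT_DYNAMIC. Little-endian ELF64 only.
"""
import struct

# ELF constants (System V ABI)
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5

# Assumption: loader paths accepted on this host; adapt per distribution.
TRUSTED_INTERPRETERS = {
    "/lib64/ld-linux-x86-64.so.2",
    "/lib/ld-linux.so.2",
    "/lib/ld-linux-aarch64.so.1",
}


def _cstring(data, off):
    """NUL-terminated string at a file offset; refuses to read past the end."""
    end = data.find(b"\0", off) if 0 <= off < len(data) else -1
    if end < 0:
        raise ValueError("unterminated or out-of-range string at 0x%x" % off)
    return data[off:end].decode("ascii", "replace")


def _vaddr_to_offset(loads, vaddr):
    """Map a virtual address to a file offset through the PT_LOAD segments."""
    for p_offset, p_vaddr, p_filesz in loads:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    raise ValueError("address 0x%x is not backed by the file" % vaddr)


def inspect_elf(data):
    """Return interpreter path, DT_NEEDED names and a trust verdict."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    if e_phoff + e_phnum * e_phentsize > len(data):
        raise ValueError("program header table extends past end of file")
    interp, dynamic, loads = None, None, []
    for i in range(e_phnum):
        p_type, _, p_offset, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_offset + p_filesz > len(data):   # sizes are attacker-controlled: check them
            raise ValueError("segment %d extends past end of file" % i)
        if p_type == PT_LOAD:
            loads.append((p_offset, p_vaddr, p_filesz))
        elif p_type == PT_INTERP:
            interp = _cstring(data, p_offset)      # the loader the kernel would run
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    needed, strtab_vaddr, name_offsets = [], None, []
    if dynamic is not None:
        dyn_off, dyn_size = dynamic
        for pos in range(dyn_off, dyn_off + dyn_size - 15, 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, pos)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_NEEDED:
                name_offsets.append(d_val)
            elif d_tag == DT_STRTAB:
                strtab_vaddr = d_val
    if name_offsets:
        if strtab_vaddr is None:
            raise ValueError("DT_NEEDED present without DT_STRTAB")
        strtab_off = _vaddr_to_offset(loads, strtab_vaddr)
        needed = [_cstring(data, strtab_off + o) for o in name_offsets]
    return {"interpreter": interp, "needed": needed,
            "trusted_interpreter": interp in TRUSTED_INTERPRETERS}


def build_sample_elf(interp, needed, base=0x400000):
    """Constructed test input: a minimal ELF64 with only PT_LOAD, PT_INTERP and
    PT_DYNAMIC. It is not a runnable program, just the headers ldd relies on."""
    align = lambda n: (n + 7) & ~7
    interp_b = interp.encode() + b"\0"
    interp_off = 64 + 3 * 56                       # directly after the 3 program headers
    dynstr, idx = b"\0", []
    for name in needed:
        idx.append(len(dynstr))
        dynstr += name.encode() + b"\0"
    dynstr_off = align(interp_off + len(interp_b))
    dyn_off = align(dynstr_off + len(dynstr))
    dyn = struct.pack("<qQ", DT_STRTAB, base + dynstr_off)
    dyn += b"".join(struct.pack("<qQ", DT_NEEDED, i) for i in idx)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    total = dyn_off + len(dyn)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       2, 62, 1, base, 64, 0, 0, 64, 56, 3, 64, 0, 0)
    def phdr(p_type, off, size, flags):
        return struct.pack("<IIQQQQQQ", p_type, flags, off, base + off, base + off, size, size, 8)
    img = bytearray(total)
    img[:64] = ehdr
    img[64:232] = (phdr(PT_LOAD, 0, total, 5) + phdr(PT_INTERP, interp_off, len(interp_b), 4)
                   + phdr(PT_DYNAMIC, dyn_off, len(dyn), 6))
    img[interp_off:interp_off + len(interp_b)] = interp_b
    img[dynstr_off:dynstr_off + len(dynstr)] = dynstr
    img[dyn_off:dyn_off + len(dyn)] = dyn
    return bytes(img)


if __name__ == "__main__":
    import sys
    data = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else build_sample_elf("/home/attacker/ld.so", ["libc.so.6"]))  # constructed
    print(inspect_elf(data))
```

Run against a real file, this reports the same direct dependencies that ldd would print, minus the recursive resolution, and shows the interpreter path before anything is executed; the standard tools readelf -l (program headers, including the interpreter) and readelf -d or objdump -p (dynamic section) give the same information and likewise never run the target. A binary whose interpreter is not one of the installed system loaders should not be handed to ldd at all.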
Krumins' blog post describes a scenario for catching out a system administrator with this trick: the attacker reports an error message about a missing library, and the administrator is likely to respond by running ldd on the binary to get a handle on the problem, which is precisely what hands control to the attacker's loader.
Krumins is not the first to come across this problem; the issue has been described before. The lesson stands regardless: running ldd on an untrusted binary must be treated as running that binary, and tools that read the ELF file without executing it (for example readelf -d or objdump -p) are the safer way to list its direct dependencies.