跑 ldd 有可能會執行裡面的程式碼

在 Daily Lobsters 上看到「ldd(1) and untrusted binaries」這篇，這次的重點在 ldd 的 manpage ldd(1) 裡提到可能會執行裡面的程式碼，所以不適合拿來處理 untrusted binary：

Be aware, however, that in some circumstances, some versions of ldd may attempt to obtain the dependency information by directly executing the program. Thus, you should never employ ldd on an untrusted executable, since this may result in the execution of arbitrary code.

另外在原文裡面的 comment 有人提到 macOS 上面沒有 ldd，而是用其他工具給出類似的資訊，看起來是避開了這種實作方式：

macOS and other Darwin-based systems, which use Mach-O rather than ELF, and have an 4.x/SVR4-inspired dynamic linking mechanism (not surprising, given that the person who did a lot of the work on the 4.x system left Sun to go to NeXT), but don’t have an “ldd” program. Instead, there’s “otool -L”, which produces output such as […]

而 FreeBSD 上的 ldd(1) manpage 上沒有提到安全問題，但從他的實作描述看起來也不太妙：

ldd lists the dependencies of an executable by setting rtld(1) environment variables and running the executable in a child process.

回到原來主題，Linux manpage 裡面提到的 objdump 跟 ldd 的功能還是差蠻多的啊？不知道合理的替代品到底是什麼…

Read More