"Surprisingly, by chaining four common side effects of shared libraries from official distribution packages, we were able to transform this very limited primitive (the dlopen() and dlclose() of shared libraries from /usr/lib*) into a reliable, one-shot remote code execution in ssh-agent (despite ASLR, PIE, and NX)."

Qualys continues to deliver, wow! #CVE-2023-38408

https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt

@rgacogne Wow, nice to see the research validating real-world instances of the reasons #musl dynamic linker never unloads libraries.
@dalias @rgacogne It's possible to do safely (in theory anyway), but the necessity of doing it at all (allowing such loading in the first place) here is really not obvious to me.
@lispi314 @rgacogne Only if the default were NODELETE and libraries that could safely be unloaded needed explicit marking as such.