Apache Arbitrary Dynamic Library Loading Code Execution Vulnerability

Vulnerability information: [http://www.securityfocus.com/bid/53046/info](http://www.securityfocus.com/bid/53046/info)

If the LD_LIBRARY_PATH variable is set, then when Apache starts and loads its dynamic libraries, the loader searches the paths given in LD_LIBRARY_PATH:

export LD_LIBRARY_PATH=/tmp

Run:

strace apache2

...
open("/tmp/libnss_compat.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=139786, ...}) = 0
....

As can be seen, libnss_compat.so.2 is looked up under /tmp. An attacker can build a library carrying malicious code, place it in the specified directory, and thereby achieve arbitrary code execution.