Apache Arbitrary Shared Library Loading Code Execution Vulnerability

Vulnerability information: [http://www.securityfocus.com/bid/53046/info](http://www.securityfocus.com/bid/53046/info)

If the LD_LIBRARY_PATH variable is set, Apache searches the paths it specifies first when it looks for shared libraries to load at startup:

export LD_LIBRARY_PATH=/tmp

Run:

$ strace apache2

...
open("/tmp/libnss_compat.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=139786, ...}) = 0
....

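As shown above, libnss_compat.so.2 is looked up under /tmp first. An attacker can build a library containing malicious code and place it in the specified directory, resulting in arbitrary code execution.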
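A defensive check for the condition described above, added here as an example and not part of the original page: it audits an LD_LIBRARY_PATH value for entries where an unprivileged user could place a library ahead of the system search path. The function name `audit_ld_library_path` and the finding labels are hypothetical; the sample input is the `/tmp` value used on this page.

```shell
#!/bin/sh
# Added example (not from the original page). audit_ld_library_path is a
# hypothetical helper: it prints one line per risky search-path entry and
# returns non-zero if any entry lets an unprivileged user plant a library.
audit_ld_library_path() (
    # ld.so accepts ':' and ';' as separators; normalise to ':'.
    rest=$(printf '%s' "$1" | tr ';' ':')
    [ -n "$rest" ] || exit 0          # unset or empty: nothing to audit
    rest=$rest:                       # sentinel so the last entry is consumed
    risky=0
    while [ -n "$rest" ]; do
        dir=${rest%%:*}               # next entry
        rest=${rest#*:}               # remainder after the separator
        case $dir in
            '')  # a zero-length entry means the current working directory
                 echo "current-directory: (empty entry)"; risky=1 ;;
            /*)  # -H resolves a symlinked entry; -prune inspects only the
                 # directory itself. Sticky-bit directories such as /tmp
                 # still match, since anyone can create a new file there.
                 if [ -d "$dir" ] &&
                    [ -n "$(find -H "$dir" -prune -perm -0002 -print)" ]; then
                     echo "world-writable: $dir"; risky=1
                 fi ;;
            *)   echo "relative: $dir"; risky=1 ;;
        esac
    done
    exit "$risky"
)

# Constructed input: the value exported on this page.
audit_ld_library_path "/tmp" || true
```

Running the function against the environment that actually starts the service (for example the value set in its init script or envvars file) shows whether the daemon inherits an unsafe search path.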