Details of the Problem
- With all of these programs, the command to be executed in the new security context is stored as a string in memory.
- This memory exists within the previous security context.
- All applications in the previous security context have the ability to modify this memory.
- Modification of the memory can be done easily by placing a trojan in execve(2) (or any of the libc execve(2) wrappers).
- This trojan can be placed there with ptrace(2) or by using an uploaded shared object containing the trojan in conjunction with the LD_PRELOAD environment variable.
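As an added example (not code from the original advisory), two pre-flight checks a wrapper can run in the calling security context before it executes a context-switching program: they report the two conditions the text names as the means of planting the execve(2) trojan, an attached tracer (read from the TracerPid field of /proc/self/status, which is Linux-specific) and an LD_PRELOAD entry in the environment. The function names and the check structure are this example's own assumptions.

```c
/* Added example: detection of the two trojan-planting preconditions named
 * in the text (ptrace attachment, LD_PRELOAD).  Function names and the
 * /proc/self/status parsing are assumptions of this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Parse the TracerPid field from the text of /proc/self/status.
 * Returns the tracer's pid, 0 if no tracer is attached, -1 if the field
 * is absent (non-Linux kernel or an unexpected format). */
long tracer_pid_from_status(const char *status_text)
{
    const char *p = strstr(status_text, "TracerPid:");
    if (p == NULL)
        return -1;
    /* strtol skips the tab that follows the colon in the real file. */
    return strtol(p + strlen("TracerPid:"), NULL, 10);
}

/* Return the value of LD_PRELOAD in envp, or NULL when it is not set. */
const char *preload_value(char *const envp[])
{
    const size_t klen = strlen("LD_PRELOAD=");
    for (size_t i = 0; envp[i] != NULL; i++)
        if (strncmp(envp[i], "LD_PRELOAD=", klen) == 0)
            return envp[i] + klen;
    return NULL;
}

/* Run both checks on the current process and return how many fired. */
int check_calling_context(void)
{
    int findings = 0;
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f != NULL) {
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
        if (tracer_pid_from_status(buf) > 0)
            findings++;                 /* a tracer is attached to us */
    }
    if (preload_value(environ) != NULL)
        findings++;                     /* a shared object is preloaded */
    return findings;
}
```

These checks only catch the crude case: they do not address the underlying problem that the command string stays in memory writable by the previous security context, so they complement rather than replace a fix on the receiving side.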