Vulnerability Note VU#386504

glibc does not check SUID bit on libraries in /etc/ld.so.cache

Overview

The GNU libc library fails to perform a check for the SETUID bit for cached libraries in the /etc/ld.so.cache file. As a result, malicious users may create or modify privileged files.

I. Description

The GNU libc library allows preloading libraries via the LD_PRELOAD environment variable, provided the entries in the variable don't contain the / character. When running a SUID program, the library also checks to ensure the library being loaded is SUID. Unfortunately, this check is skipped if the library is already in the /etc/ld.so.cache file.

II. Impact

Malicious users may pre-load libraries into the cache file, and use those libraries to create or modify privileged files.

III. Solution

Apply patches available from your operating system vendor; see below.

Systems Affected

Vendor	Status	Date Notified
Caldera	Vulnerable	14-May-2001
Conectiva	Vulnerable	11-May-2001
Debian	Vulnerable	11-May-2001
Engarde	Vulnerable	15-May-2001
Immunix	Vulnerable	14-May-2001
MandrakeSoft	Vulnerable	14-May-2001
RedHat	Vulnerable	14-May-2001
SuSE	Vulnerable	14-May-2001
Trustix	Vulnerable	15-May-2001
TurboLinux	Vulnerable	15-May-2001

References

Credit

Our thanks to Red-Hat Security for identifying this problem.

This document was last modified by Tim Shimeall

Other Information

Date Public:	2001-01-18
Date First Published:	2001-05-14
Date Last Updated:	2001-06-20
CERT Advisory:
CVE-ID(s):	CAN-2001-0169
NVD-ID(s):	CAN-2001-0169
US-CERT Technical Alerts:
Severity Metric:	11.99
Document Revision:	14

If you have feedback, comments, or additional information about this vulnerability, please send us email.