search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

GNU C library dynamic linker expands $ORIGIN in setuid library search path

Vulnerability Note VU#537223

Original Release Date: 2010-10-25 | Last Revised: 2010-10-26

Overview

Certain versions of glibc unsafely handle the $ORIGIN ELF substitution sequence which can be exploited to gain local privilege escalation.

Description

Tavis Ormandy's advisory states:

"$ORIGIN is an ELF substitution sequence representing the location of the executable being loaded in the filesystem hierarchy. The intention is to allow executables to specify a search path for libraries that is relative to their location, to simplify packaging without spamming the standard search paths with single-use libraries."
...
"$ORIGIN is only expanded if it is alone and first in the path. This makes little sense, and does not appear to be useful even if there were no security impact. This was most likely the result of an attempt to re-use the existing DT_NEEDED resolution infrastructure for LD_AUDIT support, accidentally introducing this error. Perhaps surprisingly, this error is exploitable."

Versions 2.12.1 on Fedora Core 13 and 2.5 on RHEL5 and CENTOS5 are known to be affected. Other versions and Linux distributions are probably affected but have not been confirmed at this time.

Full details are available in Tavis Ormandy's advisory.

Impact

A local unprivileged attacker can escalate their privileges to root.

Solution

Apply an update for the glibc packages from distribution vendors.

Vendor Information

537223
 
Expand all

CentOS Affected

Updated:  October 25, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Debian GNU/Linux Affected

Updated:  October 26, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fedora Project Affected

Updated:  October 25, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mandriva S. A. Affected

Updated:  October 26, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc. Affected

Updated:  October 25, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Slackware Linux Inc. Affected

Updated:  October 26, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ubuntu Affected

Updated:  October 26, 2010

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gentoo Linux Unknown

Updated:  October 25, 2010

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

http://seclists.org/fulldisclosure/2010/Oct/257

Acknowledgements

Thanks to Tavis Ormandy for researching and publishing the details of this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2010-3847
Severity Metric: 13.36
Date Public: 2010-10-18
Date First Published: 2010-10-25
Date Last Updated: 2010-10-26 11:35 UTC
Document Revision: 17

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis