search menu icon-carat-right cmu-wordmark

CERT Coordination Center


ld.so fails to unset LD_PRELOAD before executing suid root programs

Vulnerability Note VU#686403

Original Release Date: 2001-05-17 | Last Revised: 2001-06-21

Overview

ld.so fails to unset LD_PRELOAD before executing suid root programs, allowing loading of insecure or malicious libraries.

Description

ld.so, the UNIX/LINUX dynamic loader, fails in some conditions (and some operating system releases) to unset LD_PRELOAD before loading suid root programs for execution. Even though setuid root programs ignore LD_PRELOAD, programs called from suid root programs would use LD_PRELOAD and be loaded with insecure or malicious libraries and executed as root.

Impact

By altering LD_PRELOAD, attackers could cause malicious libraries to be loaded by programs called from setuid root programs, which then could execute arbitrary code as root.

Solution

Apply vendor patches; see the Systems Affected section below.

Vendor Information

686403
Expand all

Caldera

Notified:  August 30, 2000 Updated:  May 15, 2001

Status

  Vulnerable

Vendor Statement

http://www.linuxsecurity.com/advisories/caldera_advisory-657.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD

Notified:  September 08, 2000 Updated:  May 15, 2001

Status

  Vulnerable

Vendor Statement

Since FreeBSD does not use glibc (which is Linux-specific software) we are
not vulnerable to the unsetenv() bug.

However, FreeBSD does have some minor issues in its locale implementation.
These do not affect any program in the FreeBSD base system (i.e. they are
not exploitable locally or remotely on a FreeBSD system with no third
party software installed), and no such third party software (including
ports) are in fact known to be vulnerable. We recommend users obtain
FreeBSD Security Advisory 00:47 for more information including
instructions for detecting vulnerable binaries.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft

Notified:  August 30, 2000 Updated:  May 15, 2001

Status

  Vulnerable

Vendor Statement

http://www.linuxsecurity.com/advisories/mandrake_advisory-667.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

TurboLinux

Notified:  February 19, 2001 Updated:  May 15, 2001

Status

  Vulnerable

Vendor Statement

http://www.linuxsecurity.com/advisories/turbolinux_advisory-1158.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple

Notified:  September 08, 2000 Updated:  May 15, 2001

Status

  Not Vulnerable

Vendor Statement

We've determined that glibc is not used in Mac OS X, and we are therefore
not exposed to the problems identified within glibc.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Compaq Computer Corporation

Notified:  September 08, 2000 Updated:  May 15, 2001

Status

  Not Vulnerable

Vendor Statement

(c) Copyright 2000 Compaq Computer Corporation. All rights reserved.

SOURCE: Compaq Computer Corporation
       Compaq Services
      Software Security Response Team USA


    The reported problems have not been found to affect the as shipped,
   Compaq Tru64/UNIX Operating Systems Software.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu

Notified:  September 08, 2000 Updated:  May 15, 2001

Status

  Not Vulnerable

Vendor Statement

Regarding VU#686403 (ld.so fails to unset LD_PRELOAD before executing
suid root programs), the Fujitsu UXP/V operating system is not
vulnerable to this problem.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett Packard

Notified:  September 08, 2000 Updated:  May 15, 2001

Status

  Not Vulnerable

Vendor Statement

HP-UX does not implement LD_PRELOAD.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft

Notified:  September 08, 2000 Updated:  May 15, 2001

Status

  Not Vulnerable

Vendor Statement

Received confirmation from our development team and we are NOT
vulnerable to the various scenarios described
.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD

Notified:  September 08, 2000 Updated:  May 15, 2001

Status

  Not Vulnerable

Vendor Statement

Vendor has reported no products having this vulnerability

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SCO

Notified:  September 08, 2000 Updated:  May 15, 2001

Status

  Not Vulnerable

Vendor Statement

SCO OpenServer Release 5 and UnixWare 7 systems are not
vulnerable to this exploit. The static and dynamic loaders
in SCO products do not use LD_PRELOAD
.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

BSDI

Notified:  September 08, 2000 Updated:  May 15, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Data General

Notified:  September 08, 2000 Updated:  May 15, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM

Notified:  September 08, 2000 Updated:  May 15, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NCR

Notified:  September 08, 2000 Updated:  May 15, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NEC

Notified:  September 08, 2000 Updated:  May 15, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NeXT

Notified:  September 08, 2000 Updated:  May 15, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetBSD

Notified:  September 08, 2000 Updated:  May 15, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

RedHat

Notified:  September 08, 2000 Updated:  May 15, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI

Notified:  September 08, 2000 Updated:  May 15, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Siemens Nixdorf

Notified:  September 08, 2000 Updated:  May 15, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sony

Notified:  September 08, 2000 Updated:  May 15, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun

Notified:  September 08, 2000 Updated:  May 15, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Unisys

Notified:  September 08, 2000 Updated:  May 15, 2001

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

The original public announcement was by Solar Designer <solar@false.com>.

This document was last modified by Tim Shimeall

Other Information

CVE IDs: CVE-2000-0824
Severity Metric: 6.73
Date Public: 2000-08-31
Date First Published: 2001-05-17
Date Last Updated: 2001-06-21 19:29 UTC
Document Revision: 6

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.