6.9 - VU#537223

Executive Summary

Summary
Title	GNU C library dynamic linker expands $ORIGIN in setuid library search path

Informations
Name	VU#537223	First vendor Publication	2010-10-25
Vendor	VU-CERT	Last vendor Modification	2010-10-26
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score	6.9	Attack Range	Local
Cvss Impact Score	10	Attack Complexity	Medium
Cvss Expoit Score	3.4	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#537223

GNU C library dynamic linker expands $ORIGIN in setuid library search path

Overview

Certain versions of glibc unsafely handle the $ORIGIN ELF substitution sequence which can be exploited to gain local privilege escalation.

I. Description

Tavis Ormandy's advisory states:

"$ORIGIN is an ELF substitution sequence representing the location of the executable being loaded in the filesystem hierarchy. The intention is to allow executables to specify a search path for libraries that is relative to their location, to simplify packaging without spamming the standard search paths with single-use libraries."
...
"$ORIGIN is only expanded if it is alone and first in the path. This makes little sense, and does not appear to be useful even if there were no security impact. This was most likely the result of an attempt to re-use the existing DT_NEEDED resolution infrastructure for LD_AUDIT support, accidentally introducing this error. Perhaps surprisingly, this error is exploitable."

Versions 2.12.1 on Fedora Core 13 and 2.5 on RHEL5 and CENTOS5 are known to be affected. Other versions and Linux distributions are probably affected but have not been confirmed at this time.

Full details are available in Tavis Ormandy's advisory.

II. Impact

A local unprivileged attacker can escalate their privileges to root.

III. Solution

Apply an update for the glibc packages from distribution vendors.

Vendor Information

Vendor	Status	Date Updated
CentOS	Affected	2010-10-25
Debian GNU/Linux	Affected	2010-10-26
Fedora Project	Affected	2010-10-25
Gentoo Linux	Unknown	2010-10-25
Mandriva S. A.	Affected	2010-10-26
Red Hat, Inc.	Affected	2010-10-25
Slackware Linux Inc.	Affected	2010-10-26
Ubuntu	Affected	2010-10-26

References

http://seclists.org/fulldisclosure/2010/Oct/257

Credit

Thanks to Tavis Ormandy for researching and publishing the details of this vulnerability.

This document was written by Jared Allar.

Other Information

Date Public:	2010-10-18
Date First Published:	2010-10-25
Date Last Updated:	2010-10-26
CERT Advisory:
CVE-ID(s):	CVE-2010-3847
NVD-ID(s):	CVE-2010-3847
US-CERT Technical Alerts:
Metric:	13.36
Document Revision:	16

Original Source

Url : http://www.kb.cert.org/vuls/id/537223

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-59	Improper Link Resolution Before File Access ('Link Following')

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:19821

Oval ID:	oval:org.mitre.oval:def:19821
Title:	VMware ESX third party updates for Service Console packages glibc, sudo, and openldap
Description:	elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of $ORIGIN for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2010-3847	Version:	4
Platform(s):	VMWare ESX Server 4.1 VMWare ESX Server 4.0	Product(s):
Definition Synopsis:
Patch ESX410-201101226-SG is not installed VMware ESX Server 4.1 is installed AND Patch ESX410-201101226-SG is not installed OR Patch ESX400-201101405-SG is not installed VMware ESX Server 4.0 is installed AND Patch ESX400-201101405-SG is not installed

Definition Id: oval:org.mitre.oval:def:22199

Oval ID:	oval:org.mitre.oval:def:22199
Title:	RHSA-2010:0787: glibc security update (Important)
Description:	elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of $ORIGIN for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory.
Family:	unix	Class:	patch
Reference(s):	RHSA-2010:0787-01 CESA-2010:0787 CVE-2010-3847	Version:	4
Platform(s):	Red Hat Enterprise Linux 5 CentOS Linux 5	Product(s):	glibc
Definition Synopsis:
Redhat 5 or Centos 5 release The operating system installed on the system is Red Hat Enterprise Linux 5 AND The operating system installed on the system is CentOS Linux 5.x Packages section glibc-headers is earlier than 0:2.5-49.el5_5.6 AND glibc-common is earlier than 0:2.5-49.el5_5.6 AND glibc-devel is earlier than 0:2.5-49.el5_5.6 AND glibc is earlier than 0:2.5-49.el5_5.6 AND nscd is earlier than 0:2.5-49.el5_5.6 AND glibc-utils is earlier than 0:2.5-49.el5_5.6

Definition Id: oval:org.mitre.oval:def:23012

Oval ID:	oval:org.mitre.oval:def:23012
Title:	ELSA-2010:0787: glibc security update (Important)
Description:	elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of $ORIGIN for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory.
Family:	unix	Class:	patch
Reference(s):	ELSA-2010:0787-01 CVE-2010-3847	Version:	6
Platform(s):	Oracle Linux 5	Product(s):	glibc
Definition Synopsis:
Oracle Linux 5.x rpm test glibc-headers is earlier than 0:2.5-49.el5_5.6 AND glibc-common is earlier than 0:2.5-49.el5_5.6 AND glibc-devel is earlier than 0:2.5-49.el5_5.6 AND glibc is earlier than 0:2.5-49.el5_5.6 AND nscd is earlier than 0:2.5-49.el5_5.6 AND glibc-utils is earlier than 0:2.5-49.el5_5.6

Definition Id: oval:org.mitre.oval:def:27665

Oval ID:	oval:org.mitre.oval:def:27665
Title:	DEPRECATED: ELSA-2010-0787 -- glibc security update (important)
Description:	[2.5-49.el5_5.6] - Never expand in privileged programs (#643818, CVE-2010-3847)
Family:	unix	Class:	patch
Reference(s):	ELSA-2010-0787 CVE-2010-3847	Version:	4
Platform(s):	Oracle Linux 5	Product(s):	glibc
Definition Synopsis:
Oracle Linux 5.x Packages match section glibc is earlier than 0:2.5-49.el5_5.6 AND glibc-common is earlier than 0:2.5-49.el5_5.6 AND glibc-devel is earlier than 0:2.5-49.el5_5.6 AND glibc-headers is earlier than 0:2.5-49.el5_5.6 AND glibc-utils is earlier than 0:2.5-49.el5_5.6 AND nscd is earlier than 0:2.5-49.el5_5.6

CPE : Common Platform Enumeration

Type	Description	Count
Application	Gnu Glibc cpe:2.3:a:gnu:glibc:2.9:::::::* cpe:2.3:a:gnu:glibc:2.8:::::::* cpe:2.3:a:gnu:glibc:2.7:::::::* cpe:2.3:a:gnu:glibc:2.6.1:::::::* cpe:2.3:a:gnu:glibc:2.6:::::::* cpe:2.3:a:gnu:glibc:2.5.1:::::::* cpe:2.3:a:gnu:glibc:2.5-49.el5_5.6:::::::* cpe:2.3:a:gnu:glibc:2.5:::::::* cpe:2.3:a:gnu:glibc:2.4:::::::* cpe:2.3:a:gnu:glibc:2.3.6:::::::* cpe:2.3:a:gnu:glibc:2.3.5:::::::* cpe:2.3:a:gnu:glibc:2.3.4:::::::* cpe:2.3:a:gnu:glibc:2.3.3:::::::* cpe:2.3:a:gnu:glibc:2.3.2:::::::* cpe:2.3:a:gnu:glibc:2.3.10:::::::* cpe:2.3:a:gnu:glibc:2.3.1:::::::* cpe:2.3:a:gnu:glibc:2.3:::::::* cpe:2.3:a:gnu:glibc:2.2.5:::::::* cpe:2.3:a:gnu:glibc:2.2.4:::::::* cpe:2.3:a:gnu:glibc:2.2.3:::::::* cpe:2.3:a:gnu:glibc:2.2.2:::::::* cpe:2.3:a:gnu:glibc:2.2.1:::::::* cpe:2.3:a:gnu:glibc:2.2:::::::* cpe:2.3:a:gnu:glibc:2.12.1:::::::* cpe:2.3:a:gnu:glibc:2.12.0:::::::* cpe:2.3:a:gnu:glibc:2.11.2:::::::* cpe:2.3:a:gnu:glibc:2.11.1:::::::* cpe:2.3:a:gnu:glibc:2.11:::::::* cpe:2.3:a:gnu:glibc:2.10.2:::::::* cpe:2.3:a:gnu:glibc:2.10.1:::::::* cpe:2.3:a:gnu:glibc:2.10:::::::* cpe:2.3:a:gnu:glibc:2.1.9:::::::* cpe:2.3:a:gnu:glibc:2.1.3.10:::::::* cpe:2.3:a:gnu:glibc:2.1.3:::::::* cpe:2.3:a:gnu:glibc:2.1.2:::::::* cpe:2.3:a:gnu:glibc:2.1.1.6:::::::* cpe:2.3:a:gnu:glibc:2.1.1:::::::* cpe:2.3:a:gnu:glibc:2.1:::::::* cpe:2.3:a:gnu:glibc:2.0.6:::::::* cpe:2.3:a:gnu:glibc:2.0.5:::::::* cpe:2.3:a:gnu:glibc:2.0.4:::::::* cpe:2.3:a:gnu:glibc:2.0.3:::::::* cpe:2.3:a:gnu:glibc:2.0.2:::::::* cpe:2.3:a:gnu:glibc:2.0.1:::::::* cpe:2.3:a:gnu:glibc:2.0:::::::* cpe:2.3:a:gnu:glibc:1.09.5:::::::* cpe:2.3:a:gnu:glibc:1.09.3:::::::* cpe:2.3:a:gnu:glibc:1.09.2:::::::* cpe:2.3:a:gnu:glibc:1.09.1:::::::* cpe:2.3:a:gnu:glibc:1.09:::::::* cpe:2.3:a:gnu:glibc:1.08.9:::::::* cpe:2.3:a:gnu:glibc:1.08.8:::::::* cpe:2.3:a:gnu:glibc:1.08.7:::::::* cpe:2.3:a:gnu:glibc:1.08.6:::::::* cpe:2.3:a:gnu:glibc:1.08.5:::::::* cpe:2.3:a:gnu:glibc:1.08.4:::::::* cpe:2.3:a:gnu:glibc:1.08.3:::::::* cpe:2.3:a:gnu:glibc:1.08.14:::::::* cpe:2.3:a:gnu:glibc:1.08.13:::::::* cpe:2.3:a:gnu:glibc:1.08.12:::::::* cpe:2.3:a:gnu:glibc:1.08.11:::::::* cpe:2.3:a:gnu:glibc:1.08.10:::::::* cpe:2.3:a:gnu:glibc:1.08.1:::::::* cpe:2.3:a:gnu:glibc:1.08:::::::* cpe:2.3:a:gnu:glibc:1.07.6:::::::* cpe:2.3:a:gnu:glibc:1.07.5:::::::* cpe:2.3:a:gnu:glibc:1.07.4:::::::* cpe:2.3:a:gnu:glibc:1.07.3:::::::* cpe:2.3:a:gnu:glibc:1.07.2:::::::* cpe:2.3:a:gnu:glibc:1.07.1:::::::* cpe:2.3:a:gnu:glibc:1.07:::::::* cpe:2.3:a:gnu:glibc:1.06.9:::::::* cpe:2.3:a:gnu:glibc:1.06.8:::::::* cpe:2.3:a:gnu:glibc:1.06.7:::::::* cpe:2.3:a:gnu:glibc:1.06.6:::::::* cpe:2.3:a:gnu:glibc:1.06.4:::::::* cpe:2.3:a:gnu:glibc:1.06.3:::::::* cpe:2.3:a:gnu:glibc:1.06.2:::::::* cpe:2.3:a:gnu:glibc:1.06.13:::::::* cpe:2.3:a:gnu:glibc:1.06.12:::::::* cpe:2.3:a:gnu:glibc:1.06.11:::::::* cpe:2.3:a:gnu:glibc:1.06.10:::::::* cpe:2.3:a:gnu:glibc:1.06.1:::::::* cpe:2.3:a:gnu:glibc:1.06:::::::* cpe:2.3:a:gnu:glibc:1.05:::::::* cpe:2.3:a:gnu:glibc:1.04:::::::* cpe:2.3:a:gnu:glibc:1.03:::::::* cpe:2.3:a:gnu:glibc:1.02:::::::* cpe:2.3:a:gnu:glibc:1.01:::::::* cpe:2.3:a:gnu:glibc:1.00:::::::* cpe:2.3:a:gnu:glibc:0.6:::::::* cpe:2.3:a:gnu:glibc:0.5:::::::* cpe:2.3:a:gnu:glibc:0.4.1:::::::* cpe:2.3:a:gnu:glibc:0.4:::::::* cpe:2.3:a:gnu:glibc:0.1:::::::* cpe:2.3:a:gnu:glibc:::::::x64:* cpe:2.3:a:gnu:glibc:::::::x86:* cpe:2.3:a:gnu:glibc:::::::: cpe:2.3:a:gnu:glibc:-:::::::*	99

ExploitDB Exploits

id	Description
2010-10-22	GNU C library dynamic linker LD_AUDIT arbitrary DSO load Vulnerability
2010-10-18	GNU C library dynamic linker $ORIGIN expansion Vulnerability

OpenVAS Exploits

Date	Description
2012-07-30	Name : CentOS Update for glibc CESA-2011:0412 centos5 x86_64 File : nvt/gb_CESA-2011_0412_glibc_centos5_x86_64.nasl
2012-06-06	Name : RedHat Update for glibc RHSA-2011:0413-01 File : nvt/gb_RHSA-2011_0413-01_glibc.nasl
2011-11-28	Name : Mandriva Update for glibc MDVSA-2011:178 (glibc) File : nvt/gb_mandriva_MDVSA_2011_178.nasl
2011-08-09	Name : CentOS Update for glibc CESA-2010:0787 centos5 i386 File : nvt/gb_CESA-2010_0787_glibc_centos5_i386.nasl
2011-08-09	Name : CentOS Update for glibc CESA-2011:0412 centos5 i386 File : nvt/gb_CESA-2011_0412_glibc_centos5_i386.nasl
2011-04-06	Name : RedHat Update for glibc RHSA-2011:0412-01 File : nvt/gb_RHSA-2011_0412-01_glibc.nasl
2011-03-09	Name : Gentoo Security Advisory GLSA 201011-01 (glibc) File : nvt/glsa_201011_01.nasl
2011-03-07	Name : Debian Security Advisory DSA 2122-2 (glibc) File : nvt/deb_2122_2.nasl
2011-01-14	Name : Ubuntu Update for eglibc, glibc vulnerability USN-1009-2 File : nvt/gb_ubuntu_USN_1009_2.nasl
2010-12-02	Name : Fedora Update for glibc FEDORA-2010-16308 File : nvt/gb_fedora_2010_16308_glibc_fc14.nasl
2010-11-17	Name : Debian Security Advisory DSA 2122-1 (glibc) File : nvt/deb_2122_1.nasl
2010-11-16	Name : Fedora Update for glibc FEDORA-2010-16641 File : nvt/gb_fedora_2010_16641_glibc_fc12.nasl
2010-11-16	Name : SuSE Update for glibc SUSE-SA:2010:052 File : nvt/gb_suse_2010_052.nasl
2010-11-04	Name : Fedora Update for glibc FEDORA-2010-16655 File : nvt/gb_fedora_2010_16655_glibc_fc13.nasl
2010-10-26	Name : Fedora Update for glibc FEDORA-2010-16594 File : nvt/gb_fedora_2010_16594_glibc_fc13.nasl
2010-10-26	Name : Ubuntu Update for glibc, eglibc vulnerabilities USN-1009-1 File : nvt/gb_ubuntu_USN_1009_1.nasl
2010-10-22	Name : RedHat Update for glibc RHSA-2010:0787-01 File : nvt/gb_RHSA-2010_0787-01_glibc.nasl
2010-10-22	Name : Mandriva Update for glibc MDVSA-2010:207 (glibc) File : nvt/gb_mandriva_MDVSA_2010_207.nasl
0000-00-00	Name : Slackware Advisory SSA:2010-295-01 glibc File : nvt/esoft_slk_ssa_2010_295_01.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
68721	GNU C Library Dynamic Linker $ORIGIN Substitution Expansion Weakness Local Pr... The weakness is caused due to dynamic linker expanding the "$ORIGIN" substitution for privileged applications, which can be exploited to gain escalated privileges by e.g. hard linking to a setuid application and forcing the expansion of "$ORIGIN" via "LD_AUDIT".

Nessus® Vulnerability Scanner

Date	Description
2016-03-04	Name : The remote VMware ESX host is missing a security-related patch. File : vmware_VMSA-2011-0010_remote.nasl - Type : ACT_GATHER_INFO
2016-03-04	Name : The remote VMware ESX host is missing a security-related patch. File : vmware_VMSA-2011-0001_remote.nasl - Type : ACT_GATHER_INFO
2015-02-02	Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2015-0023.nasl - Type : ACT_GATHER_INFO
2014-06-13	Name : The remote openSUSE host is missing a security update. File : suse_11_3_glibc-101027.nasl - Type : ACT_GATHER_INFO
2013-12-03	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201312-01.nasl - Type : ACT_GATHER_INFO
2013-07-12	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2011-0413.nasl - Type : ACT_GATHER_INFO
2013-07-12	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2011-0412.nasl - Type : ACT_GATHER_INFO
2013-07-12	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2010-0872.nasl - Type : ACT_GATHER_INFO
2013-07-12	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2010-0787.nasl - Type : ACT_GATHER_INFO
2012-08-01	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20101020_glibc_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-08-01	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20101110_glibc_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2012-08-01	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20110404_glibc_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2011-11-28	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2011-178.nasl - Type : ACT_GATHER_INFO
2011-04-15	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2011-0412.nasl - Type : ACT_GATHER_INFO
2011-04-05	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-0412.nasl - Type : ACT_GATHER_INFO
2011-04-05	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-0413.nasl - Type : ACT_GATHER_INFO
2011-01-12	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1009-2.nasl - Type : ACT_GATHER_INFO
2011-01-06	Name : The remote VMware ESX host is missing one or more security-related patches. File : vmware_VMSA-2011-0001.nasl - Type : ACT_GATHER_INFO
2010-12-02	Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_glibc-101025.nasl - Type : ACT_GATHER_INFO
2010-11-24	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2010-0787.nasl - Type : ACT_GATHER_INFO
2010-11-18	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0872.nasl - Type : ACT_GATHER_INFO
2010-11-16	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201011-01.nasl - Type : ACT_GATHER_INFO
2010-11-01	Name : The remote Fedora host is missing a security update. File : fedora_2010-16641.nasl - Type : ACT_GATHER_INFO
2010-10-28	Name : The remote openSUSE host is missing a security update. File : suse_11_1_glibc-101026.nasl - Type : ACT_GATHER_INFO
2010-10-28	Name : The remote openSUSE host is missing a security update. File : suse_11_2_glibc-101027.nasl - Type : ACT_GATHER_INFO
2010-10-28	Name : The remote SuSE 10 host is missing a security-related patch. File : suse_glibc-7201.nasl - Type : ACT_GATHER_INFO
2010-10-24	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1009-1.nasl - Type : ACT_GATHER_INFO
2010-10-24	Name : The remote Fedora host is missing a security update. File : fedora_2010-16594.nasl - Type : ACT_GATHER_INFO
2010-10-24	Name : The remote Debian host is missing a security-related update. File : debian_DSA-2122.nasl - Type : ACT_GATHER_INFO
2010-10-24	Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2010-295-01.nasl - Type : ACT_GATHER_INFO
2010-10-21	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0787.nasl - Type : ACT_GATHER_INFO
2010-10-21	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2010-207.nasl - Type : ACT_GATHER_INFO
2010-10-20	Name : The remote Fedora host is missing a security update. File : fedora_2010-16308.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2016-03-05 13:26:43	Multiple Updates

Global Informations

Type	Count
CWE ID(s)	1
Oval ID(s)	4
CPE ID(s)	99
osvdb(s)	1
ExploitDB Exploit(s)	2
Openvas Exploit(s)	19
Nessus® Exploit(s)	33

	Related
6.9	CVE-2010-3847
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 1 more Alert(s)