GNU C dynamic linker privilege escalation updated since 24.10.2010
Published:		26.10.2010
Source:		BUGTRAQ
SecurityVulns ID:		11210
Type:		local
Level:		7/10
Description:		Invalid $ORIGIN processing allows to load user library into suid application.

Affected:		GNU : glibc 2.11
CVE:		CVE-2010-3856 (ld.so in the GNU C Library (aka glibc or libc6) before 2.11.3, and 2.12.x before 2.12.2, does not properly restrict use of the LD_AUDIT environment variable to reference dynamic shared objects (DSOs) as audit objects, which allows local users to gain privileges by leveraging an unsafe DSO located in a trusted library directory, as demonstrated by libpcprofile.so.)
		CVE-2010-3847 (elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of $ORIGIN for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory.)

Original document		Tavis Ormandy, The GNU C library dynamic linker will dlopen arbitrary DSOs during setuid loads. (26.10.2010)
		Tavis Ormandy, The GNU C library dynamic linker expands $ORIGIN in setuid library search path (24.10.2010)

Discuss:

Read or add your comments to this news (0 comments)