Search
Contactez-nous Suivez-nous sur Twitter En francais English Language
 

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN

Vulnérabilités

Unsubscribe

Subscribe











Security Vulnerability

Vigil@nce: GNU Libtool, code execution

December 2009 by Vigil@nce

In some cases, GNU Libtool loads a static library located in the current directory.

Severity: 2/4

Consequences: user access/rights

Provenance: user shell

Means of attack: 1 attack

Ability of attacker: technician (2/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: high (3/3)

Creation date: 22/12/2009

IMPACTED PRODUCTS

- Fedora
- Mandriva Corporate
- Mandriva Enterprise Server
- Mandriva Linux
- Mandriva Multi Network Firewall
- Red Hat Enterprise Linux
- Unix - plateform

DESCRIPTION OF THE VULNERABILITY

Dynamic libraries are loaded by dlopen().

The ltdl (Libtool Dynamic Module Loader) is provided by GNU Libtool to load libraries. It is called by functions lt_dlopen() and lt_dlopenext().

The ltdl uses files with a ".la" extension to indicate information on a library. For example:
dlname=’my-lib.so.1’
library_names=’my-lib.so.1.0 my-lib.so.1’
old_library=’my-lib.a’
The value of "old_library" indicates the name of the static library.

When a program calls:

- lt_dlopen/lt_dlopenext("/absolute/path/my-lib.so") : there is no vulnerability
- lt_dlopen/lt_dlopenext("my-lib.so") : there is no vulnerability
- lt_dlopen/lt_dlopenext("/absolute/path/my-lib.la"), and if the /absolute/path/my-lib.la file contains old_library=’my-lib.a’ : there is a vulnerability
- lt_dlopen/lt_dlopenext("my-lib.la"), and if the attacker can create the my-lib.la file in the current directory, containing old_library=’my-lib.a’ : there is a vulnerability
- lt_dlopenext("/absolute/path/my-lib"), and if the /absolute/path/my-lib.la file contains old_library=’my-lib.a’ : there is a vulnerability
- lt_dlopenext("my-lib"), and if the attacker can create the my-lib.la file in the current directory, containing old_library=’my-lib.a’ : there is a vulnerability In the 4 indicated cases, ltdl tries to open the my-lib.a file in the current directory.

A local attacker can therefore, if necessary create my-lib.la, and create my-lib.a, in the current directory of a user. The attacker can then invite the victim to run the program, so the malicious code of my-lib.a runs with his privileges.

CHARACTERISTICS

Identifiers: 537941, BID-37128, CVE-2009-3736, FEDORA-2009-12725, MDVA-2009:253, MDVSA-2009:307, MDVSA-2009:307-1, MDVSA-2009:318, RHSA-2009:1646-01, VIGILANCE-VUL-9308

http://vigilance.fr/vulnerability/G...


See previous articles

    

See next articles

Last events

Thanks to all of our sponsors

The readers of our magazine are CIOs, IT security managers, IT Directors and other security professionals.
Thanks to all of our sponsors
- GOLD SPONSOR


    

See all events

Toutes nos news en Francais











Your podcast Here

New, you can have your Podcast here. Contact us for more information ask:
Marc Brami
Phone: +33 1 40 92 05 55
Mail: ipsimp@free.fr

All new podcasts

 
News Files Security Vulnerability Malware Update Diary Guide & Podcast Jobs TRAINING Contact About Mentions légales S'identifier ADMIN

Global Security Mag Copyright 2011