Vigil@nce - glibc: privilege elevation via ORIGIN
April 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can use the LD_AUDIT, PATH or RPATH variable
together with $ORIGIN to obtain the privileges of suid/sgid programs.
Severity: 2/4
Creation date: 12/04/2011
IMPACTED PRODUCTS
– Red Hat Enterprise Linux
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The VIGILANCE-VUL-10050 (https://vigilance.fr/tree/1/10050) and
VIGILANCE-VUL-10324 (https://vigilance.fr/tree/1/10324) bulletins
describe three vulnerabilities related to the LD_AUDIT, PATH and
RPATH environment variables.
However, the patches for these vulnerabilities empty the variable if
it contains $ORIGIN. As a result, libraries are searched for in the
current directory, which can contain malicious libraries.
A local attacker can therefore use the LD_AUDIT, PATH or RPATH
variable together with $ORIGIN to obtain the privileges of suid/sgid
programs.
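The following check is an added example, not part of the original bulletin: it reads the output of `readelf -d` for a suid/sgid binary and flags RPATH/RUNPATH elements that are empty, relative or contain $ORIGIN, since those resolve to the current directory or to the binary's location. The function names and the sample output are constructed for illustration, and the check covers only the paths stored in the binary, not the environment variables.

```python
import re

# Matches the RPATH / RUNPATH lines printed by `readelf -d <binary>`.
_DYN_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library (?:rpath|runpath): \[(.*)\]")


def risky_elements(search_path):
    """Return (element, reason) pairs for entries of a colon-separated
    library search path that a suid/sgid program should not rely on."""
    findings = []
    for elem in search_path.split(":"):
        if elem == "":
            # An emptied value or empty element is searched as the current
            # directory, which is the case this bulletin describes.
            findings.append((elem, "empty element: searched as the current directory"))
        elif "$ORIGIN" in elem or "${ORIGIN}" in elem:
            findings.append((elem, "$ORIGIN: depends on where the binary is located"))
        elif not elem.startswith("/"):
            findings.append((elem, "relative path: resolved against the current directory"))
    return findings


def audit_readelf(output):
    """Map each RPATH/RUNPATH tag found in `readelf -d` output to its risky elements."""
    report = {}
    for tag, value in _DYN_RE.findall(output):
        found = risky_elements(value)
        if found:
            report.setdefault(tag, []).extend(found)
    return report


# Constructed sample of `readelf -d` output (not taken from a real binary).
SAMPLE = """\
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: [$ORIGIN/../lib:/usr/lib]
 0x000000000000001d (RUNPATH)            Library runpath: [/opt/app/lib::plugins]
"""

if __name__ == "__main__":
    for tag, items in audit_readelf(SAMPLE).items():
        for elem, reason in items:
            print(f"{tag}: {elem!r} -> {reason}")
```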
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/glibc-privilege-elevation-via-ORIGIN-10537