Vulnerabilities > CVE-2010-3856 - Permissions, Privileges, and Access Controls vulnerability in GNU Glibc
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
ld.so in the GNU C Library (aka glibc or libc6) before 2.11.3, and 2.12.x before 2.12.2, does not properly restrict use of the LD_AUDIT environment variable to reference dynamic shared objects (DSOs) as audit objects, which allows local users to gain privileges by leveraging an unsafe DSO located in a trusted library directory, as demonstrated by libpcprofile.so.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Accessing, Modifying or Executing Executable Files An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
- Leverage Executable Code in Non-Executable Files An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
- Blue Boxing This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.
- Restful Privilege Elevation Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
- Target Programs with Elevated Privileges This attack targets programs running with elevated privileges. The attacker would try to leverage a bug in the running program and get arbitrary code to execute with elevated privileges. For instance an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. The malicious user try to execute its code at the same level as a privileged system call.
Exploit-Db
description glibc - 'LD_AUDIT' Arbitrary DSO Load Privilege Escalation (Metasploit). CVE-2010-3847,CVE-2010-3856. Local exploit for Linux platform. Tags: Metasploit Fram... file exploits/linux/local/44025.rb id EDB-ID:44025 last seen 2018-02-12 modified 2018-02-12 platform linux port published 2018-02-12 reporter Exploit-DB source https://www.exploit-db.com/download/44025/ title glibc - 'LD_AUDIT' Arbitrary DSO Load Privilege Escalation (Metasploit) type local description glibc LD_AUDIT arbitrary DSO - Load Privilege Escalation. CVE-2010-3856. Local exploit for linux platform id EDB-ID:18105 last seen 2016-02-02 modified 2011-11-10 published 2011-11-10 reporter zx2c4 source https://www.exploit-db.com/download/18105/ title glibc LD_AUDIT arbitrary DSO - Load Privilege Escalation description GNU C library dynamic linker LD_AUDIT arbitrary DSO load Vulnerability. CVE-2010-3856. Local exploit for linux platform id EDB-ID:15304 last seen 2016-02-01 modified 2010-10-22 published 2010-10-22 reporter Tavis Ormandy source https://www.exploit-db.com/download/15304/ title GNU C library dynamic linker LD_AUDIT - Arbitrary DSO Load Vulnerability Local Root
Metasploit
description | This module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker. glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not properly restrict use of the LD_AUDIT environment variable when loading setuid executables. This allows loading arbitrary shared objects from the trusted library search path with the privileges of the suid user. This module uses LD_AUDIT to load the libpcprofile.so shared object, distributed with some versions of glibc, and leverages arbitrary file creation functionality in the library constructor to write a root-owned world-writable file to a system trusted search path (usually /lib). The file is then overwritten with a shared object then loaded with LD_AUDIT resulting in arbitrary code execution. This module has been tested successfully on glibc version 2.11.1 on Ubuntu 10.04 x86_64 and version 2.7 on Debian 5.0.4 i386. RHEL 5 is reportedly affected, but untested. Some glibc distributions do not contain the libpcprofile.so library required for successful exploitation. |
id | MSF:EXPLOIT/LINUX/LOCAL/GLIBC_LD_AUDIT_DSO_LOAD_PRIV_ESC |
last seen | 2020-05-21 |
modified | 2019-01-10 |
published | 2018-01-28 |
references |
|
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/glibc_ld_audit_dso_load_priv_esc.rb |
title | glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation |
Nessus
NASL family Misc. NASL id VMWARE_VMSA-2011-0001_REMOTE.NASL description The remote VMware ESX host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including arbitrary code execution vulnerabilities, in several third-party components and libraries : - glibc - glibc-common - nscd - openldap - sudo last seen 2020-06-01 modified 2020-06-02 plugin id 89673 published 2016-03-04 reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/89673 title VMware ESX Third-Party Libraries Multiple Vulnerabilities (VMSA-2011-0001) (remote check) NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2011-0001.NASL description a. Service Console update for glibc The service console packages glibc, glibc-common, and nscd are each updated to version 2.5-34.4908.vmw. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-3847 and CVE-2010-3856 to the issues addressed in this update. b. Service Console update for sudo The service console package sudo is updated to version 1.7.2p1-8.el5_5. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-2956 to the issue addressed in this update. c. Service Console update for openldap The service console package openldap is updated to version 2.3.43-12.el5_5.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-0211 and CVE-2010-0212 to the issues addressed in this update. last seen 2020-06-01 modified 2020-06-02 plugin id 51422 published 2011-01-06 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/51422 title VMSA-2011-0001 : VMware ESX third-party updates for Service Console packages glibc, sudo, and openldap NASL family SuSE Local Security Checks NASL id SUSE_GLIBC-7201.NASL description Several security issues were fixed : - Decoding of the $ORIGIN special value in various LD_ environment variables allowed local attackers to execute code in context of e.g. setuid root programs, elevating privileges. This issue does not affect SUSE as an assertion triggers before the respective code is executed. The bug was fixed nevertheless. (CVE-2010-3847) - The LD_AUDIT environment was not pruned during setuid root execution and could load shared libraries from standard system library paths. This could be used by local attackers to inject code into setuid root programs and so elevated privileges. (CVE-2010-3856) - Integer overflow causing arbitrary code execution in ld.so --verify mode could be induced by a specially crafted binary. (CVE-2010-0830) - The addmntent() function would not escape the newline character properly, allowing the user to insert arbitrary newlines to the /etc/mtab; if the addmntent() is run by a setuid mount binary that does not do extra input checking, this would allow custom entries to be inserted in /etc/mtab. (CVE-2010-0296) - The strfmon() function contains an integer overflow vulnerability in width specifiers handling that could be triggered by an attacker that can control the format string passed to strfmon(). (CVE-2008-1391) - Some setups (mainly Solaris-based legacy setups) include shadow information (password hashes) as so-called last seen 2020-06-01 modified 2020-06-02 plugin id 50377 published 2010-10-28 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/50377 title SuSE 10 Security Update : glibc (ZYPP Patch Number 7201) NASL family SuSE Local Security Checks NASL id SUSE_11_GLIBC-101025.NASL description This update of glibc fixes various bugs and security issues : - Decoding of the $ORIGIN special value in various LD_ environment variables allowed local attackers to execute code in context of e.g. setuid root programs, elevating privileges. This issue does not affect SUSE as an assertion triggers before the respective code is executed. The bug was fixed nevertheless. (CVE-2010-3847) - The LD_AUDIT environment was not pruned during setuid root execution and could load shared libraries from standard system library paths. This could be used by local attackers to inject code into setuid root programs and so elevated privileges. (CVE-2010-3856) - Integer overflow causing arbitrary code execution in ld.so --verify mode could be induced by a specially crafted binary. (CVE-2010-0830) - The addmntent() function would not escape the newline character properly, allowing the user to insert arbitrary newlines to the /etc/mtab; if the addmntent() is run by a setuid mount binary that does not do extra input checking, this would allow custom entries to be inserted in /etc/mtab. (CVE-2010-0296) - The strfmon() function contains an integer overflow vulnerability in width specifiers handling that could be triggered by an attacker that can control the format string passed to strfmon(). (CVE-2008-1391) - Some setups (mainly Solaris-based legacy setups) include shadow information (password hashes) as so-called last seen 2020-06-01 modified 2020-06-02 plugin id 50912 published 2010-12-02 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/50912 title SuSE 11 / 11.1 Security Update : glibc (SAT Patch Numbers 3392 / 3393) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2010-0872.NASL description Updated glibc packages that fix two security issues and two bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. It was discovered that the glibc dynamic linker/loader did not handle the $ORIGIN dynamic string token set in the LD_AUDIT environment variable securely. A local attacker with write access to a file system containing setuid or setgid binaries could use this flaw to escalate their privileges. (CVE-2010-3847) It was discovered that the glibc dynamic linker/loader did not perform sufficient safety checks when loading dynamic shared objects (DSOs) to provide callbacks for its auditing API during the execution of privileged programs. A local attacker could use this flaw to escalate their privileges via a carefully-chosen system DSO library containing unsafe constructors. (CVE-2010-3856) Red Hat would like to thank Tavis Ormandy for reporting the CVE-2010-3847 issue, and Ben Hawkes and Tavis Ormandy for reporting the CVE-2010-3856 issue. This update also fixes the following bugs : * Previously, the generic implementation of the strstr() and memmem() functions did not handle certain periodic patterns correctly and could find a false positive match. This error has been fixed, and both functions now work as expected. (BZ#643341) * The last seen 2020-06-01 modified 2020-06-02 plugin id 50640 published 2010-11-18 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/50640 title RHEL 6 : glibc (RHSA-2010:0872) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2010-0793.NASL description Updated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. It was discovered that the glibc dynamic linker/loader did not perform sufficient safety checks when loading dynamic shared objects (DSOs) to provide callbacks for its auditing API during the execution of privileged programs. A local attacker could use this flaw to escalate their privileges via a carefully-chosen system DSO library containing unsafe constructors. (CVE-2010-3856) Red Hat would like to thank Ben Hawkes and Tavis Ormandy for reporting this issue. All users should upgrade to these updated packages, which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 50798 published 2010-11-24 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/50798 title CentOS 5 : glibc (CESA-2010:0793) NASL family Fedora Local Security Checks NASL id FEDORA_2010-16655.NASL description Require suid bit on audit objects in privileged programs (CVE-2010-3856) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 50399 published 2010-10-29 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/50399 title Fedora 13 : glibc-2.12.1-4 (2010-16655) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2010-301-01.NASL description New glibc packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1, and -current to fix a security issue. last seen 2020-06-01 modified 2020-06-02 plugin id 50388 published 2010-10-29 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/50388 title Slackware 12.0 / 12.1 / 12.2 / 13.0 / 13.1 / current : glibc (SSA:2010-301-01) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2010-0872.NASL description From Red Hat Security Advisory 2010:0872 : Updated glibc packages that fix two security issues and two bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. It was discovered that the glibc dynamic linker/loader did not handle the $ORIGIN dynamic string token set in the LD_AUDIT environment variable securely. A local attacker with write access to a file system containing setuid or setgid binaries could use this flaw to escalate their privileges. (CVE-2010-3847) It was discovered that the glibc dynamic linker/loader did not perform sufficient safety checks when loading dynamic shared objects (DSOs) to provide callbacks for its auditing API during the execution of privileged programs. A local attacker could use this flaw to escalate their privileges via a carefully-chosen system DSO library containing unsafe constructors. (CVE-2010-3856) Red Hat would like to thank Tavis Ormandy for reporting the CVE-2010-3847 issue, and Ben Hawkes and Tavis Ormandy for reporting the CVE-2010-3856 issue. This update also fixes the following bugs : * Previously, the generic implementation of the strstr() and memmem() functions did not handle certain periodic patterns correctly and could find a false positive match. This error has been fixed, and both functions now work as expected. (BZ#643341) * The last seen 2020-06-01 modified 2020-06-02 plugin id 68141 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68141 title Oracle Linux 6 : glibc (ELSA-2010-0872) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1009-2.NASL description USN-1009-1 fixed vulnerabilities in the GNU C library. Colin Watson discovered that the fixes were incomplete and introduced flaws with setuid programs loading libraries that used dynamic string tokens in their RPATH. If the last seen 2020-06-01 modified 2020-06-02 plugin id 51501 published 2011-01-12 reporter Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/51501 title Ubuntu 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : eglibc, glibc vulnerability (USN-1009-2) NASL family SuSE Local Security Checks NASL id SUSE_11_2_GLIBC-101027.NASL description This update of glibc fixes various bugs and security issues : CVE-2010-3847: Decoding of the $ORIGIN special value in various LD_ environment variables allowed local attackers to execute code in context of e.g. setuid root programs, elevating privileges. This issue does not affect SUSE as an assertion triggers before the respective code is executed. The bug was fixed nevertheless. CVE-2010-3856: The LD_AUDIT environment was not pruned during setuid root execution and could load shared libraries from standard system library paths. This could be used by local attackers to inject code into setuid root programs and so elevated privileges. CVE-2010-0830: Integer overflow causing arbitrary code execution in ld.so --verify mode could be induced by a specially crafted binary. CVE-2010-0296: The addmntent() function would not escape the newline character properly, allowing the user to insert arbitrary newlines to the /etc/mtab; if the addmntent() is run by a setuid mount binary that does not do extra input checking, this would allow custom entries to be inserted in /etc/mtab. CVE-2008-1391: The strfmon() function contains an integer overflow vulnerability in width specifiers handling that could be triggered by an attacker that can control the format string passed to strfmon(). last seen 2020-06-01 modified 2020-06-02 plugin id 50373 published 2010-10-28 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/50373 title openSUSE Security Update : glibc (openSUSE-SU-2010:0913-1) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2010-0793.NASL description From Red Hat Security Advisory 2010:0793 : Updated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. It was discovered that the glibc dynamic linker/loader did not perform sufficient safety checks when loading dynamic shared objects (DSOs) to provide callbacks for its auditing API during the execution of privileged programs. A local attacker could use this flaw to escalate their privileges via a carefully-chosen system DSO library containing unsafe constructors. (CVE-2010-3856) Red Hat would like to thank Ben Hawkes and Tavis Ormandy for reporting this issue. All users should upgrade to these updated packages, which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 68126 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68126 title Oracle Linux 5 : glibc (ELSA-2010-0793) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2010-0793.NASL description Updated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The glibc packages contain the standard C libraries used by multiple programs on the system. These packages contain the standard C and the standard math libraries. Without these two libraries, a Linux system cannot function properly. It was discovered that the glibc dynamic linker/loader did not perform sufficient safety checks when loading dynamic shared objects (DSOs) to provide callbacks for its auditing API during the execution of privileged programs. A local attacker could use this flaw to escalate their privileges via a carefully-chosen system DSO library containing unsafe constructors. (CVE-2010-3856) Red Hat would like to thank Ben Hawkes and Tavis Ormandy for reporting this issue. All users should upgrade to these updated packages, which contain a backported patch to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 50341 published 2010-10-26 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/50341 title RHEL 5 : glibc (RHSA-2010:0793) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2122.NASL description Ben Hawkes and Tavis Ormandy discovered that the dynamic loader in GNU libc allows local users to gain root privileges using a crafted LD_AUDIT environment variable. last seen 2020-06-01 modified 2020-06-02 plugin id 50309 published 2010-10-24 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/50309 title Debian DSA-2122-1 : glibc - missing input sanitization NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1009-1.NASL description Tavis Ormandy discovered multiple flaws in the GNU C Library last seen 2020-06-01 modified 2020-06-02 plugin id 50318 published 2010-10-24 reporter Ubuntu Security Notice (C) 2010-2019 Canonical, Inc. / NASL script (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/50318 title Ubuntu 8.04 LTS / 9.04 / 9.10 / 10.04 LTS / 10.10 : glibc, eglibc vulnerabilities (USN-1009-1) NASL family SuSE Local Security Checks NASL id SUSE_11_1_GLIBC-101026.NASL description This update of glibc fixes various bugs and security issues : CVE-2010-3847: Decoding of the $ORIGIN special value in various LD_ environment variables allowed local attackers to execute code in context of e.g. setuid root programs, elevating privileges. This issue does not affect SUSE as an assertion triggers before the respective code is executed. The bug was fixed nevertheless. CVE-2010-3856: The LD_AUDIT environment was not pruned during setuid root execution and could load shared libraries from standard system library paths. This could be used by local attackers to inject code into setuid root programs and so elevated privileges. CVE-2010-0830: Integer overflow causing arbitrary code execution in ld.so --verify mode could be induced by a specially crafted binary. CVE-2010-0296: The addmntent() function would not escape the newline character properly, allowing the user to insert arbitrary newlines to the /etc/mtab; if the addmntent() is run by a setuid mount binary that does not do extra input checking, this would allow custom entries to be inserted in /etc/mtab. CVE-2008-1391: The strfmon() function contains an integer overflow vulnerability in width specifiers handling that could be triggered by an attacker that can control the format string passed to strfmon(). CVE-2010-0015: Some setups (mainly Solaris-based legacy setups) include shadow information (password hashes) as so-called last seen 2020-06-01 modified 2020-06-02 plugin id 50367 published 2010-10-28 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/50367 title openSUSE Security Update : glibc (openSUSE-SU-2010:0914-1) NASL family Fedora Local Security Checks NASL id FEDORA_2010-16641.NASL description - Correct x86 CPU family and model check (BZ#11640, #596554) - Don last seen 2020-06-01 modified 2020-06-02 plugin id 50421 published 2010-11-01 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/50421 title Fedora 12 : glibc-2.11.2-3 (2010-16641) NASL family Scientific Linux Local Security Checks NASL id SL_20101110_GLIBC_ON_SL6_X.NASL description It was discovered that the glibc dynamic linker/loader did not handle the $ORIGIN dynamic string token set in the LD_AUDIT environment variable securely. A local attacker with write access to a file system containing setuid or setgid binaries could use this flaw to escalate their privileges. (CVE-2010-3847) It was discovered that the glibc dynamic linker/loader did not perform sufficient safety checks when loading dynamic shared objects (DSOs) to provide callbacks for its auditing API during the execution of privileged programs. A local attacker could use this flaw to escalate their privileges via a carefully-chosen system DSO library containing unsafe constructors. (CVE-2010-3856) This update also fixes the following bugs : - Previously, the generic implementation of the strstr() and memmem() functions did not handle certain periodic patterns correctly and could find a false positive match. This error has been fixed, and both functions now work as expected. (BZ#643341) - The last seen 2020-06-01 modified 2020-06-02 plugin id 60891 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60891 title Scientific Linux Security Update : glibc on SL6.x i386/x86_64 NASL family Fedora Local Security Checks NASL id FEDORA_2010-16851.NASL description Require suid bit on audit objects in privileged programs (CVE-2010-3856) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 50401 published 2010-10-29 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/50401 title Fedora 14 : glibc-2.12.90-18 (2010-16851) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2010-212.NASL description A vulnerability in the GNU C library (glibc) was discovered which could escalate the privilegies for local users (CVE-2010-3856). Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149&products_id=4 90 The updated packages have been patched to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 50321 published 2010-10-25 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/50321 title Mandriva Linux Security Advisory : glibc (MDVSA-2010:212) NASL family SuSE Local Security Checks NASL id SUSE_11_3_GLIBC-101027.NASL description This update of glibc fixes two bugs and security issues : CVE-2010-3847: Decoding of the $ORIGIN special value in various LD_ environment variables allowed local attackers to execute code in context of e.g. setuid root programs, elevating privileges. This issue does not affect SUSE as an assertion triggers before the respective code is executed. The bug was fixed nevertheless. CVE-2010-3856: The LD_AUDIT environment was not pruned during setuid root execution and could load shared libraries from standard system library paths. This could be used by local attackers to inject code into setuid root programs and so elevated privileges. last seen 2020-06-01 modified 2020-06-02 plugin id 75518 published 2014-06-13 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75518 title openSUSE Security Update : glibc (openSUSE-SU-2010:0912-1) NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0012_GLIBC.NASL description The remote NewStart CGSL host, running version MAIN 5.04, has glibc packages installed that are affected by multiple vulnerabilities: - elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of $ORIGIN for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory. (CVE-2010-3847) - ld.so in the GNU C Library (aka glibc or libc6) before 2.11.3, and 2.12.x before 2.12.2, does not properly restrict use of the LD_AUDIT environment variable to reference dynamic shared objects (DSOs) as audit objects, which allows local users to gain privileges by leveraging an unsafe DSO located in a trusted library directory, as demonstrated by libpcprofile.so. (CVE-2010-3856) - Integer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a heap-based buffer overflow. (CVE-2012-4412) - Stack-based buffer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string that triggers a malloc failure and use of the alloca function. (CVE-2012-4424) - A flaw was found in the regular expression matching routines that process multibyte character input. If an application utilized the glibc regular expression matching mechanism, an attacker could provide specially- crafted input that, when processed, would cause the application to crash. (CVE-2013-0242) - It was found that getaddrinfo() did not limit the amount of stack memory used during name resolution. An attacker able to make an application resolve an attacker- controlled hostname or IP address could possibly cause the application to exhaust all stack memory and crash. (CVE-2013-1914, CVE-2013-4458) - pt_chown in GNU C Library (aka glibc or libc6) before 2.18 does not properly check permissions for tty files, which allows local users to change the permission on the files and obtain access to arbitrary pseudo-terminals by leveraging a FUSE file system. (CVE-2013-2207) - An out-of-bounds write flaw was found in the way the glibc last seen 2020-06-01 modified 2020-06-02 plugin id 127161 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127161 title NewStart CGSL MAIN 5.04 : glibc Multiple Vulnerabilities (NS-SA-2019-0012) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201011-01.NASL description The remote host is affected by the vulnerability described in GLSA-201011-01 (GNU C library: Multiple vulnerabilities) Multiple vulnerabilities were found in glibc, amongst others the widely-known recent LD_AUDIT and $ORIGIN issues. For further information please consult the CVE entries referenced below. Impact : A local attacker could execute arbitrary code as root, cause a Denial of Service, or gain privileges. Additionally, a user-assisted remote attacker could cause the execution of arbitrary code, and a context-dependent attacker could cause a Denial of Service. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 50605 published 2010-11-16 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/50605 title GLSA-201011-01 : GNU C library: Multiple vulnerabilities NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2015-0023.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - Switch to use malloc when the input line is too long [Orabug 19951108] - Use a /sys/devices/system/cpu/online for _SC_NPROCESSORS_ONLN implementation [Orabug 17642251] (Joe Jin) - Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183532). - Remove gconv transliteration loadable modules support (CVE-2014-5119, - _nl_find_locale: Improve handling of crafted locale names (CVE-2014-0475, - Fix patch for integer overflows in *valloc and memalign. (CVE-2013-4332, #1011805). - Fix return code when starting an already started nscd daemon (#979413). - Fix getnameinfo for many PTR record queries (#1020486). - Return EINVAL error for negative sizees to getgroups (#995207). - Fix integer overflows in *valloc and memalign. (CVE-2013-4332, #1011805). - Add support for newer L3 caches on x86-64 and correctly count the number of hardware threads sharing a cacheline (#1003420). - Revert incomplete fix for bug #758193. - Fix _nl_find_msg malloc failure case, and callers (#957089). - Test on init_fct, not result->__init_fct, after demangling (#816647). - Don last seen 2020-06-01 modified 2020-06-02 plugin id 81118 published 2015-02-02 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/81118 title OracleVM 3.2 : glibc (OVMSA-2015-0023) (GHOST)
Packetstorm
data source https://packetstormsecurity.com/files/download/146975/glibc_ld_audit_dso_libmemusage.rb.txt id PACKETSTORM:146975 last seen 2018-03-31 published 2018-03-30 reporter Marco Ivaldi source https://packetstormsecurity.com/files/146975/glibc-LD_AUDIT-libmemusage.so-RHEL-Based-Arbitrary-DSO-Load-Privilege-Escalation.html title glibc LD_AUDIT libmemusage.so RHEL-Based Arbitrary DSO Load Privilege Escalation data source https://packetstormsecurity.com/files/download/128998/glibc-libpcprofile-1x-2x.sh.txt id PACKETSTORM:128998 last seen 2016-12-05 published 2014-11-06 reporter Saeid Bostandoust source https://packetstormsecurity.com/files/128998/GNU-libc-2.12.1-LD_AUDIT-libpcprofile.so-Local-Root.html title GNU libc 2.12.1 LD_AUDIT libpcprofile.so Local Root data source https://packetstormsecurity.com/files/download/95236/linuxwebshell-remoteroot.txt id PACKETSTORM:95236 last seen 2016-12-05 published 2010-10-28 reporter jmit source https://packetstormsecurity.com/files/95236/Debian-5.0.6-Ubuntu-10.04-Webshell-To-Remote-Root.html title Debian 5.0.6 / Ubuntu 10.04 Webshell To Remote Root data source https://packetstormsecurity.com/files/download/153278/SA-20190612-0.txt id PACKETSTORM:153278 last seen 2019-06-17 published 2019-06-13 reporter T. Weber source https://packetstormsecurity.com/files/153278/WAGO-852-Industrial-Managed-Switch-Series-Code-Execution-Hardcoded-Credentials.html title WAGO 852 Industrial Managed Switch Series Code Execution / Hardcoded Credentials data source https://packetstormsecurity.com/files/download/106817/ldaudit-escalate.txt id PACKETSTORM:106817 last seen 2016-12-05 published 2011-11-10 reporter zx2c4 source https://packetstormsecurity.com/files/106817/glibc-LD_AUDIT-Privilege-Escalation.html title glibc LD_AUDIT Privilege Escalation data source https://packetstormsecurity.com/files/download/95098/gnuc-dlopen.txt id PACKETSTORM:95098 last seen 2016-12-05 published 2010-10-22 reporter Tavis Ormandy source https://packetstormsecurity.com/files/95098/GNU-C-Library-Dynamic-Linker-Arbitrary-DSO-dlopen.html title GNU C Library Dynamic Linker Arbitrary DSO dlopen data source https://packetstormsecurity.com/files/download/146337/glibc_ld_audit_dso_load_priv_esc.rb.txt id PACKETSTORM:146337 last seen 2018-02-15 published 2018-02-10 reporter Marco Ivaldi source https://packetstormsecurity.com/files/146337/glibc-LD_AUDIT-Arbitrary-DSO-Load-Privilege-Escalation.html title glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation data source https://packetstormsecurity.com/files/download/128999/glibc-libmemusage-1x-2x.sh.txt id PACKETSTORM:128999 last seen 2016-12-05 published 2014-11-06 reporter Saeid Bostandoust source https://packetstormsecurity.com/files/128999/GNU-libc-2.12.1-LD_AUDIT-libmemusage.so-Local-Root.html title GNU libc 2.12.1 LD_AUDIT libmemusage.so Local Root data source https://packetstormsecurity.com/files/download/121676/DSO_libmemusage.sh.txt id PACKETSTORM:121676 last seen 2016-12-05 published 2013-05-17 reporter Todor Donev source https://packetstormsecurity.com/files/121676/Glibc-2.11.3-2.12.x-LD_AUDIT-libmemusage.so-Local-Root.html title Glibc 2.11.3 / 2.12.x LD_AUDIT libmemusage.so Local Root
Redhat
advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
rpms |
|
Seebug
bulletinFamily exploit description No description provided by source. id SSV:70046 last seen 2017-11-19 modified 2014-07-01 published 2014-07-01 reporter Root source https://www.seebug.org/vuldb/ssvid-70046 title GNU C library dynamic linker LD_AUDIT arbitrary DSO load Vulnerability bulletinFamily exploit description No description provided by source. id SSV:72321 last seen 2017-11-19 modified 2014-07-01 published 2014-07-01 reporter Root source https://www.seebug.org/vuldb/ssvid-72321 title glibc LD_AUDIT arbitrary DSO load Privilege Escalation
References
- http://sourceware.org/ml/libc-hacker/2010-10/msg00010.html
- http://seclists.org/fulldisclosure/2010/Oct/344
- https://bugzilla.redhat.com/show_bug.cgi?id=645672
- http://www.vmware.com/security/advisories/VMSA-2011-0001.html
- https://rhn.redhat.com/errata/RHSA-2010-0793.html
- http://www.vupen.com/english/advisories/2011/0025
- http://www.ubuntu.com/usn/USN-1009-1
- http://www.redhat.com/support/errata/RHSA-2010-0872.html
- http://www.debian.org/security/2010/dsa-2122
- http://secunia.com/advisories/42787
- http://www.securityfocus.com/bid/44347
- http://security.gentoo.org/glsa/glsa-201011-01.xml
- http://support.avaya.com/css/P8/documents/100121017
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:212
- https://lists.opensuse.org/opensuse-security-announce/2010-10/msg00007.html
- https://www.exploit-db.com/exploits/44025/
- http://www.securityfocus.com/archive/1/515545/100/0/threaded
- http://seclists.org/fulldisclosure/2019/Jun/18
- https://seclists.org/bugtraq/2019/Jun/14
- http://packetstormsecurity.com/files/153278/WAGO-852-Industrial-Managed-Switch-Series-Code-Execution-Hardcoded-Credentials.html
- http://www.openwall.com/lists/oss-security/2023/07/19/9
- http://seclists.org/fulldisclosure/2023/Jul/31
- http://www.openwall.com/lists/oss-security/2023/07/20/1
- http://packetstormsecurity.com/files/173661/OpenSSH-Forwarded-SSH-Agent-Remote-Code-Execution.html