The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of glibc: privilege elevation via LD_AUDIT and constructor

Synthesis of the vulnerability 

A local attacker can use the LD_AUDIT variable and the constructor of a system library in order to obtain the privileges of suid/sgid programs.
Vulnerable products: Debian, Fedora, Mandriva Linux, openSUSE, RHEL, Slackware, SLES, ESX.
Severity of this weakness: 2/4.
Creation date: 25/10/2010.
Revision date: 07/11/2014.
References of this bulletin: BID-44347, CERTA-2002-AVI-272, CVE-2010-3856, DSA-2122-1, DSA-2122-2, FEDORA-2010-16641, FEDORA-2010-16655, FEDORA-2010-16851, MDVSA-2010:212, openSUSE-SU-2010:0912-1, openSUSE-SU-2010:0913-1, openSUSE-SU-2010:0914-1, RHSA-2010:0793-01, RHSA-2010:0872-02, SSA:2010-301-01, SUSE-SA:2010:052, VIGILANCE-VUL-10068, VMSA-0001.3, VMSA-2011-0001, VMSA-2011-0001.1, VMSA-2011-0001.2, VMSA-2011-0001.3.

Description of the vulnerability 

The glibc dynamic loader, ld.so, loads shared libraries when a program starts.

The LD_AUDIT environment variable lists audit objects (the link-auditing interface, rtld-audit) that ld.so must load in addition to the program's own libraries.

When a program is suid or sgid, libraries named in LD_AUDIT are only loaded if they reside in a system library directory (such as /lib).

However, the constructors of some libraries in /lib were not written with this privileged context in mind. For example, the constructor of /lib/libpcprofile.so (installed with the glibc package) creates a file whose name is taken from the PCPROFILE_OUTPUT environment variable.

A local attacker can therefore combine the LD_AUDIT variable with the constructor of libpcprofile.so in order to obtain the privileges of suid/sgid programs.
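The root cause described above is a library constructor that honours an environment variable without checking whether the process runs with elevated privileges. The following C example is added here as an illustration and is not code from the bulletin or from glibc: it assumes Linux/glibc (getauxval(3), secure_getenv(3)) and uses a hypothetical variable name EXAMPLE_PROFILE_OUTPUT in place of PCPROFILE_OUTPUT, showing the weak policy beside a hardened one that refuses to act under AT_SECURE.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/auxv.h>

/* Hypothetical variable name, standing in for PCPROFILE_OUTPUT. */
#define PROFILE_ENV "EXAMPLE_PROFILE_OUTPUT"

/* Policy core, kept free of global state so it can be unit-tested.
 * secure_mode is the AT_SECURE flag the kernel sets for suid/sgid (and
 * file-capability) executables; env_value is the variable's content or
 * NULL. The weak pattern trusts env_value unconditionally, which is the
 * defect class the bulletin describes. */
const char *resolve_output_unsafe(int secure_mode, const char *env_value) {
    (void)secure_mode;              /* the bug: privilege is never consulted */
    return env_value;
}

/* Hardened pattern: ignore the environment entirely when privileged, and
 * additionally reject relative paths so the output file can never land in
 * an attacker-chosen working directory. */
const char *resolve_output_safe(int secure_mode, const char *env_value) {
    if (secure_mode || env_value == NULL || env_value[0] != '/')
        return NULL;
    return env_value;
}

/* What a constructor should actually consult: secure_getenv() already
 * returns NULL under AT_SECURE; passing getauxval(AT_SECURE) as well keeps
 * the policy explicit and testable. */
static const char *current_output_path(void) {
    return resolve_output_safe((int)getauxval(AT_SECURE),
                               secure_getenv(PROFILE_ENV));
}

/* Runs whenever this object is loaded, including via LD_AUDIT.
 * O_EXCL | O_NOFOLLOW means an existing file or symlink is never
 * truncated or followed even when the path is honoured. */
__attribute__((constructor)) static void profile_init(void) {
    const char *path = current_output_path();
    if (path == NULL)
        return;                      /* privileged or unset: do nothing */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0)
        close(fd);
}
```

Built as a shared object, this library behaves identically to the weak one for ordinary processes but does nothing when loaded into a suid/sgid program.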

This security bulletin concerns software or systems such as Debian, Fedora, Mandriva Linux, openSUSE, RHEL, Slackware, SLES, ESX.

Our Vigil@nce team determined that the severity of this security advisory is medium.

The trust level is confirmed by the vendor, and the attack origin is a user shell.

A proof of concept or an attack tool is available, so your teams must process this alert. An attacker with beginner-level skills can exploit this vulnerability.

Solutions for this threat 

Debian: new glibc packages.
New packages are available:
  glibc 2.7-18lenny7

Fedora 12: new glibc packages.
New packages are available:
  glibc-2.11.2-3

Fedora: new glibc packages.
New packages are available:
  Fedora 13: glibc-2.12.1-4
  Fedora 14: glibc-2.12.90-18

Mandriva: new glibc packages.
New packages are available:
  Mandriva Linux 2009.0: glibc-2.8-1.20080520.5.7mnb2
  Mandriva Linux 2009.1: glibc-2.9-0.20081113.5.3mnb2
  Mandriva Linux 2010.0: glibc-2.10.1-6.7mnb2
  Mandriva Linux 2010.1: glibc-2.11.1-8.2mnb2
  Mandriva Enterprise Server 5: glibc-2.8-1.20080520.5.7mnb2

openSUSE 11.1: new glibc packages.
New packages are available:
  glibc-2.9-2.13.1

openSUSE 11.2: new glibc packages.
New packages are available:
  glibc-2.10.1-10.9.1

openSUSE 11.3: new glibc packages.
New packages are available:
  glibc-2.11.2-3.3.1

RHEL 5: new glibc packages.
New packages are available:
  glibc-2.5-49.el5_5.7

RHEL 6.0: new glibc packages (15/11/2010).
New packages are available:
  glibc-2.12-1.7.el6_0.3

Slackware: new glibc packages.
New packages are available:
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/glibc-2.5-i486-6_slack12.0.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/glibc-2.7-i486-12_slack12.1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/glibc-2.7-i486-19_slack12.2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/glibc-2.9-i486-5_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/glibc-2.11.1-i486-5_slack13.1.txz

SLE: new glibc packages.
New packages are available, as indicated in information sources.

VMware ESX: patch for Service Console.
A patch is available:
ESX 4.0:
  https://hostupdate.vmware.com/software/VUM/OFFLINE/release-257-20101231-664659/ESX400-201101001.zip
  http://kb.vmware.com/kb/1029426
ESX 4.1 - Patch:
  https://hostupdate.vmware.com/software/VUM/OFFLINE/release-275-20110420-062017/ESX410-201104001.zip
  http://kb.vmware.com/kb/1035110
ESX 4.1 - Update 1:
  https://hostupdate.vmware.com/software/VUM/OFFLINE/release-259-20110127-527075/update-from-esx4.1-4.1_update01.zip
  http://kb.vmware.com/kb/1029353