Bug 643306 (CVE-2010-3847)

Summary: CVE-2010-3847 glibc: ld.so insecure handling of $ORIGIN in LD_AUDIT for setuid/setgid programs
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: ajb, amyagi, bob69xxx, cody, csieh, ebachalo, fweimer, gowmonster, herrold, jakub, jeder, jlieskov, jszep, kbsingh, kent, luke, mhlavink, mjc, mmello, nixon, pasteur, pep, pneedle, rbinkhor, rcvalle, rdassen, redhat, schwab, security-response-team, sputhenp, steve, vdanen
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-11-11 08:13:12 UTC
Bug Depends On: 643816, 643817, 643818, 643819, 643821, 643822, 643951

Attachments:
  Don't expand DST twice in dl_open (flags: none)
  Never expand $ORIGIN in privileged programs (flags: none)

Description Tomas Hoger 2010-10-15 08:58:02 UTC
Tavis Ormandy pointed out that glibc does not follow the ELF specification's recommendation that $ORIGIN expansion should not be performed for setuid/setgid programs. Tavis quoted:

http://web.archive.org/web/20041026003725/http://www.caldera.com/developers/gabi/2003-12-17/ch5.dynamic.html

  For security, the dynamic linker does not allow use of $ORIGIN substitution
  sequences for set-user and set-group ID programs. For such sequences that
  appear within strings specified by DT_RUNPATH dynamic array entries, the
  specific search path containing the $ORIGIN sequence is ignored (though other
  search paths in the same string are processed). $ORIGIN sequences within a
  DT_NEEDED entry or path passed as a parameter to dlopen() are treated as
  errors. The same restrictions may be applied to processes that have more than
  minimal privileges on systems with installed extended security mechanisms.

Tavis showed that it's possible to escalate privileges by forcing $ORIGIN expansion from LD_AUDIT (which is supposed to be ignored for setuid/setgid binaries, as it is listed in UNSECURE_ENVVARS).

Acknowledgements:

Red Hat would like to thank Tavis Ormandy for reporting this issue.

Comment 20 Tomas Hoger 2010-10-18 11:09:26 UTC
Public now via:
  http://seclists.org/fulldisclosure/2010/Oct/257

For this attack, a local user needs to be able to create a hard link to a setuid or setgid binary in an attacker-controlled directory. Separating setuid binaries and user-writable directories onto different file systems mitigates this issue. Tavis' advisory provides temporary mitigation steps that can be used in cases where such a split is not in place at the moment and cannot be implemented.

The auditing API for the dynamic linker is not implemented in the glibc versions in Red Hat Enterprise Linux 3 and 4. The attack described by Tavis using $ORIGIN in LD_AUDIT does not affect those versions.
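
A check for the file-system separation mitigation described in comment 20, added here as an example and not part of the bug report or Tavis' advisory: it lists setuid/setgid files that sit on the same device as a user-writable directory (a hard link cannot cross devices, so that shared device is the precondition for the hard-link step). It assumes a Linux `stat` that understands `-c %d` (GNU coreutils or BusyBox) and a `find` that supports `-xdev`; the directory lists are assumptions to adjust per host.

```shell
#!/bin/sh
# Added example, not from the bug report: audit the precondition in
# comment 20. A hard link cannot cross filesystems, so a setuid/setgid
# binary is only exposed to the hard-link step if it lives on the same
# device as a directory the attacker can write to.
# Assumes a Linux stat that supports -c %d (GNU coreutils or BusyBox).

# Device number of the filesystem holding $1; fails if $1 does not exist.
fs_dev() {
    stat -c %d "$1" 2>/dev/null
}

# Exit 0 when both paths are on the same filesystem, 1 when they are not,
# and 2 when either path cannot be stat'ed.
same_fs() {
    a=$(fs_dev "$1") || return 2
    b=$(fs_dev "$2") || return 2
    [ "$a" = "$b" ]
}

# Print each setuid/setgid regular file under the given roots that shares
# a filesystem with one of the space-separated writable directories.
# Usage: report_shared_fs "/tmp /var/tmp /home" /usr/bin /usr/sbin
report_shared_fs() {
    writable=$1
    shift
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        while IFS= read -r bin; do
            for dir in $writable; do
                if same_fs "$bin" "$dir"; then
                    printf '%s shares a filesystem with %s\n' "$bin" "$dir"
                fi
            done
        done
    done
}

# Stand-alone run over the usual system binary directories (assumed layout).
report_shared_fs "/tmp /var/tmp /home" /usr/bin /usr/sbin /bin /sbin
```

An empty report means no setuid/setgid file under the scanned roots shares a device with the listed writable directories; any line printed names a binary for which the separation mitigation does not hold.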

Comment 22 Andreas Schwab 2010-10-18 11:30:32 UTC
Created attachment 454089 [details]
Don't expand DST twice in dl_open

Comment 26 Andreas Schwab 2010-10-18 12:14:55 UTC
Created attachment 454096 [details]
Never expand $ORIGIN in privileged programs

Comment 27 Roberto Yokota 2010-10-18 14:45:53 UTC
Andreas,

Is this the definitive fix?

Regards,

Roberto Yokota

Comment 29 Roberto Yokota 2010-10-18 15:11:30 UTC
Thanks, Andreas!

Comment 30 Tomas Hoger 2010-10-18 15:51:44 UTC
Created glibc tracking bugs for this issue

Affects: fedora-all [bug 643951]

Comment 31 Leif Nixon 2010-10-19 14:52:26 UTC
Is Andreas' patch in comment 22 really relevant here?

Comment 32 errata-xmlrpc 2010-10-20 23:27:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0787 https://rhn.redhat.com/errata/RHSA-2010-0787.html

Comment 37 errata-xmlrpc 2010-11-10 18:57:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0872 https://rhn.redhat.com/errata/RHSA-2010-0872.html