Bug 645672 (CVE-2010-3856)

Summary: CVE-2010-3856 glibc: ld.so arbitrary DSO loading via LD_AUDIT in setuid/setgid programs
Product: [Other] Security Response Reporter: Petr Matousek <pmatouse>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: bob69xxx, csieh, ebachalo, fweimer, jakub, jeder, jlieskov, kent, nixon, rcvalle, rdassen, roland, schwab, security-response-team, tru
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: public=20101022,reported=20101021,source=vendor-sec,impact=important,cvss2=7.2/AV:L/AC:L/Au:N/C:C/I:C/A:C,rhel-5/glibc=affected,rhel-6/glibc=affected,fedora-all/glibc=affected,cwe=CWE-426
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-11-11 08:12:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 645677, 645678, 645679, 645680, 645875    
Bug Blocks:    

Description Petr Matousek 2010-10-22 08:28:34 UTC
Tavis Ormandy pointed out that glibc does not properly sanitize DSOs that
are loaded using LD_AUDIT facility. Tavis quoted:

  In order to be preloaded during the execution of a privileged program, a
  library must be setuid and in the trusted library search path. This is a
  reasonable design, in order to be loaded a system administrator must brand
  a library as safe before it will be loaded across privilege boundaries.

  This allows developers who design their programs to operate safely while
  running as setuid are able to do so. The same conditions do not apply to
  LD_AUDIT, which will load an arbitrary DSOs, regardless of whether it
  has been designed to operate safely or not.

Tavis found out that by exploiting unsafely designed DSO constructors in
trusted directories it is possible to achieve privilege escalation.

Acknowledgements:

Red Hat would like to thank Ben Hawkes and Tavis Ormandy for reporting this issue.

Comment 12 Petr Matousek 2010-10-22 17:02:38 UTC
Reference:

http://seclists.org/fulldisclosure/2010/Oct/344

Comment 13 Petr Matousek 2010-10-22 18:05:31 UTC
Created glibc tracking bugs for this issue

Affects: fedora-all [bug 645875]

Comment 14 Roberto Yokota 2010-10-22 18:07:56 UTC
Andreas Patch:

http://sourceware.org/ml/libc-hacker/2010-10/msg00010.html

Thanks,

Roberto Yokota

Comment 15 Petr Matousek 2010-10-23 09:40:32 UTC
This issue did not affect the versions of glibc package as shipped with Red Hat Enterprise Linux 3 and 4 as these do not implement Auditing API for the dynamic linker.

Comment 18 errata-xmlrpc 2010-10-25 18:54:32 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0793 https://rhn.redhat.com/errata/RHSA-2010-0793.html

Comment 19 errata-xmlrpc 2010-11-10 18:57:35 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0872 https://rhn.redhat.com/errata/RHSA-2010-0872.html