Bug 23959 - Some recent glibc security issues affect RH6.x
Some recent glibc security issues affect RH6.x
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: glibc (Show other bugs)
6.1
i386 Linux
high Severity medium
: ---
: ---
Assigned To: Jakub Jelinek
Aaron Brown
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2001-01-13 13:59 EST by Chris Evans
Modified: 2016-11-24 10:19 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2001-01-15 10:12:10 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Chris Evans 2001-01-13 13:59:33 EST
(Bug marked as beta program only in case people at large have not realised
this)

Hi,

Tested with a RH6.1 server with glibc-2.1.3-21 (the update)

Unfortunately I was able to LD_PRELOAD libSegFault.so into the "passwd"
program.
Having set SEGFAULT_OUTPUT_NAME to a victim file, sending "passwd" SIGSEGV
toasted that file!

To quote Solar Designer on the glibc issues:

These are the (instances of) the recently discovered glibc bugs
(here "2.1" means 2.1 to 2.1.3, and "2.2" means 2.1.9x+):

1. LD_PRELOAD works for non-SUID libs even when running SUID/SGID.

This affects both glibc 2.1 and 2.2.  The proven way to abuse this
property is via libSegFault (overwrite any file), but even worse
attacks (providing a root shell directly) are likely to exist.

Fixed in the CVS.

2. LD_PROFILE uses a file in /var/tmp even when running SUID/SGID.

Both 2.1 and 2.2.  The file is unsafely created and later mmap'ed
for processing.  There're memory writes with addresses calculated
from data in the file, with no bounds checking.  Thus, it definitely
is possible to overwrite files with this, and it might be possible to
get a root shell via this vulnerability directly.

Fixed in the CVS by moving the profiling files to /var/profile (which
should only be created if the feature is desired) for the SUID/SGID
case.  /var/tmp is still used for non-SUID/SGID programs if run with
LD_PROFILE set, which I dislike, but this is only a minor problem.

3. SEGFAULT_OUTPUT_NAME is trusted even when running SUID/SGID.

Both 2.1 and 2.2.  As the library isn't installed SUID by default,
this is only exploitable due to bug #1.

Not fixed (the access() checks don't count).

4. MEMUSAGE_OUTPUT is trusted even when running SUID/SGID.

2.2 only (wasn't a part of glibc 2.1, but could be installed with it
as well).  Similar to the SEGFAULT_OUTPUT_NAME.

5. RESOLV_HOST_CONF is trusted even when running SUID/SGID.

2.2 only.  Fixed in the CVS.
Comment 1 Jakub Jelinek 2001-01-14 13:03:24 EST
Sure, I know and plan to do the errata for 6.x and check 5.x on
Monday.
Comment 2 Jakub Jelinek 2001-01-17 04:57:42 EST
glibc-2.1.3-22 errata is out since yesterday, glibc-2.0.7 does not seem to be
vulnerable (dunno who added it but our 2.0.7 has LD_PRELOAD completely disabled
for SUID/SGID, profiling stuff is non-existant there and LD_LIBRARY_VERSION
does not exist either.

Note You need to log in before you can comment on or make changes to this bug.