(Bug marked as beta program only in case people at large have not realised this)

Hi,

Tested with a RH6.1 server with glibc-2.1.3-21 (the update). Unfortunately I was able to LD_PRELOAD libSegFault.so into the "passwd" program. Having set SEGFAULT_OUTPUT_NAME to a victim file, sending "passwd" SIGSEGV toasted that file!

To quote Solar Designer on the glibc issues:

These are the (instances of) the recently discovered glibc bugs (here "2.1" means 2.1 to 2.1.3, and "2.2" means 2.1.9x+):

1. LD_PRELOAD works for non-SUID libs even when running SUID/SGID. This affects both glibc 2.1 and 2.2. The proven way to abuse this property is via libSegFault (overwrite any file), but even worse attacks (providing a root shell directly) are likely to exist. Fixed in the CVS.

2. LD_PROFILE uses a file in /var/tmp even when running SUID/SGID. Both 2.1 and 2.2. The file is unsafely created and later mmap'ed for processing. There are memory writes with addresses calculated from data in the file, with no bounds checking. Thus, it definitely is possible to overwrite files with this, and it might be possible to get a root shell via this vulnerability directly. Fixed in the CVS by moving the profiling files to /var/profile (which should only be created if the feature is desired) for the SUID/SGID case. /var/tmp is still used for non-SUID/SGID programs if run with LD_PROFILE set, which I dislike, but this is only a minor problem.

3. SEGFAULT_OUTPUT_NAME is trusted even when running SUID/SGID. Both 2.1 and 2.2. As the library isn't installed SUID by default, this is only exploitable due to bug #1. Not fixed (the access() checks don't count).

4. MEMUSAGE_OUTPUT is trusted even when running SUID/SGID. 2.2 only (wasn't a part of glibc 2.1, but could be installed with it as well). Similar to the SEGFAULT_OUTPUT_NAME.

5. RESOLV_HOST_CONF is trusted even when running SUID/SGID. 2.2 only. Fixed in the CVS.
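An added example (not code from this report, from Red Hat, or from glibc) modelling the mitigation the report calls for: a loader-style filter that drops the five environment variables named above before they are consulted, but only when the program runs SUID/SGID. The `secure` flag stands in for what the kernel signals via AT_SECURE, and the sample environment is constructed.

```c
/* Added example, not code from the bug report or from glibc itself.
 * Models the mitigation glibc's dynamic loader applies in "secure" mode
 * (a SUID/SGID program): environment variables that would let the caller
 * steer the library are dropped before they are consulted. The list is
 * limited to the five variables discussed in the report. */
#include <stddef.h>
#include <string.h>

/* Variables the report says are trusted but must not be under SUID/SGID. */
static const char *const unsafe_vars[] = {
    "LD_PRELOAD", "LD_PROFILE", "SEGFAULT_OUTPUT_NAME",
    "MEMUSAGE_OUTPUT", "RESOLV_HOST_CONF", NULL,
};

/* Return 1 if a "NAME=value" entry names one of the unsafe variables. */
int is_unsafe_var(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t namelen = eq ? (size_t)(eq - entry) : strlen(entry);
    for (const char *const *v = unsafe_vars; *v; v++)
        if (strlen(*v) == namelen && memcmp(*v, entry, namelen) == 0)
            return 1;
    return 0;
}

/* Compact envp in place, dropping unsafe entries when secure mode is on;
 * returns the number of entries kept. Non-secure programs keep them all,
 * mirroring the report's point that only the SUID/SGID case is serious. */
int sanitize_env(char **envp, int secure)
{
    int kept = 0;
    for (int i = 0; envp[i]; i++)
        if (!secure || !is_unsafe_var(envp[i]))
            envp[kept++] = envp[i];
    envp[kept] = NULL;
    return kept;
}

/* Constructed sample environment so the filter can be exercised offline:
 * the LD_PRELOAD/SEGFAULT_OUTPUT_NAME pair is the combination the report
 * used against "passwd"; in secure mode both entries are discarded. */
int demo_kept(int secure)
{
    char path[] = "PATH=/bin", pre[] = "LD_PRELOAD=libSegFault.so",
         out[] = "SEGFAULT_OUTPUT_NAME=/tmp/victim", home[] = "HOME=/root";
    char *env[] = { path, pre, out, home, NULL };
    return sanitize_env(env, secure);
}
```

In a real loader the `secure` argument comes from AT_SECURE in the auxiliary vector, not from comparing real and effective ids, since the kernel also sets it for capability and security-module transitions.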
Sure, I know and plan to do the errata for 6.x and check 5.x on Monday.
The glibc-2.1.3-22 errata has been out since yesterday; glibc-2.0.7 does not seem to be vulnerable (dunno who added it, but our 2.0.7 has LD_PRELOAD completely disabled for SUID/SGID, the profiling stuff is non-existent there, and LD_LIBRARY_VERSION does not exist either).