Red Hat Bugzilla – Bug 23959
Some recent glibc security issues affect RH6.x
Last modified: 2016-11-24 10:19:01 EST
(Bug marked as beta program only in case people at large have not realised
Tested with a RH6.1 server with glibc-2.1.3-21 (the update)
Unfortunately I was able to LD_PRELOAD libSegFault.so into the "passwd"
Having set SEGFAULT_OUTPUT_NAME to a victim file, sending "passwd" SIGSEGV
toasted that file!
To quote Solar Designer on the glibc issues:
These are the (instances of) the recently discovered glibc bugs
(here "2.1" means 2.1 to 2.1.3, and "2.2" means 2.1.9x+):
1. LD_PRELOAD works for non-SUID libs even when running SUID/SGID.
This affects both glibc 2.1 and 2.2. The proven way to abuse this
property is via libSegFault (overwrite any file), but even worse
attacks (providing a root shell directly) are likely to exist.
Fixed in the CVS.
2. LD_PROFILE uses a file in /var/tmp even when running SUID/SGID.
Both 2.1 and 2.2. The file is unsafely created and later mmap'ed
for processing. There're memory writes with addresses calculated
from data in the file, with no bounds checking. Thus, it definitely
is possible to overwrite files with this, and it might be possible to
get a root shell via this vulnerability directly.
Fixed in the CVS by moving the profiling files to /var/profile (which
should only be created if the feature is desired) for the SUID/SGID
case. /var/tmp is still used for non-SUID/SGID programs if run with
LD_PROFILE set, which I dislike, but this is only a minor problem.
3. SEGFAULT_OUTPUT_NAME is trusted even when running SUID/SGID.
Both 2.1 and 2.2. As the library isn't installed SUID by default,
this is only exploitable due to bug #1.
Not fixed (the access() checks don't count).
4. MEMUSAGE_OUTPUT is trusted even when running SUID/SGID.
2.2 only (wasn't a part of glibc 2.1, but could be installed with it
as well). Similar to the SEGFAULT_OUTPUT_NAME.
5. RESOLV_HOST_CONF is trusted even when running SUID/SGID.
2.2 only. Fixed in the CVS.
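Added example (not code from this bug report or from glibc): a helper a SUID/SGID program can call to strip the loader and glibc debugging variables named above (LD_*, SEGFAULT_OUTPUT_NAME, MEMUSAGE_OUTPUT, RESOLV_HOST_CONF) from its environment before spawning children. The sample values it sets are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Exact names this report says glibc 2.1/2.2 trust even under SUID/SGID. */
static const char *const unsafe_exact[] = {
    "SEGFAULT_OUTPUT_NAME", "MEMUSAGE_OUTPUT", "RESOLV_HOST_CONF", NULL
};

/* Remove every LD_* variable plus the exact names above from the
 * process environment. Returns the number of variables removed.
 * Caveat: ld.so has already honoured LD_PRELOAD/LD_PROFILE for this
 * process, so this only protects child processes; bug #1 itself still
 * needs the loader-side fix. */
int scrub_unsafe_env(void)
{
    int removed = 0;
    char **p = environ;
    while (p && *p) {
        const char *entry = *p;
        const char *eq = strchr(entry, '=');
        size_t len = eq ? (size_t)(eq - entry) : strlen(entry);
        int unsafe = (len > 3 && strncmp(entry, "LD_", 3) == 0);
        for (int i = 0; !unsafe && unsafe_exact[i]; i++)
            if (strlen(unsafe_exact[i]) == len &&
                strncmp(entry, unsafe_exact[i], len) == 0)
                unsafe = 1;
        char name[256];
        if (!unsafe || len >= sizeof name) { p++; continue; }
        memcpy(name, entry, len);
        name[len] = '\0';
        unsetenv(name);      /* shifts environ, so rescan from the start */
        removed++;
        p = environ;
    }
    return removed;
}

int main(void)
{
    /* Constructed sample environment mimicking the report's scenario. */
    setenv("LD_PRELOAD", "/tmp/libSegFault.so", 1);
    setenv("SEGFAULT_OUTPUT_NAME", "/tmp/victim-file", 1);
    int n = scrub_unsafe_env();
    printf("removed %d unsafe variables; LD_PRELOAD is now %s\n", n,
           getenv("LD_PRELOAD") ? "set" : "unset");
    return 0;
}
```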
Sure, I know and plan to do the errata for 6.x and check 5.x on
glibc-2.1.3-22 errata has been out since yesterday, glibc-2.0.7 does not seem to be
vulnerable (dunno who added it but our 2.0.7 has LD_PRELOAD completely disabled
for SUID/SGID, profiling stuff is non-existent there and LD_LIBRARY_VERSION
does not exist either).