Bug 643306 (CVE-2010-3847) - CVE-2010-3847 glibc: ld.so insecure handling of $ORIGIN in LD_AUDIT for setuid/setgid programs
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-3847
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,source=vendor-sec,re...
Depends On: 643816 643817 643818 643819 643821 643822 643951
Blocks:
Reported: 2010-10-15 08:58 UTC by Tomas Hoger
Modified: 2019-06-08 13:08 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-11-11 08:13:12 UTC


Attachments
Don't expand DST twice in dl_open (1.75 KB, text/plain), 2010-10-18 11:30 UTC, Andreas Schwab
Never expand $ORIGIN in privileged programs (2.34 KB, text/plain), 2010-10-18 12:14 UTC, Andreas Schwab


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2010:0787 normal SHIPPED_LIVE Important: glibc security update 2010-10-20 23:27:32 UTC
Red Hat Product Errata RHSA-2010:0872 normal SHIPPED_LIVE Important: glibc security and bug fix update 2010-11-10 12:10:56 UTC

Description Tomas Hoger 2010-10-15 08:58:02 UTC
Tavis Ormandy pointed out that glibc does not follow the ELF specification's recommendation that $ORIGIN expansion should not be performed for setuid/setgid programs.  Tavis quoted:

http://web.archive.org/web/20041026003725/http://www.caldera.com/developers/gabi/2003-12-17/ch5.dynamic.html

  For security, the dynamic linker does not allow use of $ORIGIN substitution
  sequences for set-user and set-group ID programs. For such sequences that
  appear within strings specified by DT_RUNPATH dynamic array entries, the
  specific search path containing the $ORIGIN sequence is ignored (though other
  search paths in the same string are processed). $ORIGIN sequences within a
  DT_NEEDED entry or path passed as a parameter to dlopen() are treated as
  errors. The same restrictions may be applied to processes that have more than
  minimal privileges on systems with installed extended security mechanisms.

Tavis showed that it's possible to escalate privileges by forcing $ORIGIN expansion from LD_AUDIT (which is supposed to be ignored for setuid/setgid binaries; it is listed in UNSECURE_ENVVARS).

Acknowledgements:

Red Hat would like to thank Tavis Ormandy for reporting this issue.

Comment 20 Tomas Hoger 2010-10-18 11:09:26 UTC
Public now via:
  http://seclists.org/fulldisclosure/2010/Oct/257

For this attack, a local user needs to be able to create a hard link to a setuid or setgid binary in an attacker-controlled directory.  Separating setuid binaries and user-writeable directories onto different file systems mitigates this issue.  Tavis' advisory provides temporary mitigation steps that can be used in cases where such a split is not used at the moment and cannot be implemented.

The auditing API for the dynamic linker is not implemented in the glibc versions in Red Hat Enterprise Linux 3 and 4.  The attack described by Tavis using $ORIGIN in LD_AUDIT does not affect those versions.
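
The following is an added audit helper, not code from the bug report or from glibc, for the mitigation described in comment 20: it lists setuid/setgid binaries under a directory that sit on the same filesystem as a given user-writable directory, which is the precondition for the hard-link step of the attack. It assumes GNU coreutils (`stat -c`, `find -perm`); the directory names in the usage comment are assumptions about a typical layout.

```shell
#!/bin/sh
# Added example (not part of the bug report): check whether setuid/setgid
# binaries share a filesystem with user-writable directories, i.e. whether the
# "separate filesystems" mitigation from comment 20 is in place.
# Assumes GNU coreutils (stat -c, find -perm).

# fs_device PATH: print the device number of the filesystem holding PATH.
fs_device() {
    stat -c '%d' "$1" 2>/dev/null
}

# list_privileged DIR: setuid or setgid regular files under DIR, staying on
# DIR's own filesystem (-xdev) so mount points are not crossed.
list_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# shared_fs_report PRIVDIR WRITABLE_DIR...: print one line per privileged
# binary under PRIVDIR that lives on the same filesystem as one of the
# writable directories. An empty report means a hard link from those
# directories to those binaries is impossible (hard links cannot cross
# filesystems), so the precondition for this attack is absent there.
shared_fs_report() {
    privdir=$1
    shift
    for w in "$@"; do
        wdev=$(fs_device "$w") || continue   # skip directories that do not exist
        list_privileged "$privdir" | while IFS= read -r f; do
            if [ "$(fs_device "$f")" = "$wdev" ]; then
                printf '%s is on the same filesystem as %s\n' "$f" "$w"
            fi
        done
    done
    return 0
}

# Typical invocation on a live system (assumed directory names):
#   shared_fs_report /usr/bin /tmp /var/tmp /home
```

Run it for every directory that holds privileged binaries (`/bin`, `/usr/bin`, `/usr/sbin`, etc.) against every directory local users can write to; each reported pair is one the mitigation does not cover, where the vendor update is the remaining fix.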

Comment 22 Andreas Schwab 2010-10-18 11:30:32 UTC
Created attachment 454089
Don't expand DST twice in dl_open

Comment 26 Andreas Schwab 2010-10-18 12:14:55 UTC
Created attachment 454096
Never expand $ORIGIN in privileged programs

Comment 27 Roberto Yokota 2010-10-18 14:45:53 UTC
Andreas,

Is this the definitive fix?

Regards,

Roberto Yokota

Comment 29 Roberto Yokota 2010-10-18 15:11:30 UTC
Thanks, Andreas!

Comment 30 Tomas Hoger 2010-10-18 15:51:44 UTC
Created glibc tracking bugs for this issue

Affects: fedora-all [bug 643951]

Comment 31 Leif Nixon 2010-10-19 14:52:26 UTC
Is Andreas' patch in comment 22 really relevant here?

Comment 32 errata-xmlrpc 2010-10-20 23:27:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0787 https://rhn.redhat.com/errata/RHSA-2010-0787.html

Comment 37 errata-xmlrpc 2010-11-10 18:57:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0872 https://rhn.redhat.com/errata/RHSA-2010-0872.html
