Tavis Ormandy pointed out that glibc does not follow the ELF specification recommendation that $ORIGIN expansion should not be performed for setuid/setgid programs. Tavis quoted: http://web.archive.org/web/20041026003725/http://www.caldera.com/developers/gabi/2003-12-17/ch5.dynamic.html

For security, the dynamic linker does not allow use of $ORIGIN substitution sequences for set-user and set-group ID programs. For such sequences that appear within strings specified by DT_RUNPATH dynamic array entries, the specific search path containing the $ORIGIN sequence is ignored (though other search paths in the same string are processed). $ORIGIN sequences within a DT_NEEDED entry or path passed as a parameter to dlopen() are treated as errors. The same restrictions may be applied to processes that have more than minimal privileges on systems with installed extended security mechanisms.

Tavis showed that it's possible to escalate privileges by forcing $ORIGIN expansion from LD_AUDIT (which is supposed to be ignored for setuid/setgid binaries; it's listed in UNSECURE_ENVVARS).

Acknowledgements: Red Hat would like to thank Tavis Ormandy for reporting this issue.
Public now via: http://seclists.org/fulldisclosure/2010/Oct/257

For this attack, a local user needs to be able to create a hard link to a setuid or setgid binary in the attacker-controlled directory. Separating setuid binaries and user-writeable directories onto different file systems mitigates this issue. Tavis' advisory provides temporary mitigation steps that can be used in cases where such a split is not used at the moment and cannot be implemented.

The auditing API for the dynamic linker is not implemented in the glibc versions in Red Hat Enterprise Linux 3 and 4. The attack described by Tavis using $ORIGIN in LD_AUDIT does not affect those versions.
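An added audit script (not part of the bug report or of glibc) for the mitigation described above: it reports setuid/setgid binaries that share a file system with a world-writable directory, where a local user could hard-link them, and flags setuid/setgid binaries whose link count is already above 1. It assumes GNU find and stat and paths without whitespace.

```shell
#!/bin/sh
# Added example, not from the bug report: audit for the CVE-2010-3847
# mitigation "keep setuid binaries and user-writable directories on
# separate file systems". A hard link can only be created within one
# file system, so a setuid binary on the same device as a world-writable
# directory is the condition the attack needs.

# Pure check over records "path device nlink kind" on stdin, where kind is
# S (setuid/setgid file) or W (world-writable directory). Prints one line
# per finding and exits 1 if anything was found, 0 otherwise.
audit_records() {
    awk '
        $4 == "W" { wdir[$2] = (wdir[$2] ? wdir[$2] ", " : "") $1 }
        $4 == "S" { n++; sp[n] = $1; sd[n] = $2; sl[n] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                # extra links to a privileged binary already exist somewhere
                if (sl[i] > 1) { print "LINKED " sp[i] " nlink=" sl[i]; f = 1 }
                # same device as a world-writable directory: a link could be made
                if (sd[i] in wdir) {
                    print "SHARED " sp[i] " fs=" sd[i] " writable: " wdir[sd[i]]
                    f = 1
                }
            }
            exit f ? 1 : 0
        }'
}

# Gather records from the live system (GNU stat: %n name, %d device, %h links).
# The sticky bit on /tmp does not stop hard links; only a later kernel with
# fs.protected_hardlinks=1 or the file-system split does.
collect_records() {
    find / \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
        -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%n %d %h S' {} + 2>/dev/null
    find / \( -path /proc -o -path /sys -o -path /dev \) -prune -o \
        -type d -perm -0002 -exec stat -c '%n %d %h W' {} + 2>/dev/null
}

# Run "audit_system" as root; a non-zero exit means the split is not in place.
audit_system() {
    collect_records | audit_records
}
```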
Created attachment 454089 [details] Don't expand DST twice in dl_open
Created attachment 454096 [details] Never expand $ORIGIN in privileged programs
Andreas, is this the definitive fix? Regards, Roberto Yokota
http://sourceware.org/ml/libc-hacker/2010-10/msg00007.html
Thanks Andreas!
Created glibc tracking bugs for this issue Affects: fedora-all [bug 643951]
Is Andreas' patch in comment 22 really relevant here?
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 via RHSA-2010:0787 https://rhn.redhat.com/errata/RHSA-2010-0787.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 via RHSA-2010:0872 https://rhn.redhat.com/errata/RHSA-2010-0872.html