Bug 667974 (CVE-2011-0536) - CVE-2011-0536 glibc: CVE-2010-3847 fix causes linker to search CWD when running privileged program with $ORIGIN in R*PATH
Summary: CVE-2011-0536 glibc: CVE-2010-3847 fix causes linker to search CWD when runni...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-0536
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 649256 660217 670988 682991 688214 688215 688217 688219
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-01-07 14:51 UTC by Tomas Hoger
Modified: 2019-09-29 12:42 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-11 14:12:40 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0412 normal SHIPPED_LIVE Important: glibc security update 2011-04-04 20:06:07 UTC
Sourceware 12393 None None None Never
Red Hat Product Errata RHSA-2011:0413 normal SHIPPED_LIVE Important: glibc security update 2011-04-04 20:22:08 UTC

Description Tomas Hoger 2011-01-07 14:51:17 UTC
Following patch was applied to glibc packages to address dynamic linker privilege escalation issue CVE-2010-3847 (see bug #643306):

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3847#c26
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=4b646a51f13fd6816c483fb24c308a13264c6d1a

This change introduced a regression in handling of privileged programs that use $ORIGIN in R*PATH in the binary itself, or any of the depending libraries.  When running such privileged program, this issue causes dynamic linker to not expand $ORIGIN in R*PATH and search for additional dynamic objects starting from the current working directory.  This could allow a local user to escalate their privileges, or cause the program to fail to find required libraries.

Prior to the CVE-2010-3847, it was possible to escalate privileges when privileged program had $ORIGIN in R*PATH.  An attacker needed to have a write access to the file system hosting such binary, to be able to hard-link it to an attacker-controlled directory.  Then the attacker could LD_PRELOAD malicious library from the same directory and execute code with elevated privileges.  This flaw was of limited risk, as setuid/setgid binaries with $ORIGIN in R*PATH seem to be rare (there's no such binary in Red Hat Enterprise Linux).

With the 4b646a51 fix applied, attacker no longer needs write access to the file system with privileged program, and the relative-to-CWD search can be triggered by R*PATHs of depending libraries too.  Even with these loosened requirements, there are currently no privileged programs shipped with Red Hat Enterprise Linux known to be exploitable using this flaw.

To address this issue, 4b646a51 was reverted and the following patch was applied in fedora glibc git branch:
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=96611391ad8823ba58405325d78cefeae5cdf699

Following patch is also required to avoid regressing CVE-2010-3847 fix:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3847#c22
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=22cd1c9bcf57c5829d65b6da825f7a459d40c9eb

Comment 1 Tomas Hoger 2011-01-07 14:55:28 UTC
(In reply to comment #0)
> To address this issue, 4b646a51 was reverted and the following patch was
> applied in fedora glibc git branch:
> http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=96611391ad8823ba58405325d78cefeae5cdf699

This fix has not been applied to glibc master branch yet as discussed in the following libc-hacker mailing list thread:
http://sourceware.org/ml/libc-hacker/2010-12/msg00001.html

It seems the change was rejected because it removes useful and desired behaviour of having $ORIGIN supported privileged programs' R*PATHs.  The discussion does not seem to mention risks of the feature though.  Andreas, have there been any other off-list discussions of this change?

Comment 2 Tomas Hoger 2011-01-12 08:38:09 UTC
Public now via Debian advisory DSA 2122-2:
http://lists.debian.org/debian-security-announce/2011/msg00005.html

and Ubuntu advisory USN-1009-2:
https://lists.ubuntu.com/archives/ubuntu-security-announce/2011-January/001226.html

using patches listed in comment #0.

Comment 5 Tomas Hoger 2011-01-12 10:32:44 UTC
(In reply to comment #0)
> To address this issue, 4b646a51 was reverted and the following patch was
> applied in fedora glibc git branch:
> http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=96611391ad8823ba58405325d78cefeae5cdf699

F13 glibc-2.12.2-1 ld.so with this patch applied still searches CWD.

Comment 8 Andreas Schwab 2011-01-12 14:42:05 UTC
If you can create a suid-root program all bets are off.

Comment 9 Tomas Hoger 2011-01-12 15:05:34 UTC
(In reply to comment #8)
> If you can create a suid-root program all bets are off.

There are two cases here:

- problem with gconv that was introduced as part of CVE-2010-3847 fix.  This may lead to privilege escalation if some suid program uses gconv and it's the issue we need to address (e.g. by reverting "Never expand $ORIGIN in privileged programs" and adding "Don't expand DST twice in dl_open")

- second, there are issues that can lead to privilege escalation when you have suid with odd RPATH.  While such suids are not common, users can unintentionally introduce them in their systems and create and exposure that ld.so can (should?) mitigate.  It's probably worth discussing if linked should provide safety net for such cases, or these can be ignored as way too uncommon to be worth changing current status quo.  Hence I've created upstream bug that can be used to discuss if current behaviour is appropriate or not:
  http://sourceware.org/bugzilla/show_bug.cgi?id=12393

Comment 12 Tomas Hoger 2011-04-03 20:24:51 UTC
Raising impact rating to important.  Additional exploitation vectors have been demonstrated, which affect common configurations.

Comment 13 errata-xmlrpc 2011-04-04 20:06:33 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0412 https://rhn.redhat.com/errata/RHSA-2011-0412.html

Comment 14 errata-xmlrpc 2011-04-04 20:22:30 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0413 https://rhn.redhat.com/errata/RHSA-2011-0413.html

Comment 15 Leif Nixon 2011-04-05 18:26:43 UTC
(In reply to comment #12)
> Raising impact rating to important.  Additional exploitation vectors have been
> demonstrated, which affect common configurations.

Will these vectors be disclosed at some point? When?

Comment 16 Tomas Hoger 2011-04-06 07:20:11 UTC
(In reply to comment #15)

> Will these vectors be disclosed at some point? When?

Reporter indicated an intention to make exploit public after waiting some time to give users and downstream distros an opportunity to pick up the fix.


Note You need to log in before you can comment on or make changes to this bug.