Bug 667974 - (CVE-2011-0536) glibc: CVE-2010-3847 fix causes linker to search CWD when running privileged program with $ORIGIN in R*PATH
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Severity: high
Assigned To: Red Hat Product Security
public=20110111,reported=20101208,sou...
Keywords: Reopened, Security
Depends On: 649256 660217 670988 682991 688214 688215 688217 688219
Reported: 2011-01-07 09:51 EST by Tomas Hoger
Modified: 2016-02-04 01:47 EST (History)
Doc Type: Bug Fix
Last Closed: 2013-04-11 10:12:40 EDT
External Trackers: Sourceware 12393
Description Tomas Hoger 2011-01-07 09:51:17 EST
The following patch was applied to glibc packages to address the dynamic linker privilege escalation issue CVE-2010-3847 (see bug #643306):

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3847#c26
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=4b646a51f13fd6816c483fb24c308a13264c6d1a

This change introduced a regression in the handling of privileged programs that use $ORIGIN in R*PATH in the binary itself, or in any of the libraries they depend on.  When running such a privileged program, this issue causes the dynamic linker not to expand $ORIGIN in R*PATH and to search for additional dynamic objects starting from the current working directory.  This could allow a local user to escalate their privileges, or cause the program to fail to find required libraries.

Prior to the CVE-2010-3847 fix, it was possible to escalate privileges when a privileged program had $ORIGIN in R*PATH.  An attacker needed to have write access to the file system hosting such a binary, to be able to hard-link it to an attacker-controlled directory.  Then the attacker could LD_PRELOAD a malicious library from the same directory and execute code with elevated privileges.  This flaw was of limited risk, as setuid/setgid binaries with $ORIGIN in R*PATH seem to be rare (there is no such binary in Red Hat Enterprise Linux).

With the 4b646a51 fix applied, an attacker no longer needs write access to the file system holding the privileged program, and the relative-to-CWD search can be triggered by the R*PATHs of depending libraries too.  Even with these loosened requirements, there are currently no privileged programs shipped with Red Hat Enterprise Linux known to be exploitable using this flaw.

To address this issue, 4b646a51 was reverted and the following patch was applied in the Fedora glibc git branch:
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=96611391ad8823ba58405325d78cefeae5cdf699

The following patch is also required to avoid regressing the CVE-2010-3847 fix:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3847#c22
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=22cd1c9bcf57c5829d65b6da825f7a459d40c9eb
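The description notes that privileged binaries with $ORIGIN in R*PATH are rare but can be introduced unintentionally. The audit helper below is an added example, not code from this bug or from glibc: it parses `readelf -d` output (assumed to be binutils' usual "(RPATH) Library rpath: [...]" format) and flags setuid/setgid files whose own DT_RPATH/DT_RUNPATH contains $ORIGIN or a relative/empty element; the sample readelf output is constructed.

```python
import os
import re
import stat
import subprocess

# readelf -d prints one line per dynamic tag, e.g.
#  0x000000000000000f (RPATH)   Library rpath: [$ORIGIN/../lib]
_RPATH_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path:\s+\[(.*)\]")

# Constructed sample of readelf -d output (not taken from a real binary).
SAMPLE_READELF = """ 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: [$ORIGIN/../lib:/usr/lib64]
 0x000000000000001d (RUNPATH)            Library runpath: [/opt/app/lib:]
"""

def rpath_entries(readelf_output):
    """Return (tag, dir) pairs for every element of DT_RPATH / DT_RUNPATH."""
    entries = []
    for line in readelf_output.splitlines():
        m = _RPATH_RE.search(line)
        if m:
            # R*PATH is colon-separated; an empty element means "." (the CWD)
            entries.extend((m.group(1), d) for d in m.group(2).split(":"))
    return entries

def risky_entries(readelf_output):
    """Elements that tie the library search to where the binary runs from:
    $ORIGIN (the trigger in this bug) plus relative or empty directories."""
    return [(tag, d) for tag, d in rpath_entries(readelf_output)
            if "$ORIGIN" in d or "${ORIGIN}" in d or not d.startswith("/")]

def audit(root="/usr"):
    """Walk root, run readelf -d on each setuid/setgid regular file and report risky
    R*PATHs. Only the binary's own R*PATH is checked, not its dependencies'."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
                if not (stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID)):
                    continue
                out = subprocess.run(["readelf", "-d", full], capture_output=True,
                                     text=True, check=False).stdout
            except OSError:
                continue
            bad = risky_entries(out)
            if bad:
                findings.append((full, bad))
    return findings
```

Because the bug also concerns R*PATHs of depending libraries, a complete audit would repeat the check for each library listed in the binary's NEEDED entries.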
Comment 1 Tomas Hoger 2011-01-07 09:55:28 EST
(In reply to comment #0)
> To address this issue, 4b646a51 was reverted and the following patch was
> applied in fedora glibc git branch:
> http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=96611391ad8823ba58405325d78cefeae5cdf699

This fix has not been applied to glibc master branch yet as discussed in the following libc-hacker mailing list thread:
http://sourceware.org/ml/libc-hacker/2010-12/msg00001.html

It seems the change was rejected because it removes the useful and desired behaviour of having $ORIGIN supported in privileged programs' R*PATHs.  The discussion does not seem to mention the risks of the feature though.  Andreas, have there been any other off-list discussions of this change?
Comment 2 Tomas Hoger 2011-01-12 03:38:09 EST
Public now via Debian advisory DSA 2122-2:
http://lists.debian.org/debian-security-announce/2011/msg00005.html

and Ubuntu advisory USN-1009-2:
https://lists.ubuntu.com/archives/ubuntu-security-announce/2011-January/001226.html

using patches listed in comment #0.
Comment 5 Tomas Hoger 2011-01-12 05:32:44 EST
(In reply to comment #0)
> To address this issue, 4b646a51 was reverted and the following patch was
> applied in fedora glibc git branch:
> http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=96611391ad8823ba58405325d78cefeae5cdf699

F13 glibc-2.12.2-1 ld.so with this patch applied still searches CWD.
Comment 8 Andreas Schwab 2011-01-12 09:42:05 EST
If you can create a suid-root program all bets are off.
Comment 9 Tomas Hoger 2011-01-12 10:05:34 EST
(In reply to comment #8)
> If you can create a suid-root program all bets are off.

There are two cases here:

- problem with gconv that was introduced as part of CVE-2010-3847 fix.  This may lead to privilege escalation if some suid program uses gconv and it's the issue we need to address (e.g. by reverting "Never expand $ORIGIN in privileged programs" and adding "Don't expand DST twice in dl_open")

- second, there are issues that can lead to privilege escalation when you have a suid with an odd RPATH.  While such suids are not common, users can unintentionally introduce them in their systems and create an exposure that ld.so can (should?) mitigate.  It's probably worth discussing if the linker should provide a safety net for such cases, or whether these can be ignored as way too uncommon to be worth changing the current status quo.  Hence I've created an upstream bug that can be used to discuss if the current behaviour is appropriate or not:
  http://sourceware.org/bugzilla/show_bug.cgi?id=12393
Comment 12 Tomas Hoger 2011-04-03 16:24:51 EDT
Raising impact rating to important.  Additional exploitation vectors have been demonstrated, which affect common configurations.
Comment 13 errata-xmlrpc 2011-04-04 16:06:33 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0412 https://rhn.redhat.com/errata/RHSA-2011-0412.html
Comment 14 errata-xmlrpc 2011-04-04 16:22:30 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0413 https://rhn.redhat.com/errata/RHSA-2011-0413.html
Comment 15 Leif Nixon 2011-04-05 14:26:43 EDT
(In reply to comment #12)
> Raising impact rating to important.  Additional exploitation vectors have been
> demonstrated, which affect common configurations.

Will these vectors be disclosed at some point? When?
Comment 16 Tomas Hoger 2011-04-06 03:20:11 EDT
(In reply to comment #15)

> Will these vectors be disclosed at some point? When?

The reporter indicated an intention to make the exploit public after waiting some time to give users and downstream distros an opportunity to pick up the fix.
