It was discovered that 389 / Red Hat Directory Server set the LD_LIBRARY_PATH environment variable to an insecure value containing empty path elements in various shell scripts used by DS (e.g. the backup/restore scripts instantiated for each DS instance, as well as the main initialization script). The glibc dynamic linker (ld.so) treats an empty LD_LIBRARY_PATH element as the current working directory, so such a setting causes it to search for libraries relative to the current working directory before searching the system library directories. A local attacker able to trick a user running those scripts (usually the root user) into running them while working from an attacker-writeable directory could use this flaw to escalate their privileges via a specially crafted dynamic library.
Examples include:

- dirsrv init script:

    LD_LIBRARY_PATH=/usr/lib/dirsrv::/usr/lib

- ldap-agent:

    LIB_DIR=:::
    LD_LIBRARY_PATH=${LIB_DIR}

- backup scripts:

    LD_LIBRARY_PATH=$prefix/{{SERVER-DIR}}:$prefix:$prefix/usr/lib:$prefix/usr/lib
    if [ -n "$prefix" ] ; then
        LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:"
    fi

This issue is the result of certain configure variables expanding to an empty string.
Most scripts also set SHLIB_PATH to the same value as LD_LIBRARY_PATH. I don't know if the HP-UX dynamic linker handles empty paths in SHLIB_PATH in the same way as glibc ld.so does in LD_LIBRARY_PATH. Can anyone with access to an HP-UX system verify this? DS scripts usually do SHLIB_PATH=$LD_LIBRARY_PATH or similar, so the LD_LIBRARY_PATH fix should resolve most SHLIB_PATH issues too.
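Because the root cause is a search path that ends up with empty elements once a configure variable expands to nothing, the useful checks are (a) an audit that flags LD_LIBRARY_PATH, SHLIB_PATH or LIB_DIR assignments which become insecure when every variable reference is assumed empty, and (b) a way of assembling such a path that can never contain an empty element. The following POSIX sh script is an added example written for this page; it is not code from the Directory Server scripts, the fix, or the report. The function names, the choice of variable names to match, and the contents of the sample script it audits are constructed for illustration (the sample mirrors the patterns quoted above but is not copied from a real DS installation); it assumes only that `sed` and `mktemp` are available.

```shell
#!/bin/sh
# Added example, not code from the Directory Server scripts or the report:
# audit shell scripts for library search paths that would make ld.so search
# the current working directory, and build such paths without empty elements.

# has_insecure_element VALUE
# Succeeds (returns 0) when VALUE contains an empty element (leading, trailing
# or doubled ':'), an explicit '.' element, or any element that is not an
# absolute path. ld.so treats an empty element exactly like '.'.
has_insecure_element() {
    case "$1" in
        '')               return 1 ;;   # empty whole value: nothing is searched
        *::*|:*|*:)       return 0 ;;   # empty element
        .|.:*|*:.|*:.:*)  return 0 ;;   # explicit current directory
    esac
    _rest=$1
    while [ -n "$_rest" ]; do
        _elem=${_rest%%:*}
        case "$_elem" in
            /*) ;;                      # absolute path: fine
            *)  return 0 ;;             # relative element
        esac
        case "$_rest" in
            *:*) _rest=${_rest#*:} ;;
            *)   _rest='' ;;
        esac
    done
    return 1
}

# safe_join_path DIR...
# Prints the ':'-joined list of those arguments that are absolute paths,
# dropping empty or relative ones, so that an unset configure variable
# can never produce an empty element.
safe_join_path() {
    _out=''
    for _d in "$@"; do
        case "$_d" in
            /*) _out="${_out:+$_out:}$_d" ;;
        esac
    done
    printf '%s\n' "$_out"
}

# audit_script FILE
# Prints "FILE:LINE: VALUE" for each LD_LIBRARY_PATH, SHLIB_PATH or LIB_DIR
# assignment whose value is insecure once every $var / ${var} reference is
# taken to expand to the empty string (the failure mode in the report).
# Returns the number of findings as its exit status.
audit_script() {
    _file=$1
    _stripped=$(mktemp) || return 255
    sed -e 's/\${[A-Za-z_][A-Za-z0-9_]*}//g' \
        -e 's/\$[A-Za-z_][A-Za-z0-9_]*//g' "$_file" > "$_stripped"
    _n=0
    _count=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        _n=$((_n + 1))
        case "$_line" in
            *LD_LIBRARY_PATH=*|*SHLIB_PATH=*|*LIB_DIR=*) ;;
            *) continue ;;
        esac
        _val=${_line#*=}
        _val=${_val#\"}; _val=${_val%\"}    # drop surrounding double quotes
        if has_insecure_element "$_val"; then
            printf '%s:%s: %s\n' "$_file" "$_n" "$_val"
            _count=$((_count + 1))
        fi
    done < "$_stripped"
    rm -f "$_stripped"
    return $_count
}

# make_sample_script
# Writes a constructed script modelled on the patterns quoted in the report
# (illustrative values, not copied from a real DS installation) and prints
# its path. With prefix empty, the last two assignments yield "/usr/lib:"
# and ":", both of which contain an empty element.
make_sample_script() {
    _f=$(mktemp) || return 1
    cat > "$_f" <<'EOF'
#!/bin/sh
prefix=
LD_LIBRARY_PATH=/usr/lib/dirsrv::/usr/lib
LIB_DIR=:::
SHLIB_PATH=/usr/lib/dirsrv:/usr/lib
LD_LIBRARY_PATH="$prefix/usr/lib:$prefix"
LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:"
export LD_LIBRARY_PATH SHLIB_PATH
EOF
    printf '%s\n' "$_f"
}

sample=$(make_sample_script)
audit_script "$sample" || :
rm -f "$sample"
printf 'safe join with an empty prefix: %s\n' \
    "$(safe_join_path "" "/usr/lib/dirsrv" "" "/usr/lib")"
```

Run against the sample, the audit reports four of the five assignments (the doubled colon, the `:::` value, and the two values that collapse to `/usr/lib:` and `:` once `prefix` is empty); only the SHLIB_PATH line with two absolute elements passes. The audit is deliberately pessimistic: it cannot evaluate the scripts, so it treats every variable reference as empty, which is exactly the expansion that produced the reported values. A value built through an intermediate variable, as in the ldap-agent `LD_LIBRARY_PATH=${LIB_DIR}` case, is caught only because the `LIB_DIR=` assignment itself is checked, so any additional intermediate names used by a given script should be added to the pattern list.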
This issue has been addressed in the following products:

- Red Hat Directory Server 8 for RHEL 4
- Red Hat Directory Server 8 for RHEL 5

Via RHSA-2011:0293 https://rhn.redhat.com/errata/RHSA-2011-0293.html