Bug 672468 (CVE-2011-0532) - CVE-2011-0532 Directory Server: use of insecure LD_LIBRARY_PATH settings
Summary: CVE-2011-0532 Directory Server: use of insecure LD_LIBRARY_PATH settings
Status: CLOSED ERRATA
Alias: CVE-2011-0532
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,source=redhat,reported=201...
Keywords: Security
Depends On: 670922
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-01-25 08:08 UTC by Tomas Hoger
Modified: 2019-06-08 18:43 UTC (History)
10 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2015-07-22 07:58:21 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0293 normal SHIPPED_LIVE Moderate: Red Hat Directory Server security update 2011-02-22 17:46:00 UTC

Description Tomas Hoger 2011-01-25 08:08:57 UTC
It was discovered that 398 / Red Hat Directory Server set LD_LIBRARY_PATH environment variable to insecure value containing empty path elements in various shell scripts used by DS (e.g. various backup/restore scripts instantiated for each DS instance, as well as the main initialization script).  Such LD_LIBRARY_PATH setting causes ld.so dynamic linker to perform library search relative to the current working directory before searching system library directories.  A local attacker able to trick a user running those scripts (usually the root user) to run them while working from an attacker writeable directory could use this flaw to escalate their privileges via specially crated dynamic library.

Comment 1 Tomas Hoger 2011-01-25 08:20:45 UTC
Examples include:

- dirsrv init script
  LD_LIBRARY_PATH=/usr/lib/dirsrv::/usr/lib

- ldap-agent
  LIB_DIR=:::
  LD_LIBRARY_PATH=${LIB_DIR}

- backup scripts
  LD_LIBRARY_PATH=$prefix/{{SERVER-DIR}}:$prefix:$prefix/usr/lib:$prefix/usr/lib
  if [ -n "$prefix" ] ; then
    LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:"                                  
  fi

This issue is result of an expansion of certain configure variables to an empty string.

Comment 2 Tomas Hoger 2011-01-25 08:23:30 UTC
Most scripts also set SHLIB_PATH to the same value as LD_LIBRARY_PATH.  I don't know if HP-UX dynamic linker handles empty paths in SHLIB_PATH in the same way as glibc ld.so does in LD_LIBRARY_PATH.  Can anyone with access to HP-UX system verify this?  DS scripts usually do SHLIB_PATH=$LD_LIBRARY_PATH or similar, so LD_LIBRARY_PATH fix should resolve most SHLIB_PATH issues too.

Comment 19 errata-xmlrpc 2011-02-22 17:46:12 UTC
This issue has been addressed in following products:

  Red Hat Directory Server 8 for RHEL 4
  Red Hat Directory Server 8 for RHEL 5

Via RHSA-2011:0293 https://rhn.redhat.com/errata/RHSA-2011-0293.html


Note You need to log in before you can comment on or make changes to this bug.