Bug 643306 - (CVE-2010-3847) CVE-2010-3847 glibc: ld.so insecure handling of $ORIGIN in LD_AUDIT for setuid/setgid programs
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,source=vendor-sec,re...
Keywords: Security
Depends On: 643816 643817 643818 643819 643821 643822 643951
Reported: 2010-10-15 04:58 EDT by Tomas Hoger
Modified: 2016-02-04 01:48 EST (History)

Doc Type: Bug Fix
Last Closed: 2010-11-11 03:13:12 EST

Attachments:
  Don't expand DST twice in dl_open (1.75 KB, text/plain), 2010-10-18 07:30 EDT, Andreas Schwab
  Never expand $ORIGIN in privileged programs (2.34 KB, text/plain), 2010-10-18 08:14 EDT, Andreas Schwab

Description Tomas Hoger 2010-10-15 04:58:02 EDT
Tavis Ormandy pointed out that glibc does not follow the ELF specification recommendation that $ORIGIN expansion should not be performed for setuid/setgid programs.  Tavis quoted:

http://web.archive.org/web/20041026003725/http://www.caldera.com/developers/gabi/2003-12-17/ch5.dynamic.html

  For security, the dynamic linker does not allow use of $ORIGIN substitution
  sequences for set-user and set-group ID programs. For such sequences that
  appear within strings specified by DT_RUNPATH dynamic array entries, the
  specific search path containing the $ORIGIN sequence is ignored (though other
  search paths in the same string are processed). $ORIGIN sequences within a
  DT_NEEDED entry or path passed as a parameter to dlopen() are treated as
  errors. The same restrictions may be applied to processes that have more than
  minimal privileges on systems with installed extended security mechanisms.

Tavis showed that it's possible to escalate privileges by forcing $ORIGIN expansion from LD_AUDIT (which is supposed to be ignored for setuid/setgid binaries, as it's listed in UNSECURE_ENVVARS).

Acknowledgements:

Red Hat would like to thank Tavis Ormandy for reporting this issue.
Comment 20 Tomas Hoger 2010-10-18 07:09:26 EDT
Public now via:
  http://seclists.org/fulldisclosure/2010/Oct/257

For this attack, a local user needs to be able to create a hard link to a setuid or setgid binary in an attacker-controlled directory.  Separating setuid binaries and user-writable directories onto different file systems mitigates this issue.  Tavis' advisory provides temporary mitigation steps that can be used in cases where such a split is not in place at the moment and cannot be implemented.

The auditing API for the dynamic linker is not implemented in the glibc versions in Red Hat Enterprise Linux 3 and 4.  The attack described by Tavis using $ORIGIN in LD_AUDIT does not affect those versions.
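The mitigation in comment 20 rests on the fact that a hard link cannot cross filesystems: a setuid binary is only reachable by the hard-link step if some user-writable directory shares its filesystem. The following Python script is an added example for checking that split on a host; it is not part of the bug report, glibc, or the advisory. It groups setuid/setgid files and world-writable directories by st_dev and reports every pairing on the same device. The paths in SAMPLE_ENTRIES are constructed sample data, and the treatment of sticky directories (such as a 1777 /tmp) as writable is an assumption based on the fact that the sticky bit restricts deletion, not link creation.

```python
"""Constructed example (not from the bug report or glibc): find setuid/setgid
binaries that live on the same filesystem as a user-writable directory.

The hard-link step of the attack only works within one filesystem, so a
setuid binary is only exposed where a world-writable directory (including
sticky /tmp-style directories) shares its st_dev.
"""
import os
import stat
import sys
from dataclasses import dataclass
from types import SimpleNamespace


@dataclass(frozen=True)
class Finding:
    binary: str        # setuid/setgid regular file
    writable_dir: str  # world-writable directory on the same filesystem
    device: int        # shared st_dev value


def is_setuid_or_setgid(mode: int) -> bool:
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def is_world_writable_dir(mode: int) -> bool:
    # Assumption: the sticky bit only stops users deleting each other's
    # entries; it does not stop creating hard links, so sticky dirs count.
    return stat.S_ISDIR(mode) and bool(mode & stat.S_IWOTH)


def walk_entries(roots):
    """Yield (path, stat_result) for everything under roots, not following symlinks."""
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                try:
                    yield path, os.lstat(path)
                except OSError:
                    continue  # unreadable or vanished entry


def shared_filesystem_findings(entries):
    """Group entries by st_dev and pair each setuid/setgid binary with every
    world-writable directory that sits on the same device."""
    setuid_by_dev = {}
    writable_by_dev = {}
    for path, st in entries:
        if is_setuid_or_setgid(st.st_mode):
            setuid_by_dev.setdefault(st.st_dev, []).append(path)
        elif is_world_writable_dir(st.st_mode):
            writable_by_dev.setdefault(st.st_dev, []).append(path)
    findings = []
    for dev, binaries in sorted(setuid_by_dev.items()):
        for wdir in writable_by_dev.get(dev, []):
            for binary in binaries:
                findings.append(Finding(binary, wdir, dev))
    return findings


def fake_entry(path, *, is_dir=False, setuid=False, world_writable=False, dev=1):
    """Build a constructed (path, stat-like) entry so the logic runs offline."""
    mode = (stat.S_IFDIR | 0o755) if is_dir else (stat.S_IFREG | 0o755)
    if setuid:
        mode |= stat.S_ISUID
    if world_writable:
        mode |= stat.S_IWOTH | stat.S_ISVTX
    return path, SimpleNamespace(st_mode=mode, st_dev=dev)


# Constructed sample: one root filesystem (dev 1) holding both a setuid binary
# and a sticky world-writable /tmp, plus a separate /home filesystem (dev 2)
# whose world-writable scratch directory cannot reach the binary by hard link.
SAMPLE_ENTRIES = [
    fake_entry("/usr/bin/passwd", setuid=True, dev=1),
    fake_entry("/usr/bin/ls", dev=1),
    fake_entry("/tmp", is_dir=True, world_writable=True, dev=1),
    fake_entry("/home/alice", is_dir=True, dev=2),
    fake_entry("/home/alice/scratch", is_dir=True, world_writable=True, dev=2),
]


if __name__ == "__main__":
    roots = sys.argv[1:] or ["/"]
    for f in shared_filesystem_findings(walk_entries(roots)):
        print(f"{f.binary} shares device {f.device} with writable {f.writable_dir}")
```

Run it as root with the mount points to scan (defaulting to /); an empty report means no setuid binary shares a device with a world-writable directory, which is the split comment 20 recommends. On the constructed sample it reports /usr/bin/passwd against /tmp and nothing for the /home device.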
Comment 22 Andreas Schwab 2010-10-18 07:30:32 EDT
Created attachment 454089 [details]
Don't expand DST twice in dl_open
Comment 26 Andreas Schwab 2010-10-18 08:14:55 EDT
Created attachment 454096 [details]
Never expand $ORIGIN in privileged programs
Comment 27 Roberto Yokota 2010-10-18 10:45:53 EDT
Andreas,

Is this the definitive fix ?

Regards,

Roberto Yokota
Comment 29 Roberto Yokota 2010-10-18 11:11:30 EDT
Thanks Andreas !
Comment 30 Tomas Hoger 2010-10-18 11:51:44 EDT
Created glibc tracking bugs for this issue

Affects: fedora-all [bug 643951]
Comment 31 Leif Nixon 2010-10-19 10:52:26 EDT
Is Andreas' patch in comment 22 really relevant here?
Comment 32 errata-xmlrpc 2010-10-20 19:27:42 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0787 https://rhn.redhat.com/errata/RHSA-2010-0787.html
Comment 37 errata-xmlrpc 2010-11-10 13:57:31 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2010:0872 https://rhn.redhat.com/errata/RHSA-2010-0872.html
