CVE-2010-3847 - Improper Link Resolution Before File Access ('Link Following')

Severity

69%

Complexity

34%

Confidentiality

165%

elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of $ORIGIN for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory.

elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of $ORIGIN for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory.

CVSS 2.0 Base Score 6.9. CVSS Attack Vector: local. CVSS Attack Complexity: medium. CVSS Vector: (AV:L/AC:M/Au:N/C:C/I:C/A:C).

Overview

First reported 14 years ago

2011-01-07 19:00:00

Last updated 6 years ago

2018-10-10 20:05:00

Affected Software

GNU glibc 1.00

1.00

GNU glibc 1.01

1.01

GNU glibc 1.02

1.02

GNU glibc 1.03

1.03

GNU glibc 1.04

1.04

GNU glibc 1.05

1.05

GNU glibc 1.06

1.06

GNU glibc 1.07

1.07

GNU glibc 1.08

1.08

GNU glibc 1.09

1.09

GNU glibc 1.09.1

1.09.1

GNU glibc 2.0

2.0

GNU glibc 2.0.1

2.0.1

GNU glibc 2.0.2

2.0.2

GNU glibc 2.0.3

2.0.3

GNU glibc 2.0.4

2.0.4

GNU glibc 2.0.5

2.0.5

GNU glibc 2.0.6

2.0.6

GNU glibc 2.1

2.1

GNU glibc 2.1.1

2.1.1

GNU glibc 2.1.1.6

2.1.1.6

GNU glibc 2.1.2

2.1.2

GNU glibc 2.1.3

2.1.3

GNU glibc 2.1.3.10

2.1.3.10

GNU glibc 2.1.9

2.1.9

GNU glibc 2.2

2.2

GNU glibc 2.2.1

2.2.1

GNU glibc 2.2.2

2.2.2

GNU glibc 2.2.3

2.2.3

GNU glibc 2.2.4

2.2.4

GNU glibc 2.2.5

2.2.5

GNU glibc 2.3

2.3

GNU glibc 2.3.1

2.3.1

GNU glibc 2.3.2

2.3.2

GNU glibc 2.3.3

2.3.3

GNU glibc 2.3.4

2.3.4

GNU glibc 2.3.5

2.3.5

GNU glibc 2.3.6

2.3.6

GNU glibc 2.3.10

2.3.10

GNU glibc 2.4

2.4

GNU glibc 2.5

2.5

GNU glibc 2.5.1

2.5.1

GNU glibc 2.6

2.6

GNU glibc 2.6.1

2.6.1

GNU glibc 2.7

2.7

GNU glibc 2.8

2.8

GNU glibc 2.9

2.9

GNU glibc 2.10

2.10

GNU glibc 2.10.1

2.10.1

GNU glibc 2.10.2

2.10.2

GNU glibc 2.11

2.11

GNU glibc 2.11.1

2.11.1

GNU glibc

GNU glibc 2.12.0

2.12.0

GNU glibc 2.12.1

2.12.1

References

20101018 The GNU C library dynamic linker expands $ORIGIN in setuid library search path

Exploit

20101019 Re: The GNU C library dynamic linker expands $ORIGIN in setuid library search path

20101020 Re: The GNU C library dynamic linker expands $ORIGIN in setuid library search path

42787

Vendor Advisory

GLSA-201011-01

[libc-hacker] 20101018 [PATCH] Never expand $ORIGIN in privileged programs

Patch

http://support.avaya.com/css/P8/documents/100120941

DSA-2122

VU#537223

US Government Resource

MDVSA-2010:207

RHSA-2010:0872

20110105 VMSA-2011-0001 VMware ESX third party updates for Service Console packages glibc, sudo, and openldap

44154

USN-1009-1

http://www.vmware.com/security/advisories/VMSA-2011-0001.html

ADV-2011-0025

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=643306

Patch

SUSE-SA:2010:052

RHSA-2010:0787

44024

44025

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.