CVE-2010-3847

Current Description

elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of $ORIGIN for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory.

Referenced by CVEs: CVE-2011-0536, CVE-2011-1658

Basic Data

Published: January 07, 2011
Last Modified: October 10, 2018
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-59
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:L/AC:M/Au:N/C:C/I:C/A:C
CVSS 2 - Access Vector: LOCAL
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: COMPLETE
CVSS 2 - Availability Impact: COMPLETE
CVSS 2 - Base Score: 6.9
Severity: MEDIUM
Exploitability Score: 3.4
Impact Score: 10.0
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
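    Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
    2.3 | Application | Gnu | Glibc | 1.00 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 1.01 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 1.02 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 1.03 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 1.04 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 1.05 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 1.06 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 1.07 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 1.08 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 1.09 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 1.09.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.0 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.0.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.0.2 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.0.3 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.0.4 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.0.5 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.0.6 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.1.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.1.1.6 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.1.2 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.1.3 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.1.3.10 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.1.9 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.2 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.2.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.2.2 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.2.3 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.2.4 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.2.5 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.3 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.3.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.3.2 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.3.3 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.3.4 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.3.5 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.3.6 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.3.10 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.4 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.5 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.5.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.6 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.6.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.7 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.8 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.9 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.10 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.10.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.10.2 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.11 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.11.1 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | * | * | * | * | * | * | * | * | | 2.11.2 | |
    2.3 | Application | Gnu | Glibc | 2.12.0 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Gnu | Glibc | 2.12.1 | * | * | * | * | * | * | * | | | |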

Vulnerable Software List

Vendor | Product | Versions
Gnu | Glibc | *, 1.00, 1.01, 1.02, 1.03, 1.04, 1.05, 1.06, 1.07, 1.08, 1.09, 1.09.1, 2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.1, 2.1.1, 2.1.1.6, 2.1.2, 2.1.3, 2.1.3.10, 2.1.9, 2.10, 2.10.1, 2.10.2, 2.11, 2.11.1, 2.12.0, 2.12.1, 2.2, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.3, 2.3.1, 2.3.10, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.4, 2.5, 2.5.1, 2.6, 2.6.1, 2.7, 2.8, 2.9

References

Name | URL | Source | Tags
20101018 The GNU C library dynamic linker expands $ORIGIN in setuid library search path | http://seclists.org/fulldisclosure/2010/Oct/257 | FULLDISC | Exploit
20101019 Re: The GNU C library dynamic linker expands $ORIGIN in setuid library search path | http://seclists.org/fulldisclosure/2010/Oct/292 | FULLDISC |
20101020 Re: The GNU C library dynamic linker expands $ORIGIN in setuid library search path | http://seclists.org/fulldisclosure/2010/Oct/294 | FULLDISC |
42787 | http://secunia.com/advisories/42787 | SECUNIA | Vendor Advisory
GLSA-201011-01 | http://security.gentoo.org/glsa/glsa-201011-01.xml | GENTOO |
[libc-hacker] 20101018 [PATCH] Never expand $ORIGIN in privileged programs | http://sourceware.org/ml/libc-hacker/2010-10/msg00007.html | MLIST | PATCH
http://support.avaya.com/css/P8/documents/100120941 | http://support.avaya.com/css/P8/documents/100120941 | CONFIRM |
DSA-2122 | http://www.debian.org/security/2010/dsa-2122 | DEBIAN |
VU#537223 | http://www.kb.cert.org/vuls/id/537223 | CERT-VN | US Government Resource
MDVSA-2010:207 | http://www.mandriva.com/security/advisories?name=MDVSA-2010:207 | MANDRIVA |
RHSA-2010:0872 | http://www.redhat.com/support/errata/RHSA-2010-0872.html | REDHAT |
20110105 VMSA-2011-0001 VMware ESX third party updates for Service Console packages glibc, sudo, and openldap | http://www.securityfocus.com/archive/1/515545/100/0/threaded | BUGTRAQ |
44154 | http://www.securityfocus.com/bid/44154 | BID |
USN-1009-1 | http://www.ubuntu.com/usn/USN-1009-1 | UBUNTU |
http://www.vmware.com/security/advisories/VMSA-2011-0001.html | http://www.vmware.com/security/advisories/VMSA-2011-0001.html | CONFIRM |
ADV-2011-0025 | http://www.vupen.com/english/advisories/2011/0025 | VUPEN | Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=643306 | https://bugzilla.redhat.com/show_bug.cgi?id=643306 | CONFIRM | PATCH
SUSE-SA:2010:052 | https://lists.opensuse.org/opensuse-security-announce/2010-10/msg00007.html | SUSE |
RHSA-2010:0787 | https://rhn.redhat.com/errata/RHSA-2010-0787.html | REDHAT |
44024 | https://www.exploit-db.com/exploits/44024/ | EXPLOIT-DB |
44025 | https://www.exploit-db.com/exploits/44025/ | EXPLOIT-DB |