SECURITY: glibc local root exploit

Thomas 'Balu' Walter tw at itreff.de
Mon Sep 4 01:54:04 PDT 2000


From debian-security-advisory
(http://www.debian.org/security/2000/20000902):

Recently two problems have been found in the glibc-suite, which could be
used to trick setuid applications to run arbitrary code.

The first problem is the way ld.so handles environment variables: in
order to provide a safe environment for setuid applications it removes
certain environment variables that can influence application
execution such as LD_PRELOAD and LD_LIBRARY_PATH. Unfortunately there
was a bug that could cause ld.so to not remove them under some
conditions. This would affect setuid applications if they execute
another binary without dropping privileges or cleaning up the
environment themselves.

The second problem is the locale handling in glibc. glibc checks for
characters like `/' in the LANG and LC_* environment variables to see if
someone is trying to trick a program into reading arbitrary files.
Unfortunately there were some logic errors in those checks which could
be used to make a setuid application use arbitrary files for
localization settings, which can be exploited to trick it into executing
arbitrary code. 

A diff to glibc-2.1.3 can be found at
http://security.debian.org/dists/potato/updates/main/source/glibc_2.1.3-13.diff.gz

I don't have the time to take a closer look, but I think we should
take it seriously...

     Balu
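An added example, not from the advisory or from glibc, of the mitigation the advisory points to for the first problem: a setuid program that has to exec another binary filters its own environment instead of trusting ld.so to have stripped LD_* for it. It drops every LD_* variable, rejects LANG/LC_* values containing a '/' (the check whose logic errors make up the second problem), and passes on only an allowlist of names; the allowlist and the function names are my own choices.

```c
#include <string.h>

/* Names a setuid helper is allowed to inherit (an illustrative choice). */
static const char *const allowed[] = {
    "PATH", "TERM", "LANG", "LC_ALL", "LC_CTYPE", "LC_MESSAGES", NULL
};

/* Returns 1 if a "NAME=value" entry may be passed to the child, else 0. */
int env_entry_is_safe(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL)
        return 0;
    size_t namelen = (size_t)(eq - entry);
    const char *value = eq + 1;

    /* Never forward anything the dynamic loader reads (LD_PRELOAD, LD_LIBRARY_PATH, ...). */
    if (namelen >= 3 && strncmp(entry, "LD_", 3) == 0)
        return 0;
    /* Locale variables must not be able to name a file: reject any '/'. */
    if ((namelen == 4 && strncmp(entry, "LANG", 4) == 0) ||
        (namelen >= 3 && strncmp(entry, "LC_", 3) == 0)) {
        if (strchr(value, '/') != NULL)
            return 0;
    }
    /* Everything else must be on the allowlist. */
    for (size_t i = 0; allowed[i] != NULL; i++)
        if (strlen(allowed[i]) == namelen && strncmp(entry, allowed[i], namelen) == 0)
            return 1;
    return 0;
}

/* Copies the safe entries of envp into out (NULL-terminated, at most max-1 kept)
 * and returns how many were kept; out is then suitable as the envp of execve(). */
size_t sanitize_environment(char *const *envp, const char **out, size_t max)
{
    size_t n = 0;
    for (; *envp != NULL && n + 1 < max; envp++)
        if (env_entry_is_safe(*envp))
            out[n++] = *envp;
    out[n] = NULL;
    return n;
}
```

Call sanitize_environment(environ, clean, N) right before execve() and hand it clean as the environment; the allowlist means a variable ld.so fails to strip is still never inherited.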