SECURITY: glibc local root exploit
Thomas 'Balu' Walter
tw at itreff.de
Mon Sep 4 01:54:04 PDT 2000
Recently two problems have been found in the glibc-suite, which could be
used to trick setuid applications to run arbitrary code.
The first problem is the way ld.so handles environment variables: in
order to provide a safe environment for setuid applications it removes
certain environment variables that can influence application
execution such as LD_PRELOAD and LD_LIBRARY_PATH. Unfortunately there
was a bug that could cause ld.so to not remove them under some
conditions. This would affect setuid applications if they execute
another binary without dropping privileges or cleaning up the
The second problem is the locale handling in glibc. glibc checks for
characters like `/' in the LANG and LC_* environment variables to see if
someone is trying to trick a program into reading arbitrary files.
Unfortunately there were some logic errors in those checks which could
be used to make a setuid application use arbitrary files for
localization settings, which can be exploited to trick it into executing
A diff to glibc-2.1.3 can be found at
I don't have the time to take a closer look, but I think we should
take it seriously...
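
The advisory quoted above notes that setuid programs are exposed when they execute another binary without cleaning up the environment. The following C sketch is an added example, not part of the original message or of the glibc patch; it shows a privileged caller scrubbing its own environment before exec. The function names are hypothetical, and dropping every LD_* variable (not only LD_PRELOAD and LD_LIBRARY_PATH) is an assumption made here for safety.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if an environment entry ("NAME=value") should not be passed on
 * by a privileged program: any LD_* loader variable, or a LANG / LC_*
 * locale variable whose value contains '/'. */
static int env_entry_unsafe(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL)
        return 1;                       /* malformed entry: drop it */
    size_t nlen = (size_t)(eq - entry);
    if (nlen >= 3 && strncmp(entry, "LD_", 3) == 0)
        return 1;
    int is_locale = (nlen == 4 && strncmp(entry, "LANG", 4) == 0) ||
                    (nlen >= 3 && strncmp(entry, "LC_", 3) == 0);
    if (is_locale && strchr(eq + 1, '/') != NULL)
        return 1;
    return 0;
}

/* Compact a NULL-terminated environment array in place, keeping only the
 * safe entries. Returns the number of entries removed. */
static int scrub_env(char **envp)
{
    char **out = envp;
    int removed = 0;
    for (char **in = envp; *in != NULL; in++) {
        if (env_entry_unsafe(*in))
            removed++;
        else
            *out++ = *in;
    }
    *out = NULL;
    return removed;
}

int main(void)
{
    /* Constructed sample environment, not taken from the advisory. */
    char *env[] = { "PATH=/usr/bin:/bin", "LD_PRELOAD=/tmp/x.so",
                    "LANG=../../tmp/evil", "LC_ALL=C", "LD_LIBRARY_PATH=/tmp",
                    "TERM=xterm", NULL };
    int removed = scrub_env(env);
    printf("removed %d entries\n", removed);
    for (char **e = env; *e != NULL; e++)
        puts(*e);
    return 0;   /* a real caller would pass env to execve() */
}
```

A stricter variant builds a fresh environment from a short allowlist instead of filtering the inherited one.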