exploit the possibilities
Showing 1 - 11 of 11 RSS Feed

CVE-2010-3847

Status Candidate

Overview

elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of $ORIGIN for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory.

Related Files

glibc LD_AUDIT libmemusage.so RHEL-Based Arbitrary DSO Load Privilege Escalation
Posted Mar 30, 2018
Authored by Marco Ivaldi, Tavis Ormandy, Todor Donev, zx2c4, Brendan Coles | Site metasploit.com

This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker with libmemusage.so library.

tags | exploit, root
systems | linux
advisories | CVE-2010-3847, CVE-2010-3856
MD5 | 82d002207d92e79c81d147d0cbc73594
glibc '$ORIGIN' Expansion Privilege Escalation
Posted Feb 10, 2018
Authored by Tavis Ormandy, Brendan Coles | Site metasploit.com

This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker. glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not properly restrict use of the LD_AUDIT environment variable when loading setuid executables which allows control over the $ORIGIN library search path resulting in execution of arbitrary shared objects. This Metasploit module opens a file descriptor to the specified suid executable via a hard link, then replaces the hard link with a shared object before instructing the linker to execute the file descriptor, resulting in arbitrary code execution. The specified setuid binary must be readable and located on the same file system partition as the specified writable directory. This Metasploit module has been tested successfully on glibc version 2.5 on CentOS 5.4 (x86_64), 2.5 on CentOS 5.5 (x86_64) and 2.12 on Fedora 13 (i386). RHEL 5 is reportedly affected, but untested. Some versions of ld.so hit a failed assertion in dl_open_worker causing exploitation to fail.

tags | exploit, arbitrary, root, code execution
systems | linux, fedora, centos
advisories | CVE-2010-3847
MD5 | e8b55dc3fe5f3080c962d9dabae028c4
glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation
Posted Feb 10, 2018
Authored by Marco Ivaldi, Tavis Ormandy, Todor Donev, zx2c4, Brendan Coles | Site metasploit.com

This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker. glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not properly restrict use of the LD_AUDIT environment variable when loading setuid executables. This allows loading arbitrary shared objects from the trusted library search path with the privileges of the suid user. This Metasploit module uses LD_AUDIT to load the libpcprofile.so shared object, distributed with some versions of glibc, and leverages arbitrary file creation functionality in the library constructor to write a root-owned world-writable file to a system trusted search path (usually /lib). The file is then overwritten with a shared object then loaded with LD_AUDIT resulting in arbitrary code execution. This Metasploit module has been tested successfully on glibc version 2.11.1 on Ubuntu 10.04 x86_64 and version 2.7 on Debian 5.0.4 i386. RHEL 5 is reportedly affected, but untested. Some glibc distributions do not contain the libpcprofile.so library required for successful exploitation.

tags | exploit, arbitrary, root, code execution
systems | linux, debian, ubuntu
advisories | CVE-2010-3847, CVE-2010-3856
MD5 | 2bf9e1106acf9e1f0a7b618fe7f2da3f
Gentoo Linux Security Advisory 201312-01
Posted Dec 4, 2013
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201312-1 - Multiple vulnerabilities have been found in GNU C Library, the worst of which allowing arbitrary code execution and privilege escalation. Versions less than 2.15-r3 are affected.

tags | advisory, arbitrary, vulnerability, code execution
systems | linux, gentoo
advisories | CVE-2009-5029, CVE-2010-3847, CVE-2011-0536, CVE-2011-1071, CVE-2011-1089, CVE-2011-1095, CVE-2011-1658, CVE-2011-1659, CVE-2012-0864
MD5 | 77cadf36eb4b2421f849762d1c81eeeb
Debian Security Advisory 2122-2
Posted Jan 12, 2011
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2122-2 - Colin Watson discovered that the update for stable released in DSA-2122-1 did not complete address the underlying security issue in all possible scenarios.

tags | advisory
systems | linux, debian
advisories | CVE-2010-3847, CVE-2010-3856
MD5 | 1614690068b7a0c1dc543ac37531eeca
VMware Security Advisory 2011-0001
Posted Jan 6, 2011
Authored by VMware | Site vmware.com

VMware Security Advisory 2011-0001 - ESX 4.0 Service Console OS (COS) updates for glibc, sudo, and openldap packages.

tags | advisory
advisories | CVE-2010-0211, CVE-2010-0212, CVE-2010-2956, CVE-2010-3847, CVE-2010-3856
MD5 | 885d7ccf5915c856af898922a2b80e13
Gentoo Linux Security Advisory 201011-01
Posted Nov 16, 2010
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201011-1 - Multiple vulnerabilities were found in glibc, the worst of which allowing local attackers to execute arbitrary code as root. Multiple vulnerabilities were found in glibc, amongst others the widely-known recent LD_AUDIT and $ORIGIN issues. For further information please consult the CVE entries referenced below. Versions less than 2.11.2-r3 are affected.

tags | advisory, arbitrary, local, root, vulnerability
systems | linux, gentoo
advisories | CVE-2009-4880, CVE-2009-4881, CVE-2010-0296, CVE-2010-0830, CVE-2010-3847, CVE-2010-3856
MD5 | 5cea4225da35cf3fb30d0ffed4cc46a2
Ubuntu Security Notice 1009-1
Posted Oct 27, 2010
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 1009-1 - Tavis Ormandy discovered multiple flaws in the GNU C Library's handling of the LD_AUDIT environment variable when running a privileged binary. A local attacker could exploit this to gain root privileges.

tags | advisory, local, root
systems | linux, ubuntu
advisories | CVE-2010-3847, CVE-2010-3856
MD5 | f9a7f5b0ad053bed71d722c917ea4c87
Debian Linux Security Advisory 2122-1
Posted Oct 22, 2010
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2122-1 - Ben Hawkes and Tavis Ormandy discovered that the dynamic loader in GNU libc allows local users to gain root privileges using a crafted LD_AUDIT environment variable.

tags | advisory, local, root
systems | linux, debian
advisories | CVE-2010-3847, CVE-2010-3856
MD5 | 63caa486471c8f786f73a386441d0b72
Mandriva Linux Security Advisory 2010-207
Posted Oct 20, 2010
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2010-207 - A vulnerability in the GNU C library was discovered which could escalate the privileges for local users.

tags | advisory, local
systems | linux, mandriva
advisories | CVE-2010-3847
MD5 | eca357f574d6f5078d4c4e08e372c6ea
GNU C Library Dynamic Linker $ORIGIN Expansion Vulnerability
Posted Oct 19, 2010
Authored by Tavis Ormandy

The GNU C library dynamic linker suffers from an $ORIGIN expansion vulnerability.

tags | exploit
advisories | CVE-2010-3847
MD5 | f2e84353fe16194342b73b40025a36f6
Page 1 of 1
Back1Next

File Archive:

November 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    2 Files
  • 2
    Nov 2nd
    9 Files
  • 3
    Nov 3rd
    15 Files
  • 4
    Nov 4th
    90 Files
  • 5
    Nov 5th
    22 Files
  • 6
    Nov 6th
    16 Files
  • 7
    Nov 7th
    1 Files
  • 8
    Nov 8th
    1 Files
  • 9
    Nov 9th
    40 Files
  • 10
    Nov 10th
    27 Files
  • 11
    Nov 11th
    28 Files
  • 12
    Nov 12th
    13 Files
  • 13
    Nov 13th
    18 Files
  • 14
    Nov 14th
    2 Files
  • 15
    Nov 15th
    2 Files
  • 16
    Nov 16th
    29 Files
  • 17
    Nov 17th
    15 Files
  • 18
    Nov 18th
    15 Files
  • 19
    Nov 19th
    21 Files
  • 20
    Nov 20th
    16 Files
  • 21
    Nov 21st
    1 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    19 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close