glibc '$ORIGIN' Expansion Privilege Escalation

Description

This module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker. glibc `ld.so` versions before 2.11.3, and 2.12.x before 2.12.2 does not properly restrict use of the `LD_AUDIT` environment variable when loading setuid executables which allows control over the `$ORIGIN` library search path resulting in execution of arbitrary shared objects. This module opens a file descriptor to the specified suid executable via a hard link, then replaces the hard link with a shared object before instructing the linker to execute the file descriptor, resulting in arbitrary code execution. The specified setuid binary must be readable and located on the same file system partition as the specified writable directory. This module has been tested successfully on: glibc 2.5 on CentOS 5.4 (x86_64); glibc 2.5 on CentOS 5.5 (x86_64); glibc 2.12 on Fedora 13 (i386); and glibc 2.5-49 on RHEL 5.5 (x86_64). Some versions of `ld.so`, such as the version shipped with Ubuntu 14, hit a failed assertion in `dl_open_worker` causing exploitation to fail.

Author(s)

• Tavis Ormandy
• bcoles <bcoles@gmail.com>

Platform

Linux

Architectures

x86, x64