module
glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation
| Disclosed | Created |
|---|---|
| 2010-10-18 | 2018-06-14 |
Disclosed
2010-10-18
Created
2018-06-14
Description
This module attempts to gain root privileges on Linux systems by abusing
a vulnerability in the GNU C Library (glibc) dynamic linker.
glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not
properly restrict use of the LD_AUDIT environment variable when loading
setuid executables. This allows loading arbitrary shared objects from
the trusted library search path with the privileges of the suid user.
This module uses LD_AUDIT to load the libpcprofile.so shared object,
distributed with some versions of glibc, and leverages arbitrary file
creation functionality in the library constructor to write a root-owned
world-writable file to a system trusted search path (usually /lib).
The file is then overwritten with a shared object then loaded with
LD_AUDIT resulting in arbitrary code execution.
This module has been tested successfully on glibc version 2.11.1 on
Ubuntu 10.04 x86_64 and version 2.7 on Debian 5.0.4 i386.
RHEL 5 is reportedly affected, but untested. Some glibc distributions
do not contain the libpcprofile.so library required for successful
exploitation.
a vulnerability in the GNU C Library (glibc) dynamic linker.
glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not
properly restrict use of the LD_AUDIT environment variable when loading
setuid executables. This allows loading arbitrary shared objects from
the trusted library search path with the privileges of the suid user.
This module uses LD_AUDIT to load the libpcprofile.so shared object,
distributed with some versions of glibc, and leverages arbitrary file
creation functionality in the library constructor to write a root-owned
world-writable file to a system trusted search path (usually /lib).
The file is then overwritten with a shared object then loaded with
LD_AUDIT resulting in arbitrary code execution.
This module has been tested successfully on glibc version 2.11.1 on
Ubuntu 10.04 x86_64 and version 2.7 on Debian 5.0.4 i386.
RHEL 5 is reportedly affected, but untested. Some glibc distributions
do not contain the libpcprofile.so library required for successful
exploitation.
Authors
Tavis Ormandy
zx2c4
Marco Ivaldi
Todor Donev
bcoles bcoles@gmail.com
zx2c4
Marco Ivaldi
Todor Donev
bcoles bcoles@gmail.com
Platform
Linux
Architectures
x86, x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.