Rapid7 Vulnerability & Exploit Database

glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation

Back to Search

glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation

Disclosed
10/18/2010
Created
06/14/2018

Description

This module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker. glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2 does not properly restrict use of the LD_AUDIT environment variable when loading setuid executables. This allows loading arbitrary shared objects from the trusted library search path with the privileges of the suid user. This module uses LD_AUDIT to load the libpcprofile.so shared object, distributed with some versions of glibc, and leverages arbitrary file creation functionality in the library constructor to write a root-owned world-writable file to a system trusted search path (usually /lib). The file is then overwritten with a shared object then loaded with LD_AUDIT resulting in arbitrary code execution. This module has been tested successfully on glibc version 2.11.1 on Ubuntu 10.04 x86_64 and version 2.7 on Debian 5.0.4 i386. RHEL 5 is reportedly affected, but untested. Some glibc distributions do not contain the libpcprofile.so library required for successful exploitation.

Author(s)

  • Tavis Ormandy
  • zx2c4
  • Marco Ivaldi
  • Todor Donev
  • bcoles <bcoles@gmail.com>

Platform

Linux

Architectures

x86, x64

Development

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/linux/local/glibc_ld_audit_dso_load_priv_esc
msf exploit(glibc_ld_audit_dso_load_priv_esc) > show targets
    ...targets...
msf exploit(glibc_ld_audit_dso_load_priv_esc) > set TARGET < target-id >
msf exploit(glibc_ld_audit_dso_load_priv_esc) > show options
    ...show and set options...
msf exploit(glibc_ld_audit_dso_load_priv_esc) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security

;