This module attempts to gain root privileges on Linux systems by abusing
a vulnerability in the GNU C Library (glibc) dynamic linker.
glibc `ld.so` versions before 2.11.3, and 2.12.x before 2.12.2 does not
properly restrict use of the `LD_AUDIT` environment variable when loading
setuid executables which allows control over the `$ORIGIN` library search
path resulting in execution of arbitrary shared objects.
This module opens a file descriptor to the specified suid executable via
a hard link, then replaces the hard link with a shared object before
instructing the linker to execute the file descriptor, resulting in
arbitrary code execution.
The specified setuid binary must be readable and located on the same
file system partition as the specified writable directory.
This module has been tested successfully on:
glibc 2.5 on CentOS 5.4 (x86_64);
glibc 2.5 on CentOS 5.5 (x86_64);
glibc 2.12 on Fedora 13 (i386); and
glibc 2.5-49 on RHEL 5.5 (x86_64).
Some versions of `ld.so`, such as the version shipped with Ubuntu 14,
hit a failed assertion in `dl_open_worker` causing exploitation to fail.
- Tavis Ormandy
- bcoles <firstname.lastname@example.org>