module
glibc '$ORIGIN' Expansion Privilege Escalation
| Disclosed | Created |
|---|---|
| Oct 18, 2010 | Jun 14, 2018 |
Disclosed
Oct 18, 2010
Created
Jun 14, 2018
Description
This module attempts to gain root privileges on Linux systems by abusing
a vulnerability in the GNU C Library (glibc) dynamic linker.
glibc `ld.so` versions before 2.11.3, and 2.12.x before 2.12.2 does not
properly restrict use of the `LD_AUDIT` environment variable when loading
setuid executables which allows control over the `$ORIGIN` library search
path resulting in execution of arbitrary shared objects.
This module opens a file descriptor to the specified suid executable via
a hard link, then replaces the hard link with a shared object before
instructing the linker to execute the file descriptor, resulting in
arbitrary code execution.
The specified setuid binary must be readable and located on the same
file system partition as the specified writable directory.
This module has been tested successfully on:
glibc 2.5 on CentOS 5.4 (x86_64);
glibc 2.5 on CentOS 5.5 (x86_64);
glibc 2.12 on Fedora 13 (i386); and
glibc 2.5-49 on RHEL 5.5 (x86_64).
Some versions of `ld.so`, such as the version shipped with Ubuntu 14,
hit a failed assertion in `dl_open_worker` causing exploitation to fail.
a vulnerability in the GNU C Library (glibc) dynamic linker.
glibc `ld.so` versions before 2.11.3, and 2.12.x before 2.12.2 does not
properly restrict use of the `LD_AUDIT` environment variable when loading
setuid executables which allows control over the `$ORIGIN` library search
path resulting in execution of arbitrary shared objects.
This module opens a file descriptor to the specified suid executable via
a hard link, then replaces the hard link with a shared object before
instructing the linker to execute the file descriptor, resulting in
arbitrary code execution.
The specified setuid binary must be readable and located on the same
file system partition as the specified writable directory.
This module has been tested successfully on:
glibc 2.5 on CentOS 5.4 (x86_64);
glibc 2.5 on CentOS 5.5 (x86_64);
glibc 2.12 on Fedora 13 (i386); and
glibc 2.5-49 on RHEL 5.5 (x86_64).
Some versions of `ld.so`, such as the version shipped with Ubuntu 14,
hit a failed assertion in `dl_open_worker` causing exploitation to fail.
Authors
Tavis Ormandy
bcoles bcoles@gmail.com
bcoles bcoles@gmail.com
Platform
Linux
Architectures
x86, x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.