CVE-2010-3847

elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of $ORIGIN for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory.

CVSS v2.0 6.9 MEDIUM

6.9^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:L/AC:M/Au:N/C:C/I:C/A:C

Exploitability : 3.4 / Impact : 10.0

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://www.vmware.com/security/advisories/VMSA-2011-0001.html
http://seclists.org/fulldisclosure/2010/Oct/292
http://seclists.org/fulldisclosure/2010/Oct/257	Exploit
http://seclists.org/fulldisclosure/2010/Oct/294
https://bugzilla.redhat.com/show_bug.cgi?id=643306	Patch
https://rhn.redhat.com/errata/RHSA-2010-0787.html
http://sourceware.org/ml/libc-hacker/2010-10/msg00007.html	Patch
http://www.vupen.com/english/advisories/2011/0025	Vendor Advisory
http://www.kb.cert.org/vuls/id/537223	US Government Resource
http://www.debian.org/security/2010/dsa-2122
http://www.ubuntu.com/usn/USN-1009-1
http://www.redhat.com/support/errata/RHSA-2010-0872.html
http://secunia.com/advisories/42787	Vendor Advisory
http://support.avaya.com/css/P8/documents/100120941
http://security.gentoo.org/glsa/glsa-201011-01.xml
http://www.securityfocus.com/bid/44154
http://www.mandriva.com/security/advisories?name=MDVSA-2010:207
https://lists.opensuse.org/opensuse-security-announce/2010-10/msg00007.html
https://www.exploit-db.com/exploits/44025/
https://www.exploit-db.com/exploits/44024/
http://www.securityfocus.com/archive/1/515545/100/0/threaded

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gnu:glibc:2.2.2:::::::*
	cpe:2.3:a:gnu:glibc:2.9:::::::*
	cpe:2.3:a:gnu:glibc:2.7:::::::*
	cpe:2.3:a:gnu:glibc:2.1.2:::::::*
	cpe:2.3:a:gnu:glibc:2.11:::::::*
	cpe:2.3:a:gnu:glibc:2.0.5:::::::*
	cpe:2.3:a:gnu:glibc:2.2.5:::::::*
	cpe:2.3:a:gnu:glibc:2.0.6:::::::*
	cpe:2.3:a:gnu:glibc:2.10.1:::::::*
	cpe:2.3:a:gnu:glibc:1.00:::::::*
	cpe:2.3:a:gnu:glibc:1.06:::::::*
	cpe:2.3:a:gnu:glibc:2.1.1:::::::*
	cpe:2.3:a:gnu:glibc:1.02:::::::*
	cpe:2.3:a:gnu:glibc:2.0.3:::::::*
	cpe:2.3:a:gnu:glibc:1.07:::::::*
	cpe:2.3:a:gnu:glibc:2.3.1:::::::*
	cpe:2.3:a:gnu:glibc:2.3:::::::*
	cpe:2.3:a:gnu:glibc:2.12.0:::::::*
	cpe:2.3:a:gnu:glibc:2.0:::::::*
	cpe:2.3:a:gnu:glibc:2.1.1.6:::::::*
	cpe:2.3:a:gnu:glibc:1.04:::::::*
	cpe:2.3:a:gnu:glibc:1.01:::::::*
	cpe:2.3:a:gnu:glibc:2.3.10:::::::*
	cpe:2.3:a:gnu:glibc:2.4:::::::*
	cpe:2.3:a:gnu:glibc:2.1:::::::*
	cpe:2.3:a:gnu:glibc:2.3.4:::::::*
	cpe:2.3:a:gnu:glibc:1.09.1:::::::*
	cpe:2.3:a:gnu:glibc:2.1.9:::::::*
	cpe:2.3:a:gnu:glibc:2.3.3:::::::*
	cpe:2.3:a:gnu:glibc:2.12.1:::::::*
	cpe:2.3:a:gnu:glibc:2.6.1:::::::*
	cpe:2.3:a:gnu:glibc:2.0.1:::::::*
	cpe:2.3:a:gnu:glibc:1.09:::::::*
	cpe:2.3:a:gnu:glibc:2.10:::::::*
	cpe:2.3:a:gnu:glibc:2.5.1:::::::*
	cpe:2.3:a:gnu:glibc:2.6:::::::*
	cpe:2.3:a:gnu:glibc:2.0.4:::::::*
	cpe:2.3:a:gnu:glibc:2.0.2:::::::*
	cpe:2.3:a:gnu:glibc:2.2.1:::::::*
	cpe:2.3:a:gnu:glibc:2.3.2:::::::*
	cpe:2.3:a:gnu:glibc:1.03:::::::*
	cpe:2.3:a:gnu:glibc:2.1.3.10:::::::*
	cpe:2.3:a:gnu:glibc:2.3.6:::::::*
	cpe:2.3:a:gnu:glibc:2.2.3:::::::*
	cpe:2.3:a:gnu:glibc:2.5:::::::*
	cpe:2.3:a:gnu:glibc:1.08:::::::*
	cpe:2.3:a:gnu:glibc:2.3.5:::::::*
	cpe:2.3:a:gnu:glibc:2.8:::::::*
	cpe:2.3:a:gnu:glibc:2.11.1:::::::*
	cpe:2.3:a:gnu:glibc:2.2.4:::::::*
	cpe:2.3:a:gnu:glibc:2.1.3:::::::*
	cpe:2.3:a:gnu:glibc::::::::
	cpe:2.3:a:gnu:glibc:1.05:::::::*
	cpe:2.3:a:gnu:glibc:2.2:::::::*
	cpe:2.3:a:gnu:glibc:2.10.2:::::::*

Information

Published : 2011-01-07 11:00

Updated : 2023-02-12 20:26

NVD link : CVE-2010-3847

Mitre link : CVE-2010-3847

JSON object : View

CWE

CWE-59

Improper Link Resolution Before File Access ('Link Following')

Products Affected

gnu

glibc

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.vmware.com/security/advisories/VMSA-2011-0001.html", "name": "http://www.vmware.com/security/advisories/VMSA-2011-0001.html", "tags": [], "refsource": "CONFIRM"}, {"url": "http://seclists.org/fulldisclosure/2010/Oct/292", "name": "20101019 Re: The GNU C library dynamic linker expands $ORIGIN in setuid library search path", "tags": [], "refsource": "FULLDISC"}, {"url": "http://seclists.org/fulldisclosure/2010/Oct/257", "name": "20101018 The GNU C library dynamic linker expands $ORIGIN in setuid library search path", "tags": ["Exploit"], "refsource": "FULLDISC"}, {"url": "http://seclists.org/fulldisclosure/2010/Oct/294", "name": "20101020 Re: The GNU C library dynamic linker expands $ORIGIN in setuid library search path", "tags": [], "refsource": "FULLDISC"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=643306", "name": "https://bugzilla.redhat.com/show_bug.cgi?id=643306", "tags": ["Patch"], "refsource": "CONFIRM"}, {"url": "https://rhn.redhat.com/errata/RHSA-2010-0787.html", "name": "RHSA-2010:0787", "tags": [], "refsource": "REDHAT"}, {"url": "http://sourceware.org/ml/libc-hacker/2010-10/msg00007.html", "name": "[libc-hacker] 20101018 [PATCH] Never expand $ORIGIN in privileged programs", "tags": ["Patch"], "refsource": "MLIST"}, {"url": "http://www.vupen.com/english/advisories/2011/0025", "name": "ADV-2011-0025", "tags": ["Vendor Advisory"], "refsource": "VUPEN"}, {"url": "http://www.kb.cert.org/vuls/id/537223", "name": "VU#537223", "tags": ["US Government Resource"], "refsource": "CERT-VN"}, {"url": "http://www.debian.org/security/2010/dsa-2122", "name": "DSA-2122", "tags": [], "refsource": "DEBIAN"}, {"url": "http://www.ubuntu.com/usn/USN-1009-1", "name": "USN-1009-1", "tags": [], "refsource": "UBUNTU"}, {"url": "http://www.redhat.com/support/errata/RHSA-2010-0872.html", "name": "RHSA-2010:0872", "tags": [], "refsource": "REDHAT"}, {"url": "http://secunia.com/advisories/42787", "name": "42787", "tags": ["Vendor Advisory"], "refsource": "SECUNIA"}, {"url": "http://support.avaya.com/css/P8/documents/100120941", "name": "http://support.avaya.com/css/P8/documents/100120941", "tags": [], "refsource": "CONFIRM"}, {"url": "http://security.gentoo.org/glsa/glsa-201011-01.xml", "name": "GLSA-201011-01", "tags": [], "refsource": "GENTOO"}, {"url": "http://www.securityfocus.com/bid/44154", "name": "44154", "tags": [], "refsource": "BID"}, {"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2010:207", "name": "MDVSA-2010:207", "tags": [], "refsource": "MANDRIVA"}, {"url": "https://lists.opensuse.org/opensuse-security-announce/2010-10/msg00007.html", "name": "SUSE-SA:2010:052", "tags": [], "refsource": "SUSE"}, {"url": "https://www.exploit-db.com/exploits/44025/", "name": "44025", "tags": [], "refsource": "EXPLOIT-DB"}, {"url": "https://www.exploit-db.com/exploits/44024/", "name": "44024", "tags": [], "refsource": "EXPLOIT-DB"}, {"url": "http://www.securityfocus.com/archive/1/515545/100/0/threaded", "name": "20110105 VMSA-2011-0001 VMware ESX third party updates for Service Console packages glibc, sudo, and openldap", "tags": [], "refsource": "BUGTRAQ"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of $ORIGIN for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-59"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2010-3847", "ASSIGNER": "secalert@redhat.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 6.9, "accessVector": "LOCAL", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "MEDIUM", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "severity": "MEDIUM", "acInsufInfo": false, "impactScore": 10.0, "obtainAllPrivilege": false, "exploitabilityScore": 3.4, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2011-01-07T19:00Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.2.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.9:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.1.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.11:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.0.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.2.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.0.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.10.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:1.00:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:1.06:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.1.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:1.02:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.0.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:1.07:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.3.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.12.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.1.1.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:1.04:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:1.01:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.3.10:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.3.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:1.09.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.1.9:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.3.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.12.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.6.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.0.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:1.09:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.10:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.5.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.0.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.0.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.2.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.3.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:1.03:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.1.3.10:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.3.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.2.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:1.08:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.3.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.8:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.11.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.2.4:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.1.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "2.11.2"}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:1.05:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:gnu:glibc:2.10.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2023-02-13T04:26Z"}

6.9 /10