Root privileges through vulnerability in GNU C library loader
A vulnerability in the library loader of the GNU C library can be exploited to obtain root privileges under Linux and other systems. Attackers could exploit the hole, for instance, to gain full control of a system by escalating their privileges after breaking into a web server with restricted access rights. Various distributors are already working on updates.
The loading of dynamically linked libraries when starting applications with Set User ID (SUID) privileges has always been a potential security issue. For example, an attacker might point the LD_PRELOAD environment variable at a crafted library, start an SUID program and have the library executed at the same privilege level as the SUID program. For this reason, various security measures and restrictions are in place to prevent such applications from loading arbitrary additional libraries, for instance, by supplying extra path information.
The new problem is rooted in the way in which the loader expands the $ORIGIN variable specified by the application. $ORIGIN allows library paths to be stated relative to an application's location. This allows libraries that are used infrequently to be placed in a subdirectory of the application instead of on the standard library path. While Tavis Ormandy, who discovered the hole, said that the ELF specification recommends that the loader ignore $ORIGIN for SUID and SGID binaries, it appears that the glibc developers haven't implemented this recommendation.
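Since the article's point turns on $ORIGIN being expanded for SUID/SGID binaries, a useful defender-side inventory is which privileged binaries on a host declare $ORIGIN in their own DT_RPATH/DT_RUNPATH at all: those are the entries a loader following the specification's recommendation would stop resolving, and the binaries to review first. The following is added example code written for this page, not from Ormandy's report or the glibc project; it parses little-endian ELF64 only, and `sample_elf` builds a constructed minimal binary so the parser can be exercised offline.

```python
"""Added example: flag ELF64 binaries whose DT_RPATH/DT_RUNPATH contains $ORIGIN."""
import struct

PT_LOAD, PT_DYNAMIC = 1, 2                                  # program header types
DT_NULL, DT_STRTAB, DT_RPATH, DT_RUNPATH = 0, 5, 15, 29     # dynamic section tags


def origin_rpaths(data):
    """Return the RPATH/RUNPATH strings of a little-endian ELF64 image that contain $ORIGIN."""
    if data[:6] != b"\x7fELF\x02\x01":
        return []                                   # not ELF, or not 64-bit little-endian
    phoff, = struct.unpack_from("<Q", data, 32)
    phentsize, phnum = struct.unpack_from("<HH", data, 54)
    loads, dynamic = [], None
    for i in range(phnum):                          # p_type p_flags p_offset p_vaddr p_paddr p_filesz
        ptype, _, off, vaddr, _, size = struct.unpack_from("<IIQQQQ", data, phoff + i * phentsize)
        if ptype == PT_LOAD:
            loads.append((vaddr, off, size))
        elif ptype == PT_DYNAMIC:
            dynamic = (off, off + size)
    if dynamic is None:
        return []                                   # static binary: ld.so has nothing to expand
    tags = {}
    for off in range(dynamic[0], dynamic[1], 16):   # Elf64_Dyn = d_tag (8) + d_val (8)
        tag, val = struct.unpack_from("<qQ", data, off)
        if tag == DT_NULL:
            break
        tags.setdefault(tag, []).append(val)
    # DT_STRTAB holds a virtual address; translate it to a file offset via the PT_LOAD segments
    strtab = tags.get(DT_STRTAB, [-1])[0]           # -1 when absent, so no segment matches
    base = next((strtab - va + off for va, off, sz in loads if va <= strtab < va + sz), None)
    if base is None:
        return []
    paths = [data[base + v:data.index(b"\0", base + v)].decode("ascii", "replace")
             for v in tags.get(DT_RPATH, []) + tags.get(DT_RUNPATH, [])]
    return [p for p in paths if "$ORIGIN" in p or "${ORIGIN}" in p]


def sample_elf(runpath):
    """Constructed minimal x86-64 ELF (one PT_LOAD at 0x400000 plus PT_DYNAMIC) with the given DT_RUNPATH."""
    strtab = b"\0" + runpath + b"\0"
    dyn_off, str_off = 64 + 2 * 56, 64 + 2 * 56 + 3 * 16
    total = str_off + len(strtab)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0x400000, 0x400000, total, total, 0x1000)
    phdr += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0x400000 + dyn_off, 0x400000 + dyn_off, 48, 48, 8)
    dyn = struct.pack("<qQqQqQ", DT_STRTAB, 0x400000 + str_off, DT_RUNPATH, 1, DT_NULL, 0)
    return ehdr + phdr + dyn + strtab
```

To inventory a host, read each file reported by `find / -type f -perm /6000` and pass its bytes to `origin_rpaths`; a non-empty result marks a privileged binary that relies on $ORIGIN.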
Using various tricks involving hard links, redirected file descriptors and environment variables, Ormandy managed to exploit the vulnerability and open a shell at root privilege level. According to Ormandy's tests, at least glibc versions 2.12.1 under Fedora 13 and 2.5 under Red Hat Enterprise Linux (RHEL) 5 are vulnerable. When tested by The H's associates at heise Security, however, a (64-bit) installation of Ubuntu 10.04 appeared unaffected. Ormandy writes in his report, though, that the hole can be exploited in a variety of ways.