ID CVE-2017-16997
Summary elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretation of an empty RPATH/RUNPATH token as the "./" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.
References
Vulnerable Configurations
  • GNU glibc 2.19
    cpe:2.3:a:gnu:glibc:2.19
  • GNU glibc 2.20
    cpe:2.3:a:gnu:glibc:2.20
  • GNU glibc 2.21
    cpe:2.3:a:gnu:glibc:2.21
  • GNU glibc 2.22
    cpe:2.3:a:gnu:glibc:2.22
  • GNU glibc 2.23
    cpe:2.3:a:gnu:glibc:2.23
  • GNU glibc 2.25
    cpe:2.3:a:gnu:glibc:2.25
  • GNU glibc 2.26
    cpe:2.3:a:gnu:glibc:2.26
CVSS
Base: 9.3
Impact:
Exploitability:
CWE CWE-426
CAPEC
  • Leveraging/Manipulating Configuration File Search Paths
    This attack loads a malicious resource into a program's standard path used to bootstrap and/or provide contextual information for a program, such as a path variable or classpath. J2EE applications and other component-based applications that are built from multiple binaries can have a very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker, then application controls can be circumvented by the attacker. A standard UNIX path looks similar to this. If the attacker modifies the path variable to point to a locale that includes malicious resources, then the user unwittingly can execute commands on the attackers' behalf. This is a form of usurping control of the program, and the attack can be done on the classpath, database resources, or any other resources built from compound parts. At runtime, detection and blocking of this attack is nearly impossible, because the configuration allows execution.
nessus via4
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-2_0-0011-A.NASL
    description An update of {'ruby', 'glibc'} packages of Photon OS has been released.
    last seen 2018-09-02
    modified 2018-07-24
    plugin id 111281
    published 2018-07-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111281
    title Photon OS 2.0 : ruby / glibc (PhotonOS-PHSA-2018-2.0-0011-(a))
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-8E27AD96ED.NASL
    description This update addresses two security vulnerabilities : - CVE-2017-15670, CVE-2017-15671, CVE-2017-15804: Various vulnerabilities could lead to memory corruption in the `glob` and `glob64` functions. (RHBZ#1505298, RHBZ#1504807) - CVE-2017-16997: Check for empty tokens before dynamic string token expansion in the dynamic linker, so that pre-existing privileged programs with `$ORIGIN` rpaths/runpaths do not cause the dynamic linker to search the current directory, potentially leading to privilege escalation. (RHBZ#1526866). - CVE-2018-1000001: `getcwd` would sometimes return a non-absolute path, confusing the `realpath` function, leading to privilege escalation in conjunction with user namespaces. (RHBZ#1533837) In addition, this update replaces the dynamic linker trampoline on x86-64 with a version which uses the `XSAVE` instruction if it is available. This improves compatibility with future hardware and compilers which do not follow the x86-64 ABI. This update also adjusts the thread stack size accounting to provide additional stack space compared to previous glibc versions (to avoid introducing RHBZ#1527887). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-06-13
    plugin id 106281
    published 2018-01-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106281
    title Fedora 26 : glibc (2018-8e27ad96ed)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3534-1.NASL
    description It was discovered that the GNU C library did not properly handle all of the possible return values from the kernel getcwd(2) syscall. A local attacker could potentially exploit this to execute arbitrary code in setuid programs and gain administrative privileges. (CVE-2018-1000001) A memory leak was discovered in the _dl_init_paths() function in the GNU C library dynamic loader. A local attacker could potentially exploit this with a specially crafted value in the LD_HWCAP_MASK environment variable, in combination with CVE-2017-1000409 and another vulnerability on a system with hardlink protections disabled, in order to gain administrative privileges. (CVE-2017-1000408) A heap-based buffer overflow was discovered in the _dl_init_paths() function in the GNU C library dynamic loader. A local attacker could potentially exploit this with a specially crafted value in the LD_LIBRARY_PATH environment variable, in combination with CVE-2017-1000408 and another vulnerability on a system with hardlink protections disabled, in order to gain administrative privileges. (CVE-2017-1000409) An off-by-one error leading to a heap-based buffer overflow was discovered in the GNU C library glob() implementation. An attacker could potentially exploit this to cause a denial of service or execute arbitrary code via a maliciously crafted pattern. (CVE-2017-15670) A heap-based buffer overflow was discovered during unescaping of user names with the ~ operator in the GNU C library glob() implementation. An attacker could potentially exploit this to cause a denial of service or execute arbitrary code via a maliciously crafted pattern. (CVE-2017-15804) It was discovered that the GNU C library dynamic loader mishandles RPATH and RUNPATH containing $ORIGIN for privileged (setuid or AT_SECURE) programs. A local attacker could potentially exploit this by providing a specially crafted library in the current working directory in order to gain administrative privileges. (CVE-2017-16997) It was discovered that the GNU C library malloc() implementation could return a memory block that is too small if an attempt is made to allocate an object whose size is close to SIZE_MAX, resulting in a heap-based overflow. An attacker could potentially exploit this to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 17.10. (CVE-2017-17426). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-08-06
    plugin id 106134
    published 2018-01-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106134
    title Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : eglibc, glibc vulnerabilities (USN-3534-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-0074-1.NASL
    description This update for glibc fixes the following issues : - A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293] - A memory leak and a buffer overflow in the dynamic ELF loader have been fixed. [CVE-2017-1000408, CVE-2017-1000409, bsc#1071319] - An issue in the code handling RPATHs was fixed that could have been exploited by an attacker to execute code loaded from arbitrary libraries. [CVE-2017-16997, bsc#1073231] - A potential crash caused by a use-after-free bug in pthread_create() has been fixed. [bsc#1053188] - A bug that prevented users from building shared objects which use the optimized libmvec.so API has been fixed. [bsc#1070905] - A memory leak in the glob() function has been fixed. [CVE-2017-15670, CVE-2017-15671, CVE-2017-15804, bsc#1064569, bsc#1064580, bsc#1064583] - A bug that would lose the syscall error code value in case of crashes has been fixed. [bsc#1063675] Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-08-01
    plugin id 106044
    published 2018-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106044
    title SUSE SLED12 / SLES12 Security Update : glibc (SUSE-SU-2018:0074-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-7714B514E2.NASL
    description This update addresses two security vulnerabilities : - CVE-2017-16997: Check for empty tokens before dynamic string token expansion in the dynamic linker, so that pre-existing privileged programs with `$ORIGIN` rpaths/runpaths do not cause the dynamic linker to search the current directory, potentially leading to privilege escalation. (RHBZ#1526866). - CVE-2018-1000001: `getcwd` would sometimes return a non-absolute path, confusing the `realpath` function, leading to privilege escalation in conjunction with user namespaces. (RHBZ#1533837) In addition, this update changes the thread stack size accounting to provide additional stack space compared to previous glibc versions. For some applications (`nptd` in particular), the `PTHREAD_STACK_MIN` stack size was too small on x86-64 machines with AVX-512 support (RHBZ#1527887). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-02
    modified 2018-06-13
    plugin id 106279
    published 2018-01-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106279
    title Fedora 27 : glibc (2018-7714b514e2)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201804-02.NASL
    description The remote host is affected by the vulnerability described in GLSA-201804-02 (glibc: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in glibc. Please review the CVE identifiers referenced below for details. Impact : An attacker could possibly execute arbitrary code, escalate privileges, cause a Denial of Service condition, or have other unspecified impacts. Workaround : There is no known workaround at this time.
    last seen 2018-09-01
    modified 2018-06-13
    plugin id 108822
    published 2018-04-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108822
    title GLSA-201804-02 : glibc: Multiple vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-30.NASL
    description This update for glibc fixes the following issues : - A privilege escalation bug in the realpath() function has been fixed. [CVE-2018-1000001, bsc#1074293] - A memory leak and a buffer overflow in the dynamic ELF loader have been fixed. [CVE-2017-1000408, CVE-2017-1000409, bsc#1071319] - An issue in the code handling RPATHs was fixed that could have been exploited by an attacker to execute code loaded from arbitrary libraries. [CVE-2017-16997, bsc#1073231] - A potential crash caused by a use-after-free bug in pthread_create() has been fixed. [bsc#1053188] - A bug that prevented users from building shared objects which use the optimized libmvec.so API has been fixed. [bsc#1070905] - A memory leak in the glob() function has been fixed. [CVE-2017-15670, CVE-2017-15671, CVE-2017-15804, bsc#1064569, bsc#1064580, bsc#1064583] - A bug that would lose the syscall error code value in case of crashes has been fixed. [bsc#1063675] This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen 2018-09-02
    modified 2018-06-13
    plugin id 106059
    published 2018-01-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106059
    title openSUSE Security Update : glibc (openSUSE-2018-30)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-1_0-0098-A.NASL
    description An update of 'ruby', 'glibc' packages of Photon OS has been released.
    last seen 2018-09-01
    modified 2018-08-17
    plugin id 111910
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111910
    title Photon OS 1.0: Glibc / Ruby PHSA-2018-1.0-0098-(a)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-3092.NASL
    description An update for glibc is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The glibc packages provide the standard C libraries (libc), POSIX thread libraries (libpthread), standard math libraries (libm), and the name service cache daemon (nscd) used by multiple programs on the system. Without these libraries, the Linux system cannot function correctly. Security Fix(es) : * glibc: Incorrect handling of RPATH in elf/dl-load.c can be used to execute code loaded from arbitrary libraries (CVE-2017-16997) * glibc: Integer overflow in posix_memalign in memalign functions (CVE-2018-6485) * glibc: Integer overflow in stdlib/canonicalize.c on 32-bit architectures leading to stack-based buffer overflow (CVE-2018-11236) * glibc: Buffer overflow in __mempcpy_avx512_no_vzeroupper (CVE-2018-11237) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.6 Release Notes linked from the References section.
    last seen 2018-11-01
    modified 2018-10-31
    plugin id 118527
    published 2018-10-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118527
    title RHEL 7 : glibc (RHSA-2018:3092)
redhat via4
advisories
rhsa
id RHSA-2018:3092
rpms
  • glibc-0:2.17-260.el7
  • glibc-common-0:2.17-260.el7
  • glibc-devel-0:2.17-260.el7
  • glibc-headers-0:2.17-260.el7
  • glibc-static-0:2.17-260.el7
  • glibc-utils-0:2.17-260.el7
  • nscd-0:2.17-260.el7
refmap via4
bid 102228
confirm
Last major update 17-12-2017 - 20:29
Published 17-12-2017 - 20:29
Last modified 31-10-2018 - 06:29