Glibc Dynamic Loader Hit By A Nasty Local Privilege Escalation Vulnerability


A nasty vulnerability in glibc's dynamic loader was made public today that can let local users obtain full root privileges. It affects Linux distributions released over the past two years, with Ubuntu 22.04 LTS, 23.04, Fedora 38, and others vulnerable to this local privilege escalation issue.
Qualys announced the vulnerability a few minutes ago:
“The GNU C Library’s dynamic loader “find[s] and load[s] the shared objects (shared libraries) needed by a program, prepare[s] the program to run, and then run[s] it” (man ld.so). The dynamic loader is extremely security sensitive, because its code runs with elevated privileges when a local user executes a set-user-ID program, a set-group-ID program, or a program with capabilities. Historically, the processing of environment variables such as LD_PRELOAD, LD_AUDIT, and LD_LIBRARY_PATH has been a fertile source of vulnerabilities in the dynamic loader.
Recently, we discovered a vulnerability (a buffer overflow) in the dynamic loader’s processing of the GLIBC_TUNABLES environment variable. This vulnerability was introduced in April 2021 (glibc 2.34) by commit 2ed18c (“Fix SXID_ERASE behavior in setuid programs (BZ #27471)”).
We successfully exploited this vulnerability and obtained full root privileges on the default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13; other distributions are probably also vulnerable and exploitable (one notable exception is Alpine Linux, which uses musl libc, not the glibc). We will not publish our exploit for now; however, this buffer overflow is easily exploitable (by transforming it into a data-only attack), and other researchers might publish working exploits shortly after this coordinated disclosure.”
See the oss-security mailing list for more details on this high-profile vulnerability.
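As an added triage example (not code from this article or from Qualys), the POSIX shell script below turns two facts from the quoted advisory into a host check: the bug was introduced in glibc 2.34, and the loader only runs with elevated privileges under set-user-ID, set-group-ID and capability-bearing programs, so those are the programs worth inventorying. It assumes getconf(1), ldd(1) and find(1) are present; getcap(1) from libcap is optional. The script name triage.sh and the `scan` argument are the example's own choices.

```shell
#!/bin/sh
# Added triage example; not code from the article or from Qualys.
# Two checks drawn from the advisory text:
#   1. Is the running C library a glibc at or after 2.34, the release in which
#      the GLIBC_TUNABLES bug was introduced? (musl systems are not affected.)
#   2. Which set-user-ID, set-group-ID and capability-bearing programs exist?
#      Those are the programs under which ld.so runs with elevated privileges.
# Caveat: a version at or after 2.34 means "possibly affected". Distributions
# backport fixes without bumping the version, so only the distro advisory and
# package changelog say whether a given build is patched.

# Print "yes" if a "major.minor[.patch]" version is >= 2.34, "no" if it is an
# older glibc, "unknown" if the string is not a dotted numeric version.
glibc_version_at_or_after_234() {
    ver=$1
    case "$ver" in
        *.*) major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*} ;;
        *)   echo unknown; return 2 ;;
    esac
    case "$major" in ''|*[!0-9]*) echo unknown; return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) echo unknown; return 2 ;; esac
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 34 ]; }; then
        echo yes; return 0
    fi
    echo no; return 1
}

# Report the running C library: a glibc version string, "musl" for musl
# systems, or "unknown". Assumes getconf(1) and ldd(1) as shipped by common
# distributions; `getconf GNU_LIBC_VERSION` prints e.g. "glibc 2.35".
running_libc() {
    v=$(getconf GNU_LIBC_VERSION 2>/dev/null | awk '{print $2}')
    if [ -n "$v" ]; then echo "$v"; return 0; fi
    first=$(ldd --version 2>&1 | head -n 1)   # glibc ends its first line with the version
    case "$first" in
        *musl*)        echo musl ;;
        *GLIBC*|*GNU*) echo "${first##* }" ;;
        *)             echo unknown ;;
    esac
}

# Enumerate the privileged programs a local user could launch: setuid/setgid
# files on local filesystems, plus files carrying file capabilities when
# getcap(1) from libcap is installed.
list_privileged_binaries() {
    find / -xdev \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null
    if command -v getcap >/dev/null 2>&1; then
        getcap -r / 2>/dev/null
    fi
}

# Classify the host from its C library; prints one line and always succeeds.
classify_host() {
    lib=$(running_libc)
    case "$lib" in
        musl)    echo "not-affected (musl libc, as the advisory notes for Alpine)" ;;
        unknown) echo "unknown (could not determine the C library)" ;;
        *)
            case "$(glibc_version_at_or_after_234 "$lib")" in
                yes) echo "possibly-affected (glibc $lib >= 2.34; check the distro advisory for fix status)" ;;
                no)  echo "not-affected (glibc $lib predates 2.34)" ;;
                *)   echo "unknown (unparsed version '$lib')" ;;
            esac ;;
    esac
}

main() {
    classify_host
    # The filesystem walk is slow, so only run it when asked: sh triage.sh scan
    if [ "${1:-}" = "scan" ]; then
        echo "--- privileged programs (ld.so runs with elevated privileges for these) ---"
        list_privileged_binaries
    fi
    return 0
}

main "$@"
```

Run `sh triage.sh` for the version classification and `sh triage.sh scan` to also list the privileged programs. A "possibly-affected" result is a prompt to consult the distribution's advisory rather than a verdict: vendors backport the fix without changing the version string, so the number alone cannot prove a build is patched, and the inventory of setuid, setgid and capability-bearing binaries is what an attacker on the box would be choosing from.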
This glibc dynamic loader vulnerability comes just hours after new X.Org/X11 vulnerabilities dating back as far as 1988 were disclosed. A rough day for computers and a long day for Linux administrators.
Glibc updates for the major Linux distributions should begin rolling out imminently. In the interim we're already seeing actions such as Debian temporarily restricting access to some of its systems until they are patched against this local privilege escalation vulnerability.