Glibc Dynamic Loader Hit By A Nasty Local Privilege Escalation Vulnerability
Qualys announced this vulnerability a few minutes ago:
"The GNU C Library's dynamic loader "find[s] and load[s] the shared objects (shared libraries) needed by a program, prepare[s] the program to run, and then run[s] it" (man ld.so). The dynamic loader is extremely security sensitive, because its code runs with elevated privileges when a local user executes a set-user-ID program, a set-group-ID program, or a program with capabilities. Historically, the processing of environment variables such as LD_PRELOAD, LD_AUDIT, and LD_LIBRARY_PATH has been a fertile source of vulnerabilities in the dynamic loader.
Recently, we discovered a vulnerability (a buffer overflow) in the dynamic loader's processing of the GLIBC_TUNABLES environment variable. This vulnerability was introduced in April 2021 (glibc 2.34) by commit 2ed18c ("Fix SXID_ERASE behavior in setuid programs (BZ #27471)").
We successfully exploited this vulnerability and obtained full root privileges on the default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, Debian 12 and 13; other distributions are probably also vulnerable and exploitable (one notable exception is Alpine Linux, which uses musl libc, not the glibc). We will not publish our exploit for now; however, this buffer overflow is easily exploitable (by transforming it into a data-only attack), and other researchers might publish working exploits shortly after this coordinated disclosure."
See the oss-security mailing list for more details on this high-profile vulnerability.
This glibc dynamic loader vulnerability comes just hours after new X.Org/X11 vulnerabilities that date back as far as 1988 were disclosed. A rough day for computers and a long day for Linux administrators.
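The advisory above gives administrators two facts to act on: the vulnerable GLIBC_TUNABLES handling first appeared in glibc 2.34, and the code only runs with elevated privileges when a set-user-ID, set-group-ID or capability-bearing program is executed. The script below is an added triage example, not code from Qualys or the glibc project: it parses the glibc version (from `ldd --version` text or from Python's own `platform.libc_ver()`), reports whether the version is at or beyond the one that introduced the bug, and inventories the setuid/setgid executables that make up the local attack surface. The threshold constant and the `ldd` output format are assumptions stated in the comments; a version at or above 2.34 means "check your distribution's advisory", since distributions backport fixes without changing the minor version, and file capabilities are not covered here (use `getcap -r` for those).

```python
"""Triage helper for the glibc dynamic loader GLIBC_TUNABLES bug (added example)."""
import os
import platform
import re
import stat

# The advisory states the bug was introduced in glibc 2.34 (April 2021).
# Assumption: anything at or above this version may carry the vulnerable code
# unless the distribution has backported a fix.
INTRODUCED_IN = (2, 34)


def parse_glibc_version(ldd_output: str):
    """Return (major, minor) from the first line of `ldd --version` output.

    Assumed format: the first line ends with the bare version number, e.g.
    'ldd (GNU libc) 2.37' or 'ldd (Ubuntu GLIBC 2.35-0ubuntu3.1) 2.35'.
    """
    first = ldd_output.strip().splitlines()[0]
    m = re.search(r"(\d+)\.(\d+)\s*$", first)
    if not m:
        raise ValueError(f"no glibc version found in: {first!r}")
    return int(m.group(1)), int(m.group(2))


def in_affected_range(version) -> bool:
    """True when the version is at or beyond the one that introduced the bug.

    This is a version-number test only: a True result means 'consult the
    distro advisory and patch', not 'confirmed exploitable'.
    """
    return tuple(version) >= INTRODUCED_IN


def local_glibc_version():
    """Read the running C library via the stdlib; None if it is not glibc."""
    name, ver = platform.libc_ver()
    if name != "glibc" or not ver:
        return None  # e.g. musl-based systems, which the advisory excludes
    major, minor = ver.split(".")[:2]
    return int(major), int(minor)


def privileged_binaries(directories):
    """List regular files with the set-user-ID or set-group-ID bit set.

    These are the programs whose dynamic-loader run happens with elevated
    privileges, i.e. the local attack surface the advisory describes.
    File capabilities are not detected here.
    """
    found = []
    for d in directories:
        for root, _dirs, files in os.walk(d):
            for f in files:
                path = os.path.join(root, f)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # unreadable or vanished entry; skip it
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    found.append(path)
    return sorted(found)


if __name__ == "__main__":
    ver = local_glibc_version()
    if ver is None:
        print("running libc is not glibc; not affected by this advisory")
    else:
        state = "review against distro advisory" if in_affected_range(ver) else "predates the bug"
        print(f"glibc {ver[0]}.{ver[1]}: {state}")
    for p in privileged_binaries(["/usr/bin", "/usr/sbin", "/bin", "/sbin"]):
        print("privileged binary:", p)
```

Run it as root or as an ordinary user; the inventory only needs read access to the directory listings, and the version check needs nothing beyond the Python standard library.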
Glibc updates for the major Linux distributions should begin rolling out imminently. In the interim we are already seeing responses such as Debian temporarily restricting access to some of its systems until they are patched against this local privilege escalation vulnerability.