Glibc Dynamic Loader Hit By A Nasty Local Privilege Escalation Vulnerability

Written by Michael Larabel in GNU on 3 October 2023 at 03:05 PM EDT.
A nasty vulnerability has been made public today concerning Glibc's dynamic loader that can lead to full root privileges being obtained by local users. This affects Linux distributions of the past two years with the likes of Ubuntu 22.04 LTS, 23.04, Fedora 38, and others vulnerable to this local privilege escalation issue.

Qualys announced this vulnerability a few minutes ago:
"The GNU C Library's dynamic loader "find[s] and load[s] the shared objects (shared libraries) needed by a program, prepare[s] the program to run, and then run[s] it" (man ld.so). The dynamic loader is extremely security sensitive, because its code runs with elevated privileges when a local user executes a set-user-ID program, a set-group-ID program, or a program with capabilities. Historically, the processing of environment variables such as LD_PRELOAD, LD_AUDIT, and LD_LIBRARY_PATH has been a fertile source of vulnerabilities in the dynamic loader.

Recently, we discovered a vulnerability (a buffer overflow) in the dynamic loader's processing of the GLIBC_TUNABLES environment variable. This vulnerability was introduced in April 2021 (glibc 2.34) by commit 2ed18c ("Fix SXID_ERASE behavior in setuid programs (BZ #27471)").

We successfully exploited this vulnerability and obtained full root privileges on the default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, Debian 12 and 13; other distributions are probably also vulnerable and exploitable (one notable exception is Alpine Linux, which uses musl libc, not the glibc). We will not publish our exploit for now; however, this buffer overflow is easily exploitable (by transforming it into a data-only attack), and other researchers might publish working exploits shortly after this coordinated disclosure."

See the oss-security mailing list for more details on this high-profile vulnerability.

A bad day for computers...
This glibc dynamic loader vulnerability comes just hours after new X.Org/X11 vulnerabilities that date back as far as 1988 were disclosed. A rough day for computers and a long day for Linux administrators.


Glibc updates for the major Linux distributions should begin rolling out imminently. In the interim, we are already seeing actions being taken, such as Debian temporarily restricting access to some of its systems until they are patched against this local privilege escalation vulnerability.
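For triage while packages roll out, the following is an added example (not code from this article, Qualys, or glibc). It checks whether a glibc version string is at or after the 2.34 release named in the advisory, and flags executions of set-user-ID, set-group-ID or capability-bearing programs whose environment sets GLIBC_TUNABLES. The event record schema and the sample records are constructed for illustration.

```python
import re
import stat

# From the advisory quoted above: the overflow was introduced in glibc 2.34.
FIRST_AFFECTED = (2, 34)

def glibc_version(text):
    """Return (major, minor) parsed from e.g. 'ldd (GNU libc) 2.37', or None."""
    m = re.search(r"(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def carries_vulnerable_code(version_text):
    """True if the upstream version is 2.34 or later. Distribution builds
    backport fixes without changing this number, so True means "check the
    vendor's package advisory", not "confirmed vulnerable"."""
    v = glibc_version(version_text)
    return v is not None and v >= FIRST_AFFECTED

def runs_privileged(event):
    """The loader runs elevated for set-user-ID, set-group-ID and capability programs."""
    setid = bool(event["mode"] & (stat.S_ISUID | stat.S_ISGID))
    return setid or bool(event.get("caps", False))

def flag_exec_events(events):
    """Return paths of privileged executions whose environment sets GLIBC_TUNABLES."""
    return [e["path"] for e in events
            if runs_privileged(e)
            and any(var.startswith("GLIBC_TUNABLES=") for var in e["env"])]

# Constructed sample exec records (hypothetical schema: path, st_mode, caps flag, envp).
TUNABLE = "GLIBC_TUNABLES=glibc.malloc.check=1"  # benign, well-formed tunable
SAMPLE_EVENTS = [
    {"path": "/usr/bin/su", "mode": 0o104755, "env": ["PATH=/usr/bin", TUNABLE]},
    {"path": "/usr/bin/ls", "mode": 0o100755, "env": [TUNABLE]},
    {"path": "/usr/bin/ping", "mode": 0o100755, "caps": True, "env": [TUNABLE]},
    {"path": "/usr/bin/passwd", "mode": 0o104755, "env": ["PATH=/usr/bin"]},
]

if __name__ == "__main__":
    print(carries_vulnerable_code("ldd (GNU libc) 2.37"))
    print(flag_exec_events(SAMPLE_EVENTS))
```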