Privilege Escalation

Affecting glibc package, versions debian:10: <2.26-4 || debian:8: * || debian:9: * || debian:unstable: <2.26-4 || ubuntu:16.04: <2.23-0ubuntu10 || ubuntu:17.10: <2.26-0ubuntu2.1

high severity

Overview

In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.

The vulnerability is caused by a combination of a functional change in the Linux kernel syscall API (returning relative pathnames in getcwd()) and non-defensive function implementation in libc (failing to process that pathname correctly). A local attacker could potentially exploit this to execute arbitrary code in setuid programs and gain root privileges.
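
The faulty assumption described above, modelled in an added C example that is not glibc's code: a simplified realpath-style resolver seeds its buffer with a working-directory string, performs the ".." back-scan that runs before the buffer when that string is not absolute, and applies the check that rejects such input first. The function names and the constructed cwd strings in the comments and tests are assumptions, not taken from glibc.

```c
#include <errno.h>
#include <string.h>

/* Model (not glibc's code) of how realpath(3) seeds its output buffer with
   the working directory and resolves a relative NAME component by component,
   backing DEST up to the previous '/' for each "..".  The unpatched code
   assumed the seed begins with '/', so that scan stops at OUT[0]; a relative
   seed lets it run before the buffer, the underflow of CVE-2018-1000001.
   CWD stands in for the getcwd() result so constructed input can be used.
   Returns 0 on success, -1 with errno set on failure. */
int resolve_relative(const char *cwd, const char *name, char *out, size_t outlen)
{
    /* Hardened check in the spirit of the glibc fix: never trust a non-absolute cwd. */
    if (cwd == NULL || cwd[0] != '/') { errno = ENOENT; return -1; }
    size_t len = strlen(cwd);
    if (len + 1 > outlen) { errno = ENAMETOOLONG; return -1; }
    memcpy(out, cwd, len + 1);
    char *dest = out + len;                 /* at the terminating NUL */
    for (const char *p = name; *p != '\0';) {
        while (*p == '/') p++;              /* collapse repeated slashes */
        const char *start = p;
        while (*p != '\0' && *p != '/') p++;
        size_t clen = (size_t)(p - start);
        if (clen == 0) break;               /* trailing slash */
        if (clen == 1 && start[0] == '.') continue;
        if (clen == 2 && start[0] == '.' && start[1] == '.') {
            /* Safe only because out[0] == '/' was verified above: the scan
               stops no earlier than out[1]. */
            if (dest > out + 1)
                while ((--dest)[-1] != '/') ;
            continue;
        }
        /* Room for an optional '/', the component and the NUL. */
        if ((size_t)(dest - out) + 1 + clen + 1 > outlen) { errno = ENAMETOOLONG; return -1; }
        if (dest[-1] != '/') *dest++ = '/';
        memcpy(dest, start, clen);
        dest += clen; *dest = '\0';
    }
    if (dest > out + 1 && dest[-1] == '/') --dest;   /* strip trailing '/' */
    *dest = '\0';
    return 0;
}

/* Check helper: 1 if NAME relative to CWD resolves to EXPECTED, else 0. */
int resolves_to(const char *cwd, const char *name, const char *expected)
{
    char buf[256];
    return resolve_relative(cwd, name, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}
```

With a constructed seed such as "relative/dir" the resolver refuses to proceed; without the leading check, the ".." scan would read and then write below the start of the buffer.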

Note: Multiple exploits exist for this vulnerability and are publicly available.

Timeline

  • 2017-12-31: Reported to the distros list, since glibc errors should be reported to distros first.
  • 2018-01-01: Response from distros: the kernel issue should be handled first. Reported to kernel security.
  • 2018-01-02: Kernel security reply: getcwd() behaviour is documented in the getcwd(3) man page, not an issue. Only libraries need fixing.
  • 2018-01-07: Final high-reliability anti-ASLR exploit for Stretch/Xenial using getdate/execl.
  • 2018-01-10: CVE-2018-1000001 assigned.
  • 2018-01-11: Publication without exploit code.
  • 2018-01-12: SUSE distributes fixes: SUSE-SU-2018:0071-1.
  • 2018-01-16: PoC code released.

Credit
halfdog
CVE
CVE-2018-1000001
CWE
CWE-119
Snyk ID
SNYK-LINUX-GLIBC-129450
Disclosed
10 Jan, 2018
Published
10 Jan, 2018