Privilege Escalation

Affecting glibc package, versions debian:10: <2.26-4 || debian:8: * || debian:9: * || debian:unstable: <2.26-4 || ubuntu:16.04: <2.23-0ubuntu10 || ubuntu:17.10: <2.26-0ubuntu2.1

Overview

In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.

The vulnerability is caused by a combination of a functional change in the Linux kernel syscall API (returning relative pathnames in getcwd()) and non-defensive function implementation in libc (failing to process that pathname correctly). A local attacker could potentially exploit this to execute arbitrary code in setuid programs and gain root privileges.

Note: Multiple exploits exist for this vulnerability and are publicly available.
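The defensive check the overview describes as missing, shown as an added C illustration (this is example code, not glibc's realpath() implementation): a simplified canonicaliser that resolves a relative path against a directory string and verifies that the string is absolute before the ".." handling relies on out[0] being '/'. The functions canon_relative and canon_from_cwd, and the sample inputs in main, are constructed for this example; the "(unreachable)/..." form is the relative result that getcwd(3) documents for a working directory outside the process's root.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Canonicalise the relative path REL against the directory string CWD
 * into OUT (capacity OUTSZ).  Returns 0 on success, -1 with errno set.
 * CWD is a parameter rather than a direct getcwd() call so the logic can
 * be exercised with constructed inputs.  Illustrative code, not glibc's. */
int canon_relative(const char *cwd, const char *rel, char *out, size_t outsz)
{
    /* The check the advisory describes as absent: the ".." scan below
     * walks backwards looking for '/', using out[0] == '/' as its stop.
     * A non-absolute directory string (e.g. "(unreachable)/tmp") would
     * let that scan step before the start of the buffer. */
    if (cwd == NULL || cwd[0] != '/') {
        errno = ENOENT;
        return -1;
    }
    size_t len = strlen(cwd);
    if (len >= outsz) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(out, cwd, len + 1);
    char *dest = out + len;               /* at the terminating NUL */

    const char *p = rel;
    while (*p != '\0') {
        while (*p == '/') p++;            /* skip separator run */
        const char *start = p;
        while (*p != '\0' && *p != '/') p++;
        size_t clen = (size_t)(p - start);
        if (clen == 0) break;
        if (clen == 1 && start[0] == '.')
            continue;                     /* "." leaves the path unchanged */
        if (clen == 2 && start[0] == '.' && start[1] == '.') {
            /* "..": back up to the previous '/', never past out[0].
             * The explicit dest > out bound is a second line of defence
             * in addition to the absolute-path check above. */
            if (dest > out + 1) {
                --dest;
                while (dest > out && dest[-1] != '/') --dest;
                if (dest > out + 1) --dest;   /* drop '/' unless it is root */
                *dest = '\0';
            }
            continue;
        }
        /* Ordinary component: append "/name" with bounds checks. */
        if (dest[-1] != '/') {
            if ((size_t)(dest - out) + 1 >= outsz) { errno = ENAMETOOLONG; return -1; }
            *dest++ = '/';
        }
        if ((size_t)(dest - out) + clen >= outsz) { errno = ENAMETOOLONG; return -1; }
        memcpy(dest, start, clen);
        dest += clen;
        *dest = '\0';
    }
    return 0;
}

/* Same resolution against the process's real working directory. */
int canon_from_cwd(const char *rel, char *out, size_t outsz)
{
    char cwd[4096];
    if (getcwd(cwd, sizeof cwd) == NULL)
        return -1;                        /* errno set by getcwd() */
    return canon_relative(cwd, rel, out, outsz);
}

int main(void)
{
    /* Constructed inputs: an ordinary cwd, the root, and a relative
     * "(unreachable)" result that the check must reject. */
    char buf[64];
    if (canon_relative("/home/user", "../x", buf, sizeof buf) == 0)
        printf("%s\n", buf);
    if (canon_relative("/", "../..", buf, sizeof buf) == 0)
        printf("%s\n", buf);
    if (canon_relative("(unreachable)/tmp", "..", buf, sizeof buf) == -1)
        printf("rejected non-absolute directory: %s\n", strerror(errno));
    return 0;
}
```

The point of the example is the ordering: the absolute-path check runs before any pointer arithmetic depends on it, and the ".." loop carries its own lower bound, so neither a surprising kernel result nor a future change to the sentinel assumption can move dest below the start of the buffer.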

Timeline

  • 2017-12-31: Reported to the distros list, since glibc issues should be reported to distros first.
  • 2018-01-01: Distros reply: the kernel issue should be handled first. Reported to kernel security.
  • 2018-01-02: Kernel security reply: getcwd() behaviour is documented in the getcwd(3) man page, so not a kernel issue; only libraries need fixing.
  • 2018-01-07: Final high-reliability anti-ASLR exploit for Stretch/Xenial using getdate/execl.
  • 2018-01-10: CVE-2018-1000001 assigned.
  • 2018-01-11: Publication without exploit code.
  • 2018-01-12: SUSE distributes fixes: SUSE-SU-2018:0071-1.
  • 2018-01-16: PoC code released.

CVSS Score

7.8 (high severity)
  • Attack Vector
    Local
  • Attack Complexity
    Low
  • Privileges Required
    Low
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:H
  • Credit
    halfdog
  • CVE
    CVE-2018-1000001
  • CWE
    CWE-119
  • Snyk ID
    SNYK-LINUX-GLIBC-129450
  • Disclosed
    10 Jan, 2018
  • Published
    10 Jan, 2018