CVE-2010-3847

elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of $ORIGIN for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory.

Weakness

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Affected Software

Name	Vendor	Start Version	End Version
Glibc	Gnu	*	2.11.2 (including)
Glibc	Gnu	1.00 (including)	1.00 (including)
Glibc	Gnu	1.01 (including)	1.01 (including)
Glibc	Gnu	1.02 (including)	1.02 (including)
Glibc	Gnu	1.03 (including)	1.03 (including)
Glibc	Gnu	1.04 (including)	1.04 (including)
Glibc	Gnu	1.05 (including)	1.05 (including)
Glibc	Gnu	1.06 (including)	1.06 (including)
Glibc	Gnu	1.07 (including)	1.07 (including)
Glibc	Gnu	1.08 (including)	1.08 (including)
Glibc	Gnu	1.09 (including)	1.09 (including)
Glibc	Gnu	1.09.1 (including)	1.09.1 (including)
Glibc	Gnu	2.0 (including)	2.0 (including)
Glibc	Gnu	2.0.1 (including)	2.0.1 (including)
Glibc	Gnu	2.0.2 (including)	2.0.2 (including)
Glibc	Gnu	2.0.3 (including)	2.0.3 (including)
Glibc	Gnu	2.0.4 (including)	2.0.4 (including)
Glibc	Gnu	2.0.5 (including)	2.0.5 (including)
Glibc	Gnu	2.0.6 (including)	2.0.6 (including)
Glibc	Gnu	2.1 (including)	2.1 (including)
Glibc	Gnu	2.1.1 (including)	2.1.1 (including)
Glibc	Gnu	2.1.1.6 (including)	2.1.1.6 (including)
Glibc	Gnu	2.1.2 (including)	2.1.2 (including)
Glibc	Gnu	2.1.3 (including)	2.1.3 (including)
Glibc	Gnu	2.1.3.10 (including)	2.1.3.10 (including)
Glibc	Gnu	2.1.9 (including)	2.1.9 (including)
Glibc	Gnu	2.2 (including)	2.2 (including)
Glibc	Gnu	2.2.1 (including)	2.2.1 (including)
Glibc	Gnu	2.2.2 (including)	2.2.2 (including)
Glibc	Gnu	2.2.3 (including)	2.2.3 (including)
Glibc	Gnu	2.2.4 (including)	2.2.4 (including)
Glibc	Gnu	2.2.5 (including)	2.2.5 (including)
Glibc	Gnu	2.3 (including)	2.3 (including)
Glibc	Gnu	2.3.1 (including)	2.3.1 (including)
Glibc	Gnu	2.3.2 (including)	2.3.2 (including)
Glibc	Gnu	2.3.3 (including)	2.3.3 (including)
Glibc	Gnu	2.3.4 (including)	2.3.4 (including)
Glibc	Gnu	2.3.5 (including)	2.3.5 (including)
Glibc	Gnu	2.3.6 (including)	2.3.6 (including)
Glibc	Gnu	2.3.10 (including)	2.3.10 (including)
Glibc	Gnu	2.4 (including)	2.4 (including)
Glibc	Gnu	2.5 (including)	2.5 (including)
Glibc	Gnu	2.5.1 (including)	2.5.1 (including)
Glibc	Gnu	2.6 (including)	2.6 (including)
Glibc	Gnu	2.6.1 (including)	2.6.1 (including)
Glibc	Gnu	2.7 (including)	2.7 (including)
Glibc	Gnu	2.8 (including)	2.8 (including)
Glibc	Gnu	2.9 (including)	2.9 (including)
Glibc	Gnu	2.10 (including)	2.10 (including)
Glibc	Gnu	2.10.1 (including)	2.10.1 (including)
Glibc	Gnu	2.10.2 (including)	2.10.2 (including)
Glibc	Gnu	2.11 (including)	2.11 (including)
Glibc	Gnu	2.11.1 (including)	2.11.1 (including)
Glibc	Gnu	2.12.0 (including)	2.12.0 (including)
Glibc	Gnu	2.12.1 (including)	2.12.1 (including)
Red Hat Enterprise Linux 5	RedHat	glibc-0:2.5-49.el5_5.6	*
Red Hat Enterprise Linux 6	RedHat	glibc-0:2.12-1.7.el6_0.3	*
Eglibc	Ubuntu	karmic	*
Eglibc	Ubuntu	lucid	*
Eglibc	Ubuntu	maverick	*
Glibc	Ubuntu	hardy	*
Glibc	Ubuntu	jaunty	*

Potential Mitigations

Follow the principle of least privilege when assigning access rights to entities in a software system.
Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.

NVD	https://nvd.nist.gov/vuln/detail/CVE-2010-3847
CWE	https://cwe.mitre.org/data/definitions/59.html

Improper Link Resolution Before File Access ('Link Following')

Weakness

Affected Software

Potential Mitigations

References

CVE-2010-3847

Improper Link Resolution Before File Access ('Link Following')

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References