CVE-2010-3847

Published: 07/01/2011 Updated: 13/02/2023
CVSS v2 Base Score: 6.9 | Impact Score: 10 | Exploitability Score: 3.4
VMScore: 710
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) up to and including 2.11.2, and 2.12.x up to and including 2.12.1, does not properly handle a value of $ORIGIN for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory.

Vulnerable Product

gnu glibc 2.2.2

gnu glibc 2.9

gnu glibc 2.7

gnu glibc 2.1.2

gnu glibc 2.11

gnu glibc 2.0.5

gnu glibc 2.2.5

gnu glibc 2.0.6

gnu glibc 2.10.1

gnu glibc 1.00

gnu glibc 1.06

gnu glibc 2.1.1

gnu glibc 1.02

gnu glibc 2.0.3

gnu glibc 1.07

gnu glibc 2.3.1

gnu glibc 2.3

gnu glibc 2.12.0

gnu glibc 2.0

gnu glibc 2.1.1.6

gnu glibc 1.04

gnu glibc 1.01

gnu glibc 2.3.10

gnu glibc 2.4

gnu glibc 2.1

gnu glibc 2.3.4

gnu glibc 1.09.1

gnu glibc 2.1.9

gnu glibc 2.3.3

gnu glibc 2.12.1

gnu glibc 2.6.1

gnu glibc 2.0.1

gnu glibc 1.09

gnu glibc 2.10

gnu glibc 2.5.1

gnu glibc 2.6

gnu glibc 2.0.4

gnu glibc 2.0.2

gnu glibc 2.2.1

gnu glibc 2.3.2

gnu glibc 1.03

gnu glibc 2.1.3.10

gnu glibc 2.3.6

gnu glibc 2.2.3

gnu glibc 2.5

gnu glibc 1.08

gnu glibc 2.3.5

gnu glibc 2.8

gnu glibc 2.11.1

gnu glibc 2.2.4

gnu glibc 2.1.3

gnu glibc

gnu glibc 1.05

gnu glibc 2.2

gnu glibc 2.10.2

Vendor Advisories

Synopsis Important: glibc security update Type/Severity Security Advisory: Important Topic Updated glibc packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Sc ...
Debian Bug report logs - #600667 eglibc: cve-2010-3847 dynamic linker expands $ORIGIN in setuid library search path Package: eglibc; Maintainer for eglibc is (unknown); Reported by: Michael Gilbert <michaelsgilbert@gmailcom> Date: Mon, 18 Oct 2010 22:57:05 UTC Severity: grave Tags: pending, security, squeeze-ignore Fou ...
Local root escalation via LD_AUDIT environment variable ...
Privilege escalation via loading of libraries via RPATH DSTs with setuid programs ...

Exploits

from: marc.info/?l=full-disclosure&m=128739684614072&w=2 The GNU C library dynamic linker expands $ORIGIN in setuid library search path. Gruezi, This is CVE-2010-3847. The dynamic linker (or dynamic loader) is responsible for the runtime linking of dynam ...
## # This module requires Metasploit: metasploit.com/download # Current source: github.com/rapid7/metasploit-framework ## require 'msf/core/exploit/local/linux' require 'msf/core/exploit/exe' class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::File include Msf::Exploit::EXE include M ...
Source: marc.info/?l=full-disclosure&m=128776663124692&w=2 The GNU C library dynamic linker will dlopen arbitrary DSOs during setuid loads. Cześć, This advisory describes CVE-2010-3856, an addendum to CVE-2010-3847. Please see seclistso ...
This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker with libmemusage.so library ...
The GNU C library dynamic linker will dlopen arbitrary DSOs during setuid loads ...
The GNU C library dynamic linker suffers from an $ORIGIN expansion vulnerability ...
This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker. glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2, does not properly restrict use of the LD_AUDIT environment variable when loading setuid executables, which allows control over the $ORIGIN lib ...
This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in the GNU C Library (glibc) dynamic linker. glibc ld.so in versions before 2.11.3, and 2.12.x before 2.12.2, does not properly restrict use of the LD_AUDIT environment variable when loading setuid executables. This allows loading arbitrary shared obj ...

Github Repositories

Script to take advantage of CVE-2010-3847

CVE-2010-3847 script. Meant to automate the exploit discussed in [marc.info/?l=full-disclosure&m=128776663124692&w=2]. Tested on CentOS 5 x86. The DSO it outputs is compiled from the following code: #include <sys/types.h> #include <unistd.h> #include <stdlib.h> void __attribute__((constructor)) init() { setuid(