CVE-2018-1000001

Published: 31/01/2018 Updated: 03/10/2019
CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 732
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

In glibc 2.26 and previous versions there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.

Vulnerable Products

gnu glibc

canonical ubuntu linux 16.04

canonical ubuntu linux 17.10

canonical ubuntu linux 12.04

canonical ubuntu linux 14.04

redhat enterprise linux desktop 7.0

redhat enterprise linux server tus 7.6

redhat virtualization host 4.0

redhat enterprise linux server aus 7.6

redhat enterprise linux server eus 7.6

redhat enterprise linux server 7.0

redhat enterprise linux workstation 7.0

Vendor Advisories

Synopsis: Moderate: glibc security, bug fix, and enhancement update. Type/Severity: Security Advisory: Moderate. Topic: An update for glibc is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System ...
Debian Bug report logs - #887001 glibc: CVE-2018-1000001: realpath() buffer underflow when getcwd() returns relative path allows privilege escalation. Package: src:glibc; Maintainer for src:glibc is GNU Libc Maintainers <debian-glibc@lists.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Fri, 12 ...
Several security issues were fixed in the GNU C library ...
The GNU C library could be made to run programs as an administrator ...
Fragmentation attacks possible when EDNS0 is enabled. The DNS stub resolver in the GNU C Library (aka glibc or libc6) before version 2.26, when EDNS support is enabled, will solicit large UDP responses from name servers, potentially simplifying off-path DNS spoofing attacks due to IP fragmentation (CVE-2017-12132). Buffer overflow in glob with GLOB_TI ...
In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution ...
A buffer underflow vulnerability has been discovered in the realpath() function in glibc 2.26 when getcwd() returns a relative or unreachable path (i.e. not starting with '/') which may allow privilege escalation under certain conditions ...

Exploits

This Metasploit module attempts to gain root privileges on Linux systems by abusing a vulnerability in GNU C Library (glibc) version 2.26 and prior. This Metasploit module uses halfdog's RationalLove exploit to exploit a buffer underflow in glibc realpath() and create a SUID root shell. The exploit has offsets for glibc versions 2.23-0ubuntu9 and 2 ...
/** This software is provided by the copyright owner "as is" and any
 * expressed or implied warranties, including, but not limited to,
 * the implied warranties of merchantability and fitness for a particular
 * purpose are disclaimed. In no event shall the copyright owner be
 * liable for any direct, indirect, incidental, special, exemplary ...

##
# This module requires Metasploit: metasploit.com/download
# Current source: github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking
  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Post::Linux::Kernel
  include ...

Github Repositories

Tools for getting offsets and adding a patch to support i386

Tools for CVE-2018-1000001
Check vulnerability:
$ cat /proc/sys/kernel/unprivileged_userns_clone
Output: 1
If file "/proc/sys/kernel/unprivileged_userns_clone" does not exist:
$ unshare -mU /bin/sh -c "sleep 5" & /bin/sh -c "sleep 1; cd /proc/$!/cwd; realpath ; kil

The Big list of the github, open-source compilers.

Compiler
The Big list of all of the github, open-source compilers
C
emscripten Emscripten: An LLVM-to-Web Compiler
8cc A Small C Compiler
Tesseract-OCR-iOS Tesseract OCR iOS is a Framework for iOS7+, compiled also for armv7s and arm64
firmware This repository contains pre-compiled binaries of the current Raspberry Pi kernel and modules, userspace libraries, and bootl

Reproduction and exploitation experiments for the CVE-2018-1000001 vulnerability and a deserialization RCE vulnerability. Experimental environment: Ubuntu 16.04.3 Desktop. CVE-2018-1000001: reproduction and exploitation have been achieved. Analysis: bbs.pediy.com/thread-228678-1.htm github.com/SecWiki/linux-kernel-exploits/blob/master/2018/CVE-2018-1000001/RationalLove.c www.freebuf.com/column/162202.html The deserialization RCE vulnerability is currently

HCTF 2018 - PWN - easyexp

HCTF 2018 - PWN - easyexp. Idea behind the challenge: it comes from CVE-2018-1000001, the realpath() buffer underflow vulnerability in glibc. I won't analyze the specific vulnerability mechanism here; see the reference links posted below. As a noob challenge author who couldn't even understand other people's exploits, I could only simplify the problem into this rather uninspiring easyexp (haha). Unexpectedly few people solved it, though; maybe many didn't find the way in (or weren't interested).