Debian glibc 2 Symlink Vulnerability...

Published: 2000-09-27
Revised: 2025-04-13

Glibc 2 is the latest version of the GNU C Library. ld.so is used to load shared libraries for dynamically-linked programs on Unix systems. The version of ld.so from glibc2 fails to clear the environment variables LD_DEBUG_OUTPUT and LD_DEBUG when running suid programs. These two variables cause a program to create debug files in the directory specified by LD_DEBUG_OUTPUT. These files have predictable filenames, composed of the word DEBUG and the process ID. When ld.so writes to these debug files, it follows symbolic links. As a result, an attacker can anticipate a 'debug' filename and, in a path to which the attacker has write privileges, create a symbolic link pointing to a target file. The attacker can then specify this path as LD_DEBUG_OUTPUT, set the LD_DEBUG variable, and run the target suid program. If the 'debug' filename was correctly guessed, the suid program will overwrite whatever is pointed to by the symlink.
