Vigil@nce: GNU Libtool, code execution
December 2009 by Vigil@nce
In some cases, GNU Libtool loads a static library located in the
current directory.
Severity: 2/4
Consequences: user access/rights
Provenance: user shell
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 22/12/2009
IMPACTED PRODUCTS
– Fedora
– Mandriva Corporate
– Mandriva Enterprise Server
– Mandriva Linux
– Mandriva Multi Network Firewall
– Red Hat Enterprise Linux
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
Dynamic libraries are loaded by dlopen().
GNU Libtool provides ltdl (the Libtool Dynamic Module Loader) to
load libraries. It is called through the functions lt_dlopen()
and lt_dlopenext().
The ltdl uses files with a ".la" extension to describe a library.
For example:
dlname='my-lib.so.1'
library_names='my-lib.so.1.0 my-lib.so.1'
old_library='my-lib.a'
The value of "old_library" indicates the name of the static
library.
When a program calls:
– lt_dlopen/lt_dlopenext("/absolute/path/my-lib.so"): there is
no vulnerability
– lt_dlopen/lt_dlopenext("my-lib.so"): there is no vulnerability
– lt_dlopen/lt_dlopenext("/absolute/path/my-lib.la"), and if the
/absolute/path/my-lib.la file contains old_library='my-lib.a':
there is a vulnerability
– lt_dlopen/lt_dlopenext("my-lib.la"), and if the attacker can
create the my-lib.la file in the current directory, containing
old_library='my-lib.a': there is a vulnerability
– lt_dlopenext("/absolute/path/my-lib"), and if the
/absolute/path/my-lib.la file contains old_library='my-lib.a':
there is a vulnerability
– lt_dlopenext("my-lib"), and if the attacker can create the
my-lib.la file in the current directory, containing
old_library='my-lib.a': there is a vulnerability
In the four vulnerable cases, ltdl tries to open the my-lib.a file
in the current directory.
A local attacker can therefore create my-lib.a, and if necessary
my-lib.la, in the current directory of a user. The attacker can
then invite the victim to run the program, so that the malicious
code in my-lib.a runs with the victim's privileges.
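As an added example (not part of the advisory and not Libtool code), the following Python audit helper parses a .la file and classifies an lt_dlopen()/lt_dlopenext() argument against the case list above, reporting which file in the working directory ltdl would try to open. It assumes relative names are resolved against the working directory only; the function names and status strings are illustrative.

```python
import os
import re

# key='value' lines as they appear in a libtool .la file
LA_FIELD = re.compile(r"^\s*(\w+)\s*=\s*'([^']*)'\s*$")

# The advisory's sample .la content, used as test input
SAMPLE_LA = "dlname='my-lib.so.1'\nlibrary_names='my-lib.so.1.0 my-lib.so.1'\nold_library='my-lib.a'\n"

def parse_la(text):
    """Return the key='value' fields of a .la file as a dict."""
    fields = {}
    for line in text.splitlines():
        m = LA_FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def la_for_call(arg, ext_search):
    """.la file a call consults, or None for the forms listed as safe.
    ext_search=False models lt_dlopen(), True models lt_dlopenext()."""
    if arg.endswith(".la"):
        return arg
    if ext_search and not os.path.splitext(arg)[1]:
        return arg + ".la"  # lt_dlopenext("my-lib") form
    return None

def audit_call(arg, ext_search, cwd):
    """Classify one call made from working directory cwd.
    Returns (status, path) with status one of:
      not-affected  argument form is not one of the four cases
      no-la         the .la file does not exist
      no-static     the .la file declares no old_library
      exposed       old_library set; path is the cwd file ltdl would try
      shadowed      as exposed, and that file already exists in cwd"""
    la = la_for_call(arg, ext_search)
    if la is None:
        return ("not-affected", None)
    # Assumption: relative names resolve against cwd; absolute args are kept
    la_path = os.path.join(cwd, la)
    if not os.path.isfile(la_path):
        return ("no-la", la_path)
    with open(la_path, encoding="utf-8", errors="replace") as fh:
        old = parse_la(fh.read()).get("old_library", "")
    if not old:
        return ("no-static", la_path)
    candidate = os.path.join(cwd, os.path.basename(old))
    return ("shadowed" if os.path.exists(candidate) else "exposed", candidate)
```

A "shadowed" result for a directory from which users start ltdl-based programs means a file with the static library's name is already sitting there and deserves inspection.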
CHARACTERISTICS
Identifiers: 537941, BID-37128, CVE-2009-3736, FEDORA-2009-12725,
MDVA-2009:253, MDVSA-2009:307, MDVSA-2009:307-1, MDVSA-2009:318,
RHSA-2009:1646-01, VIGILANCE-VUL-9308
http://vigilance.fr/vulnerability/GNU-Libtool-code-execution-9308