Rechercher
Contactez-nous Suivez-nous sur Twitter En francais English Language
 

De la Théorie à la pratique





















Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN

Vulnérabilités

Unsubscribe

Vigil@nce: GNU Libtool, code execution

December 2009 by Vigil@nce

In some cases, GNU Libtool loads a static library located in the current directory.

Severity: 2/4

Consequences: user access/rights

Provenance: user shell

Means of attack: 1 attack

Ability of attacker: technician (2/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: high (3/3)

Creation date: 22/12/2009

IMPACTED PRODUCTS

- Fedora
- Mandriva Corporate
- Mandriva Enterprise Server
- Mandriva Linux
- Mandriva Multi Network Firewall
- Red Hat Enterprise Linux
- Unix - plateform

DESCRIPTION OF THE VULNERABILITY

Dynamic libraries are loaded by dlopen().

The ltdl (Libtool Dynamic Module Loader) is provided by GNU Libtool to load libraries. It is called by functions lt_dlopen() and lt_dlopenext().

The ltdl uses files with a ".la" extension to indicate information on a library. For example:
dlname=’my-lib.so.1’
library_names=’my-lib.so.1.0 my-lib.so.1’
old_library=’my-lib.a’
The value of "old_library" indicates the name of the static library.

When a program calls:

- lt_dlopen/lt_dlopenext("/absolute/path/my-lib.so") : there is no vulnerability
- lt_dlopen/lt_dlopenext("my-lib.so") : there is no vulnerability
- lt_dlopen/lt_dlopenext("/absolute/path/my-lib.la"), and if the /absolute/path/my-lib.la file contains old_library=’my-lib.a’ : there is a vulnerability
- lt_dlopen/lt_dlopenext("my-lib.la"), and if the attacker can create the my-lib.la file in the current directory, containing old_library=’my-lib.a’ : there is a vulnerability
- lt_dlopenext("/absolute/path/my-lib"), and if the /absolute/path/my-lib.la file contains old_library=’my-lib.a’ : there is a vulnerability
- lt_dlopenext("my-lib"), and if the attacker can create the my-lib.la file in the current directory, containing old_library=’my-lib.a’ : there is a vulnerability In the 4 indicated cases, ltdl tries to open the my-lib.a file in the current directory.

A local attacker can therefore, if necessary create my-lib.la, and create my-lib.a, in the current directory of a user. The attacker can then invite the victim to run the program, so the malicious code of my-lib.a runs with his privileges.

CHARACTERISTICS

Identifiers: 537941, BID-37128, CVE-2009-3736, FEDORA-2009-12725, MDVA-2009:253, MDVSA-2009:307, MDVSA-2009:307-1, MDVSA-2009:318, RHSA-2009:1646-01, VIGILANCE-VUL-9308

http://vigilance.fr/vulnerability/G...




See previous articles

    

See next articles