GNU C Library Untrusted LD_LIBRARY_PATH Vulnerability in Statically Compiled Setuid Binaries

Vulnerability

A vulnerability exists in the GNU C Library (glibc) versions 2.27 through 2.38, where the LD_LIBRARY_PATH environment variable can be exploited to load attacker-controlled shared libraries into statically compiled setuid binaries. This issue arises when such binaries call dlopen, including internal dlopen calls after setlocale or calls to Name Service Switch (NSS) functions like getaddrinfo. The vulnerability could lead to the execution of malicious library code with elevated privileges.

Impact

Exploitation of this vulnerability could allow for the execution of arbitrary code in the context of the affected user, potentially with elevated privileges, depending on the setuid binary used.

Reproduction

To reproduce this vulnerability, a static setuid binary must be created that calls dlopen, either directly or indirectly through setlocale or NSS functions. The binary should be linked against a vulnerable version of glibc. Once the binary is created, set the LD_LIBRARY_PATH environment variable to include a path to a malicious shared library that will be loaded by the binary. When the binary is executed, the malicious library code will be executed, demonstrating the vulnerability.

Remediation

Users can upgrade to GNU C Library version 2.39 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 7.5
exploitability: 4.3
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.