Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2010-3847 — Link Following in Glibc

CWE-59 — Link Following CWE-426 — Untrusted Search Path17 documents9 sources

Severity

6.9MEDIUMNVD

EPSS

11.3%

top 6.47%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

GNU Glibc

Timeline

PublishedJan 7

Latest updateMay 14

Description

elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of $ORIGIN for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory.

CVSS vector

AV:L/AC:M/C:C/I:C/A:CExploitability: 3.4 | Impact: 10.0

Affected Packages2 packages

▶Debiangnu/glibc< 2.11.2-8+3

▶NVDgnu/glibc2.11.2+54

Patches

Patch: sourceware.org ↗Patch: bugzilla.redhat.com ↗Patch: sourceware.org ↗

🔴Vulnerability Details

GHSA

GHSA-q3fw-v7x4-w8hh: elf/dl-load↗2022-05-14

▶

OSV

CVE-2010-3847: elf/dl-load↗2011-01-07

▶

CVEList

CVE-2010-3847: elf/dl-load↗2011-01-07

▶

💥Exploits & PoCs

Exploit-DB

glibc - '$ORIGIN' Expansion Privilege Escalation (Metasploit)↗2018-02-12

▶

Exploit-DB

glibc - 'LD_AUDIT' Arbitrary DSO Load Privilege Escalation (Metasploit)↗2018-02-12

▶

Exploit-DB

GNU C Library 2.x (libc6) - Dynamic Linker LD_AUDIT Arbitrary DSO Load Privilege Escalation↗2010-10-22

▶

Exploit-DB

GNU C library dynamic linker - '$ORIGIN' Expansion↗2010-10-18

▶

📋Vendor Advisories

Red Hat

glibc: ld.so insecure handling of privileged programs' RPATHs with $ORIGIN↗2011-01-12

▶

Red Hat

glibc: fix causes linker to search CWD when running privileged program with $ORIGIN in R*PATH↗2011-01-11

▶

Ubuntu

GNU C Library vulnerabilities↗2010-10-22

▶

Red Hat

glibc: ld.so insecure handling of $ORIGIN in LD_AUDIT for setuid/setgid programs↗2010-10-18

▶

Debian

CVE-2010-3847: glibc - elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2,...↗2010

▶

💬Community

Bugzilla

CVE-2011-0536 glibc: CVE-2010-3847 fix causes linker to search CWD when running privileged program with $ORIGIN in R*PATH↗2011-01-07

▶

Bugzilla

CVE-2010-3847 glibc: ld.so insecure handling of $ORIGIN in LD_AUDIT for setuid/setgid programs [fedora-all]↗2010-10-18

▶

Bugzilla

CVE-2010-3847 glibc: ld.so insecure handling of $ORIGIN in LD_AUDIT for setuid/setgid programs↗2010-10-15

▶

Bugzilla

CVE-2007-3847 httpd: out of bounds read↗2007-08-03

▶