CVE-2017-1000366
Description
glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE. This affects glibc 2.25 and earlier.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Linux Kernel (Debian 7/8/9/10 / Fedora 23/24/25 / CentOS 5.3/5.11/6.0/6.8/7.2.1511) - 'ldso_hwcap Stack Clash' Local Privilege Escalation
Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic Stack Clash' Local Privilege Escalation
Linux Kernel (Debian 7.7/8.5/9.0 / Ubuntu 14.04.2/16.04.2/17.04 / Fedora 22/25 / CentOS 7.3.1611) - 'ldso_hwcap_64 Stack Clash' Local Privilege Escalation
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | affected | | |
| arch | fixed | 2.25-4 | |
| debian | bookworm | fixed | 2.24-12 |
| debian | bullseye | fixed | 2.24-12 |
| debian | forky | fixed | 2.24-12 |
| debian | sid | fixed | 2.24-12 |
| debian | trixie | fixed | 2.24-12 |
| debian | 8.0 | affected | |
| debian | 9.0 | affected | |
| rhel | 5 | affected | |
| rhel | 6.0 | affected | |
| rhel | 7.0 | affected | |
| rhel | 6.6 | affected | |
| suse | 11.0 | affected | |
| suse | 42.2 | affected | |
| suse | 10 | affected | |
| suse | 11 | affected | |
| suse | 12 | affected | |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| openstack | cloud_magnum_orchestration | 7 | |
| gnu | glibc | {"endIncluding":"2.25"} | |
| mcafee | web_gateway | {"endIncluding":"7.6.2.14"} | |
References
- https://security.archlinux.org/ASA-201706-22
- https://security.archlinux.org/ASA-201706-23
- http://packetstormsecurity.com/files/154361/Cisco-Device-Hardcoded-Credentials-GNU-glibc-BusyBox.html
- http://seclists.org/fulldisclosure/2019/Sep/7
- http://www.debian.org/security/2017/dsa-3887
- http://www.securityfocus.com/bid/99127
- http://www.securitytracker.com/id/1038712
- https://access.redhat.com/errata/RHSA-2017:1479
- https://access.redhat.com/errata/RHSA-2017:1480
- https://access.redhat.com/errata/RHSA-2017:1481
- https://access.redhat.com/errata/RHSA-2017:1567
- https://access.redhat.com/errata/RHSA-2017:1712
- https://access.redhat.com/security/cve/CVE-2017-1000366
- https://kc.mcafee.com/corporate/index?page=content&id=SB10205
- https://seclists.org/bugtraq/2019/Sep/7
- https://security.gentoo.org/glsa/201706-19
- https://www.exploit-db.com/exploits/42274/
- https://www.exploit-db.com/exploits/42275/
- https://www.exploit-db.com/exploits/42276/
- https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
- https://www.suse.com/security/cve/CVE-2017-1000366/
- https://www.suse.com/support/kb/doc/?id=7020973
- https://www.suse.com/security/cve/CVE-2017-1000366.html
- https://security-tracker.debian.org/tracker/CVE-2017-1000366
CWEs
CWE-119
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.