Vulnerability CVE-2018-1000001


Published: 2018-01-31

Description:
In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.

See advisories in our WLB2 database:
Topic
Author
Date
Med.
glibc realpath() Privilege Escalation
halfdog
13.06.2018

Type:

CWE-119

(Improper Restriction of Operations within the Bounds of a Memory Buffer)

Vendor: GNU
Product: Glibc 
Version: 2.26;

CVSS2 => (AV:L/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.2/10
10/10
3.9/10
Exploit range
Attack complexity
Authentication
Local
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete

 References:
http://seclists.org/oss-sec/2018/q1/38
http://www.securityfocus.com/bid/102525
http://www.securitytracker.com/id/1040162
https://access.redhat.com/errata/RHSA-2018:0805
https://usn.ubuntu.com/3534-1/
https://usn.ubuntu.com/3536-1/
https://www.exploit-db.com/exploits/43775/
https://www.exploit-db.com/exploits/44889/
https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/

Related CVE
CVE-2019-6460
An issue was discovered in GNU Recutils 1.8. There is a NULL pointer dereference in the function rec_field_set_name() in the file rec-field.c in librec.a.
CVE-2019-6459
An issue was discovered in GNU Recutils 1.8. There is a memory leak in rec_extract_type in rec-utils.c in librec.a.
CVE-2019-6458
An issue was discovered in GNU Recutils 1.8. There is a memory leak in rec_buf_new in rec-buf.c when called from rec_parse_rset in rec-parser.c in librec.a.
CVE-2019-6457
An issue was discovered in GNU Recutils 1.8. There is a memory leak in rec_aggregate_reg_new in rec-aggregate.c in librec.a.
CVE-2019-6456
An issue was discovered in GNU Recutils 1.8. There is a NULL pointer dereference in the function rec_fex_size() in the file rec-fex.c of librec.a.
CVE-2019-6455
An issue was discovered in GNU Recutils 1.8. There is a double-free problem in the function rec_mset_elem_destroy() in the file rec-mset.c.
CVE-2018-20673
The demangle_template function in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.31.1, contains an integer overflow vulnerability (for "Create an array for saving the template argument values") that can trigger a heap-based buffer ove...
CVE-2018-20671
load_specific_debug_section in objdump.c in GNU Binutils through 2.31.1 contains an integer overflow vulnerability that can trigger a heap-based buffer overflow via a crafted section size.

Copyright 2019, cxsecurity.com

 

Back to Top