CVE-2017-16997

glibc: Incorrect handling of RPATH in elf/dl-load.c can be used to execute code loaded from arbitrary libraries

Severity Score

7.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the "./" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.

elf/dl-load.c en la biblioteca GNU C (también llamada glibc o libc6) desde la versión 2.19 hasta la 2.26 manipula incorrectamente RPATH y RUNPATH que contienen $ORIGIN para un programa privilegiado (setuid o AT_SECURE), lo que permite que los usuarios locales obtengan privilegios mediante una librería con malware troyano en el directorio actual. Esto está relacionado con las funciones fillin_rpath y decompose_rpath. Esto se asocia con la interpretación incorrecta de un token RPATH/RUNPATH vacío como el directorio "./". NOTA: esta configuración de RPATH/RUNPATH para un programa privilegiado es aparentemente muy poco común. Lo más probable es que este programa no se provea con una distribución de Linux común.

It was discovered that the GNU C library did not properly handle all of the possible return values from the kernel getcwd syscall. A local attacker could potentially exploit this to execute arbitrary code in setuid programs and gain administrative privileges. A memory leak was discovered in the _dl_init_paths function in the GNU C library dynamic loader. A local attacker could potentially exploit this with a specially crafted value in the LD_HWCAP_MASK environment variable, in combination with CVE-2017-1000409 and another vulnerability on a system with hardlink protections disabled, in order to gain administrative privileges. Various other issues were also addressed.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2017-04-03 CVE Published
2017-11-27 CVE Reserved
2018-01-03 First Exploit
2024-08-05 CVE Updated
2025-04-02 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-426: Untrusted Search Path
CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

CAPEC

References (9)

URL	Tag	Source
http://www.securityfocus.com/bid/102228	Third Party Advisory

URL	Date	SRC
https://github.com/Xiami2012/CVE-2017-16997-poc	2018-01-03

URL	Date	SRC
https://bugs.debian.org/884615	2020-10-15
https://sourceware.org/bugzilla/show_bug.cgi?id=22625	2020-10-15
https://sourceware.org/ml/libc-alpha/2017-12/msg00528.html	2020-10-15

URL	Date	SRC
https://access.redhat.com/errata/RHBA-2019:0327	2020-10-15
https://access.redhat.com/errata/RHSA-2018:3092	2020-10-15
https://access.redhat.com/security/cve/CVE-2017-16997	2018-10-30
https://bugzilla.redhat.com/show_bug.cgi?id=1526865	2018-10-30

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Gnu Search vendor "Gnu"		Glibc Search vendor "Gnu" for product "Glibc"				2.19 Search vendor "Gnu" for product "Glibc" and version "2.19"		-		Affected
Gnu Search vendor "Gnu"		Glibc Search vendor "Gnu" for product "Glibc"				2.20 Search vendor "Gnu" for product "Glibc" and version "2.20"		-		Affected
Gnu Search vendor "Gnu"		Glibc Search vendor "Gnu" for product "Glibc"				2.21 Search vendor "Gnu" for product "Glibc" and version "2.21"		-		Affected
Gnu Search vendor "Gnu"		Glibc Search vendor "Gnu" for product "Glibc"				2.22 Search vendor "Gnu" for product "Glibc" and version "2.22"		-		Affected
Gnu Search vendor "Gnu"		Glibc Search vendor "Gnu" for product "Glibc"				2.23 Search vendor "Gnu" for product "Glibc" and version "2.23"		-		Affected
Gnu Search vendor "Gnu"		Glibc Search vendor "Gnu" for product "Glibc"				2.25 Search vendor "Gnu" for product "Glibc" and version "2.25"		-		Affected
Gnu Search vendor "Gnu"		Glibc Search vendor "Gnu" for product "Glibc"				2.26 Search vendor "Gnu" for product "Glibc" and version "2.26"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Desktop Search vendor "Redhat" for product "Enterprise Linux Desktop"				7.0 Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server"				7.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Workstation Search vendor "Redhat" for product "Enterprise Linux Workstation"				7.0 Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "7.0"		-		Affected