CVE-2017-1000366

Sažetak

glibc contains a vulnerability that allows specially crafted LD_LIBRARY_PATH values to manipulate the heap/stack, causing them to alias, potentially resulting in arbitrary code execution. Please note that additional hardening changes have been made to glibc to prevent manipulation of stack and heap memory but these issues are not directly exploitable, as such they have not been given a CVE. This affects glibc 2.25 and earlier.

Reference

http://packetstormsecurity.com/files/154361/Cisco-Device-Hardcoded-Credentials-GNU-glibc-BusyBox.html
http://seclists.org/fulldisclosure/2019/Sep/7
http://www.debian.org/security/2017/dsa-3887
http://www.securityfocus.com/bid/99127
http://www.securitytracker.com/id/1038712
https://access.redhat.com/errata/RHSA-2017:1479
https://access.redhat.com/errata/RHSA-2017:1480
https://access.redhat.com/errata/RHSA-2017:1481
https://access.redhat.com/errata/RHSA-2017:1567
https://access.redhat.com/errata/RHSA-2017:1712
https://access.redhat.com/security/cve/CVE-2017-1000366
https://kc.mcafee.com/corporate/index?page=content&id=SB10205
https://seclists.org/bugtraq/2019/Sep/7
https://security.gentoo.org/glsa/201706-19
https://www.exploit-db.com/exploits/42274/
https://www.exploit-db.com/exploits/42275/
https://www.exploit-db.com/exploits/42276/
https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
https://www.suse.com/security/cve/CVE-2017-1000366/
https://www.suse.com/support/kb/doc/?id=7020973

CVSS

Base:	7.2
Impact:	10.0
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
LOCAL	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
COMPLETE	COMPLETE	COMPLETE

CVSS vektor

AV:L/AC:L/Au:N/C:C/I:C/A:C

Zadnje važnije ažuriranje

15-10-2020 - 13:28

Objavljeno

19-06-2017 - 16:29