VYPR
Medium severity 5.5 · NVD Advisory · Published Jan 20, 2016 · Updated May 6, 2026

CVE-2015-8777

Description

The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or libc6) before 2.23 allows local users to bypass a pointer-guarding protection mechanism via a zero value of the LD_POINTER_GUARD environment variable.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A local user can disable glibc's pointer guard protection by setting LD_POINTER_GUARD to zero, weakening security for set-user-ID programs.

Vulnerability

The vulnerability resides in the process_envvars function in elf/rtld.c of the GNU C Library (glibc) before version 2.23. The function fails to sanitize the LD_POINTER_GUARD environment variable for set-user-ID and set-group-ID programs. By setting LD_POINTER_GUARD=0, a local user can disable the pointer mangling protection mechanism that is intended to protect pointers stored in writable memory (e.g., return addresses saved by setjmp(3) or function pointers used by glibc internals) [3]. Affected versions include glibc prior to 2.22.90 [3] and RHEL 7 glibc before 2.17-196.el7 [1].

Exploitation

An attacker must have local access to the system and be able to execute a set-user-ID or set-group-ID program. The attacker sets the environment variable LD_POINTER_GUARD=0 before launching the privileged program. The dynamic loader processes this variable without checking for elevated privileges, thus disabling pointer mangling for that process [3]. No additional authentication or user interaction is required beyond the ability to run a set-user-ID binary.

Impact

By disabling pointer guard, the attacker weakens the system's security posture. However, this vulnerability alone does not directly allow code execution or privilege escalation; it removes a protective layer that makes it easier to exploit other memory corruption bugs (e.g., buffer overflows) that could overwrite mangled pointers [3]. The impact is a reduction in the effectiveness of pointer mangling as a defense-in-depth measure, potentially facilitating further attacks.
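The flaw and its effect on mangled pointers, as an added C example. It is a simplified model, not glibc source and not the upstream patch. The struct, function names and sample values are hypothetical, the XOR-then-rotate step is modelled on the x86-64 mangling scheme, and the hardened variant shows one way to close the gap by ignoring the variable for set-user-ID launches.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of loader state; all names here are hypothetical. */
struct loader_state {
    int secure;         /* 1 for a set-user-ID/set-group-ID launch */
    int pointer_guard;  /* 1 = mangle with a random guard (the default) */
};
static const char GUARD_VAR[] = "LD_POINTER_GUARD=";

/* Flawed handling: the variable is honoured at any privilege level. */
void process_envvars_flawed(struct loader_state *st, const char *const *envp)
{
    size_t n = sizeof GUARD_VAR - 1;
    for (; *envp != NULL; ++envp)
        if (strncmp(*envp, GUARD_VAR, n) == 0)
            st->pointer_guard = (*envp)[n] != '0';
}

/* Hardened handling: an untrusted environment cannot switch the guard off. */
void process_envvars_hardened(struct loader_state *st, const char *const *envp)
{
    if (!st->secure)
        process_envvars_flawed(st, envp);
}

/* XOR-then-rotate mangling, modelled on the x86-64 scheme. */
uint64_t mangle(uint64_t ptr, uint64_t guard)
{
    uint64_t v = ptr ^ guard;
    return (v << 17) | (v >> 47);
}

/* Guard a constructed set-user-ID launch ends up with: the secret, or 0. */
uint64_t guard_for_suid_launch(int hardened, uint64_t secret)
{
    static const char *const env[] = { "PATH=/usr/bin", "LD_POINTER_GUARD=0", NULL };
    struct loader_state st = { 1, 1 };
    (hardened ? process_envvars_hardened : process_envvars_flawed)(&st, env);
    return st.pointer_guard ? secret : 0;
}

int main(void)
{
    uint64_t secret = 0x5bd1e995c3a1f00dULL, ptr = 0x00007f12345678a0ULL; /* constructed */
    printf("flawed:   %016llx\n", (unsigned long long)mangle(ptr, guard_for_suid_launch(0, secret)));
    printf("hardened: %016llx\n", (unsigned long long)mangle(ptr, guard_for_suid_launch(1, secret)));
    return 0;
}
```

With the flawed handling the guard is 0, so the stored value is only a fixed rotation of the raw pointer and carries no per-process secret.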

Mitigation

The fix is included in glibc version 2.23 [2]. For Red Hat Enterprise Linux 7, the updated package is glibc-2.17-196.el7 [1]. Ubuntu released USN-2985-1 and later USN-2985-2 to address related glibc issues, though the latter removed a fix for CVE-2014-9761 due to a regression [4]. Users should update to the latest glibc version provided by their distribution. No workaround is available other than applying the patch.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

21

References

15
