Understanding Core Unix Components and their Historical Security Issues (GlibC)

I have a mantra, you can’t pwn something you can’t build, well, of course you can but it’s much easier if you can build it. Take web apps, I had RCE on redis years ago because I knew how to configure it; take AD — because I deployed early on Azure I knew a few bugs that allowed me to take over traditional AD from Azure and finally by building my own Unix system I was able to figure out a number of priv. escs by simply mounting file systems or changing core start up libs etc…the point is, if you can make it, you can break it.

Part of building something is understanding it, today we will try to understand a core unix component, Glibc, what it does and look at previous security issues that have affected them and other exploits that abuses it. I hope all the binaries, libraries and directories listed will be helpful for people looking for good fuzzing targets or places to statically analyse code.


The Glibc package contains the main C library. This library provides the basic routines for allocating memory, searching directories, opening and closing files, reading and writing files, string handling, pattern matching, arithmetic, and so on.

Installed Binaries


Can be used to create a stack trace when a program terminates with a segmentation fault

Useful for CTFs, Reverse Engineering and Exploit Dev


Generates message catalogues


Displays the system configuration values for file system specific variables


Gets entries from an administrative database


Performs character set conversion


Creates fastloading iconv module configuration files


Configures the dynamic linker runtime bindings


Reports which shared libraries are required by each given program or shared library

ldd is very useful for CTFs, Exploit Dev and Reverse Engineering!


Assists ldd with object files


Prints various information about the current locale


Compiles locale specifications


Creates a simple database from textual input


Reads and interprets a memory trace file and displays a summary in human-readable format


A daemon that provides a cache for the most common name service requests


Lists dynamic shared objects used by running processes


A statically linked ln program


Traces shared library procedure calls of a specified command

Another useful one for CTFs, Exploit Development and Reverse Engineering!


Reads and displays shared object profiling data


Asks the user about the location of the system and reports the corresponding time zone description


Traces the execution of a program by printing the currently executed function


The time zone dumper


The time zone compiler

Installed Libraries


The helper program for shared library executables


Used internally by Glibc as a gross hack to get broken programs (e.g., some Motif applications) running. See comments in glibc-2.28/locale/broken_cur_max.cfor more information


The segmentation fault signal handler, used by catchsegv


An asynchronous name lookup library


The main C library


Used internally by Glibc for handling internationalized domain names in the getaddrinfo() function


The cryptography library


The dynamic linking interface library


Dummy library containing no functions. Previously was a runtime library for g++


Linking in this module forces error handling rules for math functions as defined by the Institute of Electrical and Electronic Engineers (IEEE). The default is POSIX.1 error handling


The mathematical library


Turns on memory allocation checking when linked to


Used by memusage to help collect information about the memory usage of a program


The network services library


The Name Service Switch libraries, containing functions for resolving host names, user names, group names, aliases, services, protocols, etc.


The POSIX threads library


Contains functions for creating, sending, and interpreting packets to the Internet domain name servers


Contains functions providing miscellaneous RPC services


Contains functions providing most of the interfaces specified by the POSIX.1b Realtime Extension


Contains functions useful for building debuggers for multi-threaded programs


Contains code for “standard” functions used in many different Unix utilities




GNU Glibc : List of security vulnerabilities
Security vulnerabilities of GNU Glibc : List of all related CVE security vulnerabilities. CVSS Scores, vulnerability…www.cvedetails.com

Top 10 Critical

  • CVE-2015–0235: Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka “GHOST.”
  • CVE-2017–16997: elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the “./” directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.
  • CVE-2014–9402: The nss_dns implementation of getnetbyname in GNU C Library (aka glibc) before 2.21, when the DNS backend in the Name Service Switch configuration is enabled, allows remote attackers to cause a denial of service (infinite loop) by sending a positive answer while a network name is being process.
  • CVE-2017–8804: The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017–8779.
  • CVE-2000–0335: The resolver in glibc 2.1.3 uses predictable IDs, which allows a local attacker to spoof DNS query results.
  • CVE-2002–0684: Buffer overflow in DNS resolver functions that perform lookup of network names and addresses, as used in BIND 4.9.8 and ported to glibc 2.2.5 and earlier, allows remote malicious DNS servers to execute arbitrary code through a subroutine used by functions such as getnetbyname and getnetbyaddr.
  • CVE-2003–0028: Integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields, a different vulnerability than CVE-2002–0391.
  • CVE-2010–0015: nis/nss_nis/nis-pwd.c in the GNU C Library (aka glibc or libc6) 2.7 and Embedded GLIBC (EGLIBC) 2.10.2 adds information from the passwd.adjunct.byname map to entries in the passwd map, which allows remote attackers to obtain the encrypted passwords of NIS accounts by calling the getpwnam function.
  • CVE-2012–4412: Integer overflow in string/strcoll_l.c in the GNU C Library (aka glibc or libc6) 2.17 and earlier allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a long string, which triggers a heap-based buffer overflow.
  • CVE-2014–4043: The posix_spawn_file_actions_addopen function in glibc before 2.20 does not copy its path argument in accordance with the POSIX specification, which allows context-dependent attackers to trigger use-after-free vulnerabilities.

Using GLibC to our Advantage

A “return-to-libc” attack is a computer security attack usually starting with a buffer overflow in which a subroutine return address on a call stack is replaced by an address of a subroutine that is already present in the process’ executable memory, bypassing the no-execute bit feature (if present) and ridding the attacker of the need to inject their own code. The first example of this attack in the wild was contributed by Alexander Peslyak on the Bugtraq mailing list in 1997.

On POSIX-compliant operating systems the C standard library (“libc“) is commonly used to provide a standard runtime environment for programs written in the C programming language. Although the attacker could make the code return anywhere, libc is the most likely target, as it is almost always linked to the program, and it provides useful calls for an attacker (such as the system function used to execute shell commands).