CVE-2012-3524

libdbus < 1.5.12 - Local Privilege Escalation via DBUS_SYSTEM_BUS_ADDRESS Environment Variable

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2012-3524. PoCs published by Sebastian Krahmer.

AI-analyzed exploit summary This exploit leverages insecure getenv() usage in SUID binaries (spice, pam_systemd, or Xorg) to escalate privileges by manipulating environment variables and executing a malicious dbus-launch symlink. It demonstrates a local privilege escalation (LPE) via improper handling of environment variables in system utilities.

Description

libdbus 1.5.x and earlier, when used in setuid or other privileged programs in X.org and possibly other products, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. NOTE: libdbus maintainers state that this is a vulnerability in the applications that do not cleanse environment variables, not in libdbus itself: "we do not support use of libdbus in setuid binaries that do not sanitize their environment before their first call into libdbus."

Exploits (1)

exploitdb WORKING POC
by Sebastian Krahmer · clocallinux
https://www.exploit-db.com/exploits/21323

This exploit leverages insecure getenv() usage in SUID binaries (spice, pam_systemd, or Xorg) to escalate privileges by manipulating environment variables and executing a malicious dbus-launch symlink. It demonstrates a local privilege escalation (LPE) via improper handling of environment variables in system utilities.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Moderate
Reliability
Reliable
Target: SUID binaries (spice-gtk, pam_systemd, Xorg)
No auth needed
Prerequisites: Presence of vulnerable SUID binaries (spice, pam_systemd, or Xorg) · Write access to /tmp
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (23)

Core 23
Core References
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/09/12/6
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/07/26/1
Mailing List vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2012-10/msg00094.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/50544
Issue Tracking x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=847402
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1576-1
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/50537
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/09/17/2
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/21323
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/55517
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2012-1261.html
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/07/10/4
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/09/14/2
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2013:083
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2013:070
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/50710
Issue Tracking x_refsource_misc
https://bugzilla.novell.com/show_bug.cgi?id=697105
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1576-2
Exploit x_refsource_misc
http://stealth.openwall.net/null/dzug.c

Scores

EPSS 0.0451
EPSS Percentile 90.3%

Details

CWE
CWE-264
Status published
Products (7)
freedesktop/libdbus 1.5.0
freedesktop/libdbus 1.5.2
freedesktop/libdbus 1.5.4
freedesktop/libdbus 1.5.6
freedesktop/libdbus 1.5.8
freedesktop/libdbus 1.5.10
freedesktop/libdbus < 1.5.12
Published Sep 18, 2012
Tracked Since Feb 18, 2026