The 2011 Pwnie Nominee For Best Privilege Escalation Bug

Linux $ORIGIN privilege escalation (CVE-2010-3847)

Credit: Tavis Ormandy (and previous anonymous discoverers)

Tavis discovered that the glibc dynamic linker allows $ORIGIN expansion in the LD_AUDIT environment variable when executing setuid binaries. This can be used to elevate privileges to root.
