Vigil@nce: AIX, file corruption via MALLOCDEBUG
May 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
A local attacker can corrupt a file using the MALLOCDEBUG environment variable.
Consequences: data creation/modification
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 20/05/2009
DESCRIPTION OF THE VULNERABILITY
Developers can set the MALLOCTYPE, MALLOCOPTIONS or MALLOCDEBUG environment variables to debug memory allocations.
The MALLOCDEBUG variable specifies a log file, for example: MALLOCDEBUG=output:/tmp/file
However, this file is created in an insecure manner, leading to file corruption when a suid/sgid program is debugged.
A local attacker can therefore corrupt a file using the MALLOCDEBUG environment variable.
Identifiers: BID-35034, VIGILANCE-VUL-8725
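The defensive pattern behind this class of bug is illustrated below with an added example written for this page; it is not AIX code and does not reproduce the libc allocator's actual behaviour. It assumes a debug-output option of the form "output:<path>" in a comma-separated option list (the comma separator is an assumption), and shows the two checks a privileged program needs before honouring such a variable: refuse the option when real and effective ids differ (the process is setuid/setgid), and create the log file with O_CREAT|O_EXCL|O_NOFOLLOW and mode 0600 so that an existing file or a symlink planted at the path is never written through.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Portability stub for toolchains that hide O_NOFOLLOW under strict
 * feature macros; on real targets the platform value must be used. */
#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0
#endif

/* Example policy (not AIX code): a privileged program must not honour a
 * user-supplied debug output path. Returns 1 only when real and effective
 * ids match, i.e. the process is not running setuid or setgid. */
int debug_output_allowed(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid == euid && rgid == egid;
}

/* Extract the path from an "output:<path>" option into buf. Options are
 * assumed to be comma separated (assumption). Returns 1 on success, 0 when
 * there is no output option, the path is empty, or it does not fit. */
int parse_mallocdebug_output(const char *value, char *buf, size_t buflen)
{
    const char *prefix = "output:";
    const char *p, *end;
    size_t len;

    if (value == NULL)
        return 0;
    p = strstr(value, prefix);
    if (p == NULL)
        return 0;
    p += strlen(prefix);
    end = strchr(p, ',');
    len = end ? (size_t)(end - p) : strlen(p);
    if (len == 0 || len >= buflen)
        return 0;
    memcpy(buf, p, len);
    buf[len] = '\0';
    return 1;
}

/* Create the log file safely: O_EXCL refuses an existing file, O_NOFOLLOW
 * refuses a symlink at the path, and 0600 keeps the log private.
 * Returns the descriptor, or -1 with errno set (EEXIST, ELOOP, ...). */
int open_debug_log(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Full policy: honour the debug variable only for unprivileged processes,
 * then create the file with the safe flags above. */
int open_debug_log_from_env(const char *mallocdebug)
{
    char path[4096];

    if (!debug_output_allowed(getuid(), geteuid(), getgid(), getegid()))
        return -1;
    if (!parse_mallocdebug_output(mallocdebug, path, sizeof path))
        return -1;
    return open_debug_log(path);
}

int main(void)
{
    /* Constructed sample value, relative path so the demo needs no /tmp. */
    const char *sample = "log,output:./mallocdebug_example.log";
    char path[256];
    int fd;

    if (!parse_mallocdebug_output(sample, path, sizeof path)) {
        fprintf(stderr, "no output option found\n");
        return 1;
    }
    fd = open_debug_log(path);
    if (fd < 0) {
        perror("open_debug_log");
        return 1;
    }
    printf("created %s safely (fd %d)\n", path, fd);
    close(fd);
    unlink(path);
    return 0;
}
```

A second open_debug_log on the same path fails with EEXIST rather than truncating whatever is already there, which is the behaviour the advisory's insecure creation lacks; the id check is what keeps a setuid binary from creating the file at all on a caller's behalf.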