Vigil@nce: AIX, file corruption via MALLOCDEBUG
May 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
A local attacker can corrupt a file using the MALLOCDEBUG
environment variable.
Severity: 2/4
Consequences: data creation/modification
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 20/05/2009
IMPACTED PRODUCTS
– IBM AIX
DESCRIPTION OF THE VULNERABILITY
Developers can set the MALLOCTYPE, MALLOCOPTIONS or MALLOCDEBUG
environment variables to debug memory allocations.
The MALLOCDEBUG variable can indicate a log file:
MALLOCDEBUG=output:/tmp/file
However, this file is created in an insecure manner, which leads to
file corruption when a suid/sgid program is debugged.
A local attacker can therefore corrupt a file using the
MALLOCDEBUG environment variable.
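A hardening pattern for this class of issue, shown as an added example that is not from the advisory and is not IBM's fix: a debug facility ignores its log-file variable when the process runs suid/sgid, and otherwise creates the log without following or overwriting an existing name. The function names and the comma-separated option parsing are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Copy the path of an "output:<path>" option (comma-separated list assumed). */
int debug_output_path(const char *value, char *out, size_t outlen)
{
    const char *p = value ? strstr(value, "output:") : NULL;
    if (p == NULL)
        return -1;                      /* no log file requested */
    p += strlen("output:");
    size_t n = strcspn(p, ",");         /* path ends at next option or end */
    if (n == 0 || n >= outlen)
        return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* A suid/sgid process runs with effective ids that differ from its real ids. */
int runs_privileged(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Open the debug log only when unprivileged, and never through an existing
 * file or symlink: O_EXCL makes open() fail if the name exists in any form. */
int open_debug_log(const char *path, int privileged)
{
    if (privileged)
        return -1;                      /* ignore the variable entirely */
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

int main(void)
{
    char path[1024];
    const char *v = getenv("MALLOCDEBUG");
    if (debug_output_path(v, path, sizeof path) != 0)
        return 0;
    int priv = runs_privileged(getuid(), geteuid(), getgid(), getegid());
    int fd = open_debug_log(path, priv);
    if (fd < 0) { perror("debug log refused"); return 1; }
    close(fd);
    return 0;
}
```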
CHARACTERISTICS
Identifiers: BID-35034, VIGILANCE-VUL-8725
http://vigilance.fr/vulnerability/AIX-file-corruption-via-MALLOCDEBUG-8725