CVE-2009-1786 - Race Condition vulnerability in IBM AIX 5.3/6.1
Attack vector | LOCAL
Attack complexity | MEDIUM
Privileges required | NONE
Confidentiality impact | COMPLETE
Integrity impact | COMPLETE
Availability impact | COMPLETE
Summary
The malloc subsystem in libc in IBM AIX 5.3 and 6.1 allows local users to create or overwrite arbitrary files via a symlink attack on the log file associated with the MALLOCDEBUG environment variable.
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging Race Conditions: This attack targets a race condition that occurs when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the accesses take place. The attacker can leverage a race condition by "running the race", modifying the resource and thereby altering the normal execution flow. For instance, a race condition can occur while accessing a file: the attacker can trick the system by replacing the original file with his own version and cause the system to read the malicious file.
- Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions: This attack targets a race condition that occurs between the time a resource's state is checked and the time the resource is used. The typical example is file access. The attacker can leverage a file access race condition by "running the race", meaning that he modifies the resource between the first time the target program accesses the file and the time the target program uses it. During that window, the attacker could do something such as replace the file and cause an escalation of privilege.
Exploit-Db
description | Kingsoft Webshield 1.1.0.62 Cross Site scripting and Remote Command Execution Vulnerability. CVE-2009-1786. Webapps exploit for php platform
id | EDB-ID:33001
last seen | 2016-02-03
modified | 2009-05-20
published | 2009-05-20
reporter | inking
source | https://www.exploit-db.com/download/33001/
title | Kingsoft Webshield 1.1.0.62 - Cross-Site scripting and Remote Command Execution Vulnerability
id | EDB-ID:9306
Nessus
NASL family | AIX Local Security Checks
NASL id | AIX_IZ50121.NASL
description | There is a race condition in the MALLOCDEBUG debugging component of the malloc subsystem in the library libc.a. A local user can exploit this race condition when executing setuid root programs and thereby overwrite any file in the system. The successful exploitation of this vulnerability allows a local user to overwrite arbitrary files and execute arbitrary code as the root user. The following libraries are vulnerable : /usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 64325
published | 2013-01-30
reporter | This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/64325
title | AIX 6.1 TL 2 : libc (IZ50121)
code |

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The text in the description was extracted from AIX Security
# Advisory libc_advisory.asc.
#

include("compat.inc");

# Plugin metadata: registered when Nessus loads the script, not when it runs.
if (description)
{
  script_id(64325);
  script_version("1.3");
  script_cvs_date("Date: 2019/09/16 14:12:52");

  script_cve_id("CVE-2009-1786");

  script_name(english:"AIX 6.1 TL 2 : libc (IZ50121)");
  script_summary(english:"Check for APAR IZ50121");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote AIX host is missing a security patch."
  );
  script_set_attribute(
    attribute:"description",
    value:
"There is a race condition in the MALLOCDEBUG debugging component of the
malloc subsystem in the library libc.a. A local user can exploit this
race condition when executing setuid root programs and thereby overwrite
any file in the system.

The successful exploitation of this vulnerability allows a local user to
overwrite arbitrary files and execute arbitrary code as the root user.

The following libraries are vulnerable :

/usr/ccs/lib/libc.a
/usr/ccs/lib/libp/libc.a."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://aix.software.ibm.com/aix/efixes/security/libc_advisory.asc"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Install the appropriate interim fix."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_cwe_id(362);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:ibm:aix:6.1");

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/05/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/05/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/01/30");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.");
  script_family(english:"AIX Local Security Checks");

  # Requires the SSH-gathered fileset inventory (lslpp output) from the host.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/AIX/lslpp", "Host/local_checks_enabled", "Host/AIX/version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("aix.inc");
include("misc_func.inc");

# Bail out early if local checks are disabled or the host is not AIX.
if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if ( ! get_kb_item("Host/AIX/version") ) audit(AUDIT_OS_NOT, "AIX");
if ( ! get_kb_item("Host/AIX/lslpp") ) audit(AUDIT_PACKAGE_LIST_MISSING);

if ( get_kb_item("Host/AIX/emgr_failure" ) ) exit(0, "This iFix check is disabled because : "+get_kb_item("Host/AIX/emgr_failure") );

flag = 0;

# aix_check_ifix() returns < 0 when the affected fileset is installed and the
# interim fix (iFix) IZ50121_02 is not.
if (aix_check_ifix(release:"6.1", ml:"02", patch:"IZ50121_02", package:"bos.rte.libc", minfilesetver:"6.1.2.0", maxfilesetver:"6.1.0.3") < 0) flag++;
if (aix_check_ifix(release:"6.1", ml:"02", patch:"IZ50121_02", package:"bos.adt.prof", minfilesetver:"6.1.2.0", maxfilesetver:"6.1.0.3") < 0) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:aix_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family | AIX Local Security Checks
NASL id | AIX_IZ50517.NASL
description | There is a race condition in the MALLOCDEBUG debugging component of the malloc subsystem in the library libc.a. A local user can exploit this race condition when executing setuid root programs and thereby overwrite any file in the system. The successful exploitation of this vulnerability allows a local user to overwrite arbitrary files and execute arbitrary code as the root user. The following libraries are vulnerable : /usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 64331
published | 2013-01-30
reporter | This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/64331
title | AIX 5.3 TL 7 : libc (IZ50517)

NASL family | AIX Local Security Checks
NASL id | AIX_IZ50445.NASL
description | There is a race condition in the MALLOCDEBUG debugging component of the malloc subsystem in the library libc.a. A local user can exploit this race condition when executing setuid root programs and thereby overwrite any file in the system. The successful exploitation of this vulnerability allows a local user to overwrite arbitrary files and execute arbitrary code as the root user. The following libraries are vulnerable : /usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 64328
published | 2013-01-30
reporter | This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/64328
title | AIX 5.3 TL 9 : libc (IZ50445)

NASL family | AIX Local Security Checks
NASL id | AIX_IZ50139.NASL
description | There is a race condition in the MALLOCDEBUG debugging component of the malloc subsystem in the library libc.a. A local user can exploit this race condition when executing setuid root programs and thereby overwrite any file in the system. The successful exploitation of this vulnerability allows a local user to overwrite arbitrary files and execute arbitrary code as the root user. The following libraries are vulnerable : /usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 64327
published | 2013-01-30
reporter | This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/64327
title | AIX 6.1 TL 0 : libc (IZ50139)

NASL family | AIX Local Security Checks
NASL id | AIX_IZ50447.NASL
description | There is a race condition in the MALLOCDEBUG debugging component of the malloc subsystem in the library libc.a. A local user can exploit this race condition when executing setuid root programs and thereby overwrite any file in the system. The successful exploitation of this vulnerability allows a local user to overwrite arbitrary files and execute arbitrary code as the root user. The following libraries are vulnerable : /usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 64329
published | 2013-01-30
reporter | This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/64329
title | AIX 5.3 TL 8 : libc (IZ50447)

NASL family | AIX Local Security Checks
NASL id | AIX_IZ50500.NASL
description | There is a race condition in the MALLOCDEBUG debugging component of the malloc subsystem in the library libc.a. A local user can exploit this race condition when executing setuid root programs and thereby overwrite any file in the system. The successful exploitation of this vulnerability allows a local user to overwrite arbitrary files and execute arbitrary code as the root user. The following libraries are vulnerable : /usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 64330
published | 2013-01-30
reporter | This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/64330
title | AIX 5.3 TL 0 : libc (IZ50500)

NASL family | AIX Local Security Checks
NASL id | AIX_IZ50129.NASL
description | There is a race condition in the MALLOCDEBUG debugging component of the malloc subsystem in the library libc.a. A local user can exploit this race condition when executing setuid root programs and thereby overwrite any file in the system. The successful exploitation of this vulnerability allows a local user to overwrite arbitrary files and execute arbitrary code as the root user. The following libraries are vulnerable : /usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 64326
published | 2013-01-30
reporter | This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/64326
title | AIX 6.1 TL 1 : libc (IZ50129)
Oval
accepted | 2009-08-31T04:00:09.685-04:00
class | vulnerability
contributors |
definition_extensions |
description | The malloc subsystem in libc in IBM AIX 5.3 and 6.1 allows local users to create or overwrite arbitrary files via a symlink attack on the log file associated with the MALLOCDEBUG environment variable.
family | unix
id | oval:org.mitre.oval:def:6276
status | accepted
submitted | 2009-07-18T15:10:44.000-05:00
title | Malloc subsystem in libc in IBM AIX 5.3 and 6.1 vulnerability.
version | 43
Packetstorm
data source | https://packetstormsecurity.com/files/download/139565/aixlquery-escalate.txt |
id | PACKETSTORM:139565 |
last seen | 2016-12-05 |
published | 2016-11-04 |
reporter | Hector X. Monsegur |
source | https://packetstormsecurity.com/files/139565/AIX-5.3-6.1-7.1-7.2-lquerylv-Local-Root.html |
title | AIX 5.3 / 6.1 / 7.1 / 7.2 lquerylv Local Root |
References
- http://aix.software.ibm.com/aix/efixes/security/libc_advisory.asc
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=802
- http://secunia.com/advisories/35146
- http://securitytracker.com/id?1022261
- http://www.ibm.com/support/docview.wss?uid=isg1IZ50121
- http://www.ibm.com/support/docview.wss?uid=isg1IZ50129
- http://www.ibm.com/support/docview.wss?uid=isg1IZ50139
- http://www.ibm.com/support/docview.wss?uid=isg1IZ50445
- http://www.ibm.com/support/docview.wss?uid=isg1IZ50447
- http://www.ibm.com/support/docview.wss?uid=isg1IZ50500
- http://www.ibm.com/support/docview.wss?uid=isg1IZ50517
- http://www.osvdb.org/54617
- http://www.securityfocus.com/bid/35034
- http://www.vupen.com/english/advisories/2009/1380
- https://exchange.xforce.ibmcloud.com/vulnerabilities/50636
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6276
- https://www.exploit-db.com/exploits/9306