CVE-2009-1786 - Race Condition vulnerability in IBM AIX 5.3/6.1

CVSS 6.9 - MEDIUM (CVSS v2 vector AV:L/AC:M/Au:N/C:C/I:C/A:C)
Attack vector: LOCAL
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: local, ibm, CWE-362, nessus, exploit available

Summary

The malloc subsystem in libc in IBM AIX 5.3 and 6.1 allows local users to create or overwrite arbitrary files via a symlink attack on the log file associated with the MALLOCDEBUG environment variable. The issue is reachable through setuid-root programs, which honour the caller's MALLOCDEBUG setting and therefore write the debug log with root privileges; a symlink planted at the expected log path redirects that write to any file on the system, and overwriting a root-owned file leads to arbitrary code execution as root.
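The mechanism described above, as an added example that is not IBM's code and not the real libc MALLOCDEBUG implementation: a small C program that reproduces the symlink-to-log-file pattern in a scratch directory, with the vulnerable open beside a hardened one and the privilege check a setuid program should apply before trusting a user-controlled debug setting at all. The scratch directory, file names, victim contents and log text are all constructed for the demonstration; the hardened open shows the general mitigation pattern, not the vendor's fix.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Guard a setuid/setgid program should apply before honouring any
 * user-controlled debug setting (the MALLOCDEBUG log path is one): when
 * real and effective ids differ, the environment belongs to a less
 * privileged caller and must not be allowed to choose file paths. */
int debug_log_allowed(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid == euid && rgid == egid;
}

/* Vulnerable pattern: open the log path exactly as supplied. fopen("w")
 * follows symbolic links and truncates whatever they point to, so a link
 * planted at the expected path redirects the write to any file the
 * effective uid may modify. */
int open_log_unsafe(const char *path)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs("malloc debug output\n", f);
    fclose(f);
    return 0;
}

/* Hardened pattern: O_NOFOLLOW refuses a symlink as the final path
 * component and O_CREAT|O_EXCL refuses a file that already exists, so a
 * pre-planted link or file makes the open fail (ELOOP / EEXIST) instead
 * of being silently overwritten. */
int open_log_safe(const char *path)
{
    static const char msg[] = "malloc debug output\n";
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, msg, sizeof msg - 1);
    close(fd);
    return n == (ssize_t)(sizeof msg - 1) ? 0 : -1;
}

/* Simulate the attack in a scratch directory. A "victim" file stands in
 * for the root-owned target and the attacker plants a symlink where the
 * privileged program will write its log. Returns 1 if the victim's
 * content was clobbered, 0 if it survived, -1 on setup failure. */
int victim_clobbered(int use_safe_open)
{
    char dir[] = "/tmp/mdbgXXXXXX";          /* constructed scratch dir */
    char victim[64], logpath[64], buf[64] = {0};
    FILE *v;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(logpath, sizeof logpath, "%s/malloc.log", dir);

    /* Constructed victim content (in the real attack: any root-owned file). */
    if ((v = fopen(victim, "w")) == NULL)
        return -1;
    fputs("original contents\n", v);
    fclose(v);

    /* Attacker step: plant the link before the privileged program runs. */
    if (symlink(victim, logpath) != 0)
        return -1;

    /* Privileged program step: write the debug log to the supplied path. */
    if (use_safe_open)
        open_log_safe(logpath);    /* fails, victim untouched */
    else
        open_log_unsafe(logpath);  /* follows the link, truncates victim */

    if ((v = fopen(victim, "r")) == NULL)
        return -1;
    if (fgets(buf, sizeof buf, v) == NULL)
        buf[0] = '\0';
    fclose(v);

    unlink(logpath);
    unlink(victim);
    rmdir(dir);
    return strcmp(buf, "original contents\n") != 0;
}

int main(void)
{
    printf("unsafe open, victim clobbered: %d\n", victim_clobbered(0));
    printf("safe open,   victim clobbered: %d\n", victim_clobbered(1));
    printf("honour MALLOCDEBUG when ruid 1000 / euid 0: %d\n",
           debug_log_allowed(1000, 0, 1000, 0));
    return 0;
}
```

Compile with `cc -o mdbg mdbg.c` and run as an unprivileged user: the unsafe variant reports the victim as clobbered, the O_NOFOLLOW|O_EXCL variant fails the open and leaves it intact, and the id check refuses to honour the setting in a setuid context. On AIX itself the actual remediation is the libc interim fix listed under Nessus and Oval below; the point of the hardened open is that the log path must never be both user-chosen and opened with privileges that follow links.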

Vulnerable Configurations

Part | Description | Count
OS | Ibm | 2

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions
    This attack targets a race condition that occurs when multiple processes access and manipulate the same resource concurrently and the outcome depends on the order in which those accesses take place. The attacker leverages it by "running the race": modifying the resource at the right moment and thereby altering the normal execution flow. For instance, a race condition can occur while accessing a file: the attacker replaces the original file with his own version and causes the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition between the time a resource's state is checked and the time the resource is used. The typical example is file access. The attacker leverages it by "running the race": modifying the resource between the first time the target program accesses the file and the time the program uses it. During that window the attacker can, for example, replace the file and cause an escalation of privilege.

Exploit-Db

  • description: Kingsoft Webshield 1.1.0.62 Cross Site scripting and Remote Command Execution Vulnerability. CVE-2009-1786. Webapps exploit for php platform
    id: EDB-ID:33001
    last seen: 2016-02-03
    modified: 2009-05-20
    published: 2009-05-20
    reporter: inking
    source: https://www.exploit-db.com/download/33001/
    title: Kingsoft Webshield 1.1.0.62 - Cross-Site scripting and Remote Command Execution Vulnerability
  • id: EDB-ID:9306

Note that EDB-ID 33001 is a PHP web-application exploit; its description does not match the AIX libc issue on this page, so the CVE tag on that record should be treated as a mislabelled cross-reference rather than as an exploit for this vulnerability.

Nessus

  • NASL family: AIX Local Security Checks
    NASL id: AIX_IZ50121.NASL
    description: There is a race condition in the MALLOCDEBUG debugging component of the malloc subsystem in the library libc.a. A local user can exploit this race condition when executing setuid root programs and thereby overwrite any file in the system. The successful exploitation of this vulnerability allows a local user to overwrite arbitrary files and execute arbitrary code as the root user. The following libraries are vulnerable : /usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 64325
    published: 2013-01-30
    reporter: This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/64325
    title: AIX 6.1 TL 2 : libc (IZ50121)
    The plugin decides from the fileset levels of bos.rte.libc and bos.adt.prof (collected via lslpp) and the installed interim fixes (collected via emgr); on the host itself the same data comes from `lslpp -L bos.rte.libc bos.adt.prof` and `emgr -l`.
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text in the description was extracted from AIX Security
    # Advisory libc_advisory.asc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(64325);
      script_version("1.3");
      script_cvs_date("Date: 2019/09/16 14:12:52");
    
      script_cve_id("CVE-2009-1786");
    
      script_name(english:"AIX 6.1 TL 2 : libc (IZ50121)");
      script_summary(english:"Check for APAR IZ50121");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote AIX host is missing a security patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "There is a race condition in the MALLOCDEBUG debugging component of
    the malloc subsystem in the library libc.a. A local user can exploit
    this race condition when executing setuid root programs and thereby
    overwrite any file in the system.
    
    The successful exploitation of this vulnerability allows a local user
    to overwrite arbitrary files and execute arbitrary code as the root
    user.
    
    The following libraries are vulnerable :
    
    /usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://aix.software.ibm.com/aix/efixes/security/libc_advisory.asc"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Install the appropriate interim fix."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_cwe_id(362);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:ibm:aix:6.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2009/05/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2009/05/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/01/30");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.");
      script_family(english:"AIX Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/AIX/lslpp", "Host/local_checks_enabled", "Host/AIX/version");
    
      exit(0);
    }
    
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("aix.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if ( ! get_kb_item("Host/AIX/version") ) audit(AUDIT_OS_NOT, "AIX");
    if ( ! get_kb_item("Host/AIX/lslpp") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    if ( get_kb_item("Host/AIX/emgr_failure" ) ) exit(0, "This iFix check is disabled because : "+get_kb_item("Host/AIX/emgr_failure") );
    
    flag = 0;
    
    if (aix_check_ifix(release:"6.1", ml:"02", patch:"IZ50121_02", package:"bos.rte.libc", minfilesetver:"6.1.2.0", maxfilesetver:"6.1.0.3") < 0) flag++;
    if (aix_check_ifix(release:"6.1", ml:"02", patch:"IZ50121_02", package:"bos.adt.prof", minfilesetver:"6.1.2.0", maxfilesetver:"6.1.0.3") < 0) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:aix_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: AIX Local Security Checks
    NASL id: AIX_IZ50517.NASL
    description: same text as the IZ50121 entry above (MALLOCDEBUG race condition in libc.a; /usr/ccs/lib/libc.a and /usr/ccs/lib/libp/libc.a affected)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 64331
    published: 2013-01-30
    reporter: This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/64331
    title: AIX 5.3 TL 7 : libc (IZ50517)
  • NASL family: AIX Local Security Checks
    NASL id: AIX_IZ50445.NASL
    description: same text as the IZ50121 entry above
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 64328
    published: 2013-01-30
    reporter: This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/64328
    title: AIX 5.3 TL 9 : libc (IZ50445)
  • NASL family: AIX Local Security Checks
    NASL id: AIX_IZ50139.NASL
    description: same text as the IZ50121 entry above
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 64327
    published: 2013-01-30
    reporter: This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/64327
    title: AIX 6.1 TL 0 : libc (IZ50139)
  • NASL family: AIX Local Security Checks
    NASL id: AIX_IZ50447.NASL
    description: same text as the IZ50121 entry above
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 64329
    published: 2013-01-30
    reporter: This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/64329
    title: AIX 5.3 TL 8 : libc (IZ50447)
  • NASL family: AIX Local Security Checks
    NASL id: AIX_IZ50500.NASL
    description: same text as the IZ50121 entry above
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 64330
    published: 2013-01-30
    reporter: This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/64330
    title: AIX 5.3 TL 0 : libc (IZ50500)
  • NASL family: AIX Local Security Checks
    NASL id: AIX_IZ50129.NASL
    description: same text as the IZ50121 entry above
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 64326
    published: 2013-01-30
    reporter: This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/64326
    title: AIX 6.1 TL 1 : libc (IZ50129)

Oval

accepted: 2009-08-31T04:00:09.685-04:00
class: vulnerability
contributors
  name: Aharon Chernin
  organization: DTCC
definition_extensions
  • comment: IBM AIX 5300-00 is installed
    oval: oval:org.mitre.oval:def:6195
  • comment: IBM AIX 5300-01 through 5300-06 is installed
    oval: oval:org.mitre.oval:def:5973
  • comment: IBM AIX 5300-07 is installed
    oval: oval:org.mitre.oval:def:5707
  • comment: IBM AIX 5300-08 is installed
    oval: oval:org.mitre.oval:def:5293
  • comment: IBM AIX 5300-09 is installed
    oval: oval:org.mitre.oval:def:6306
  • comment: IBM AIX 6100-00 is installed
    oval: oval:org.mitre.oval:def:5589
  • comment: IBM AIX 6100-01 is installed
    oval: oval:org.mitre.oval:def:5959
  • comment: IBM AIX 6100-02 is installed
    oval: oval:org.mitre.oval:def:5685
description: The malloc subsystem in libc in IBM AIX 5.3 and 6.1 allows local users to create or overwrite arbitrary files via a symlink attack on the log file associated with the MALLOCDEBUG environment variable.
family: unix
id: oval:org.mitre.oval:def:6276
status: accepted
submitted: 2009-07-18T15:10:44.000-05:00
title: Malloc subsystem in libc in IBM AIX 5.3 and 6.1 vulnerability.
version: 43

Packetstorm

data source: https://packetstormsecurity.com/files/download/139565/aixlquery-escalate.txt
id: PACKETSTORM:139565
last seen: 2016-12-05
published: 2016-11-04
reporter: Hector X. Monsegur
source: https://packetstormsecurity.com/files/139565/AIX-5.3-6.1-7.1-7.2-lquerylv-Local-Root.html
title: AIX 5.3 / 6.1 / 7.1 / 7.2 lquerylv Local Root