Tried, Tested and Proven

Vulnerability title: Runtime Linker Allows Privilege Escalation Via Arbitrary File Writes In IBM AIX

CVE: CVE-2014-3074
Vendor: IBM
Product: AIX
Affected version: AIX 6.1 and 7.1 and VIOS 2.2.*
Fixed version: See IBM’s Security Bulletin
Reported by: Tim Brown

Details:

It has been identified that the runtime linker allows privilege escalation via arbitrary file writes with elevated privileges (SetGID and SetUID programs). The following will cause a new file /etc/pwned to be created with permissions of rw-rw-rw:

umask 0
MALLOCOPTIONS=buckets MALLOCBUCKETS=number_of_buckets:8,bucket_statistics:/etc/pwned
export MALLOCOPTIONS MALLOCBUCKETS
su -

In instances where the output file exists, then the report_allocations output will be appended to the existing file and the permissions preserved.

Impact:

An attacker could create security sensitive files (such as libraries or configuration files), which when processed by a privileged program will lead to privilege escalation in instances where the program runs with privileges that the attacker does not have. For example, if the program is SetUID root, by creating a malicious library within a trusted location, an attacker would obtain root privileges upon exploiting this vulnerability.

Exploit:

The proof of concept exploit code is available.

Vendor status:

14/04/2014 Advisory created
16/04/2014 Vendor contacted
17/04/2014 Vendor assigned advisory ID
22/05/2014 Requested update from vendor
23/05/2014 Vendor forwarded request to development team
30/06/2014 Vendor released patch and security bulletin
03/07/2014 Contacted Vendor to confirm status
03/07/2014 Vendor responded with confirmation
08/07/2014 Published
Copyright:

Copyright © Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.

Disclaimer:

The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.