Vulnerability title: Runtime Linker Allows Privilege Escalation Via Arbitrary File Writes In IBM AIX
|Affected version:||AIX 6.1 and 7.1 and VIOS 2.2.*|
|Fixed version:||See IBM’s Security Bulletin|
|Reported by:||Tim Brown|
It has been identified that the runtime linker allows privilege escalation via arbitrary file writes with elevated privileges (SetGID and SetUID programs). The following will cause a new file /etc/pwned to be created with permissions of rw-rw-rw:
export MALLOCOPTIONS MALLOCBUCKETS
In instances where the output file exists, then the report_allocations output will be appended to the existing file and the permissions preserved.
An attacker could create security sensitive files (such as libraries or configuration files), which when processed by a privileged program will lead to privilege escalation in instances where the program runs with privileges that the attacker does not have. For example, if the program is SetUID root, by creating a malicious library within a trusted location, an attacker would obtain root privileges upon exploiting this vulnerability.
The proof of concept exploit code is available.
|17/04/2014||Vendor assigned advisory ID|
|22/05/2014||Requested update from vendor|
|23/05/2014||Vendor forwarded request to development team|
|30/06/2014||Vendor released patch and security bulletin|
|03/07/2014||Contacted Vendor to confirm status|
|03/07/2014||Vendor responded with confirmation|
Copyright © Portcullis Computer Security Limited 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of Portcullis Computer Security Limited.
The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user’s risk. In no event shall the author/distributor (Portcullis Computer Security Limited) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.