The Mac OS X malloc() function uses environment variables that can be modified by a local attacker and used to perform a privilege escalation attack.
Credit:
The information has been provided by Suresec Advisories.
The original article can be found at: http://www.suresec.org/advisories/adv7.pdf
Vulnerable Systems:
* Mac OS X prior to Apple security update 2005-008
The malloc() function within the libSystem library on Mac OS X uses several environment variables to enable various logging functionality. The description of one of these variables, "MallocLogFile", taken from the manual page, is shown below:

    MallocLogFile <f>    Create/append messages to the given file
                         path <f> instead of writing to the standard
                         error.

The flaw is that malloc() still honors this variable when the application is suid root.
The following code taken from libSystem (libc) illustrates this:

    flag = getenv("MallocLogFile");
    if (flag) {
        fd = open(flag, O_WRONLY|O_APPEND|O_CREAT, 0644);
        if (fd >= 0) {
            malloc_debug_file = fd;
            fcntl(fd, F_SETFD, 0); // clear close-on-exec flag XXX why?
        } else {
            malloc_printf("Could not open %s, using stderr\n", flag);
        }
    }

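A malicious user can set this variable before running a suid application. Because the open() call above then runs with root privileges and uses O_APPEND|O_CREAT, malloc's log output is appended to the named file, or the file is created if it does not exist. This allows modification of any file on the system and can be used to trivially escalate privileges.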
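One way to close this class of bug is to ignore the variable whenever the process runs with elevated privileges. The sketch below is an added example, not libSystem code and not necessarily how Security Update 2005-008 fixes the issue; the function names ids_differ, running_privileged and open_debug_log are hypothetical.

```c
/* Added example (hypothetical names, not libSystem code): honor a
 * debug-log environment variable only when the process is unprivileged. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* exposes O_NOFOLLOW and O_CLOEXEC */
#endif
#include <fcntl.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Real and effective IDs differ when the process was started from a
 * setuid or setgid binary; its environment then belongs to the caller. */
int ids_differ(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* On Mac OS X and the BSDs, issetugid() is the more robust test because it
 * stays true after the program has changed its own IDs. */
int running_privileged(void)
{
    return ids_differ(getuid(), geteuid(), getgid(), getegid());
}

/* Return a descriptor for the file named by environment variable `name`,
 * or -1 so the caller falls back to stderr. `privileged` is a parameter so
 * the policy can be exercised without installing a setuid binary. */
int open_debug_log(const char *name, int privileged)
{
    const char *path;

    if (privileged)
        return -1; /* ignore the environment entirely */
    path = getenv(name);
    if (path == NULL || path[0] == '\0')
        return -1;
    /* O_NOFOLLOW rejects a symlink as the final path component;
     * O_CLOEXEC keeps the descriptor out of exec'd children. */
    return open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC,
                0644);
}

int main(void)
{
    int fd = open_debug_log("MallocLogFile", running_privileged());
    if (fd >= 0)
        close(fd);
    return 0;
}
```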
Vendor Status:
The vendor has issued a fix to the issue in Security Update 2005-008.
CVE Information:
CAN-2005-2748