Vulnerable Systems:
* Mac OS X prior to Apple security update 2005-008
The malloc() implementation in the libSystem library on Mac OS X reads several environment variables that enable various debugging and logging features. The description of one of these variables, "MallocLogFile", taken from the malloc(3) manual page, is shown below:
MallocLogFile <f>   Create/append messages to the given file path <f>
                    instead of writing to the standard error.
The flaw is that malloc() still honors this variable when the calling program is set-user-ID root, even though the environment of such a program is entirely under the control of the unprivileged user who invoked it.
The following code, taken from libSystem (libc), illustrates this:
    /* Environment is trusted unconditionally; no issetugid() check. */
    flag = getenv("MallocLogFile");
    if (flag) {
        fd = open(flag, O_WRONLY|O_APPEND|O_CREAT, 0644);
        if (fd >= 0) {
            malloc_debug_file = fd;
            fcntl(fd, F_SETFD, 0); // clear close-on-exec flag XXX why?
        } else {
            malloc_printf("Could not open %s, using stderr\n", flag);
        }
    }
A local, unprivileged user can therefore set MallocLogFile to the path of a protected file before running a suid-root application. malloc() opens that path with O_CREAT|O_APPEND while running as root, so the user can create, or append to, any file on the system. This can be used to trivially escalate privileges to root.
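The following is an added example, not code from the advisory or from Apple's libSystem. It places the vulnerable pattern beside the hardened form that set-id-aware libraries use: before honoring any environment variable, ask the kernel whether the process was started with elevated privileges (issetugid() on BSD and Mac OS X, the AT_SECURE auxiliary-vector flag on Linux) and, if so, ignore the variable entirely. The function names and the "tainted" parameter are assumptions made so the decision can be exercised without building a real suid binary.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#if defined(__linux__)
#include <sys/auxv.h>
#endif

/* Nonzero when the process gained privilege through set-user-ID/set-group-ID
 * execution and therefore must not trust anything inherited from its caller,
 * its environment included. */
int process_is_tainted(void)
{
#if defined(__linux__)
    return getauxval(AT_SECURE) != 0;   /* kernel sets AT_SECURE on a setuid exec */
#else
    return issetugid();                 /* BSD / Mac OS X */
#endif
}

/* Vulnerable pattern from the advisory (hypothetical helper name): the path
 * is honored regardless of privilege, so a suid-root process creates or
 * appends to whatever the caller named. */
int open_log_unsafe(const char *path)
{
    int fd;
    if (path == NULL)
        return -1;
    fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0644);
    if (fd >= 0)
        fcntl(fd, F_SETFD, 0);  /* also clears close-on-exec, leaking the fd to children */
    return fd;
}

/* Hardened pattern: refuse in a tainted process, and keep the descriptor
 * close-on-exec so it cannot leak into child processes. The tainted flag is
 * a parameter only so both branches can be exercised from an ordinary
 * process; real callers pass process_is_tainted(). */
int open_log_safe(const char *path, int tainted)
{
    if (tainted || path == NULL)
        return -1;
    return open(path, O_WRONLY | O_APPEND | O_CREAT | O_CLOEXEC, 0644);
}

/* Mirrors the libSystem logic with the check inserted: returns the log fd,
 * or -1 when the variable is unset, the open fails, or the process is tainted. */
int malloc_log_fd_from_env(int tainted)
{
    const char *flag = getenv("MallocLogFile");
    int fd = open_log_safe(flag, tainted);
    if (flag != NULL && fd < 0 && !tainted)
        fprintf(stderr, "Could not open %s, using stderr\n", flag);
    return fd;
}

int main(void)
{
    int tainted = process_is_tainted();
    int fd = malloc_log_fd_from_env(tainted);
    printf("tainted=%d log fd=%d\n", tainted, fd);
    if (fd >= 0)
        close(fd);
    return 0;
}
```

Run it once normally and once as a suid-root copy (chown root, chmod 4755) with MallocLogFile pointing at a file only root can write: the unsafe helper would happily open it, while malloc_log_fd_from_env() returns -1 in the privileged run because the kernel reports the process as set-id. Checking the aux vector or issetugid() rather than comparing getuid() against geteuid() matters because a program may already have dropped its effective uid while still holding other inherited privileges.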
Vendor Status:
The vendor has issued a fix for this issue in Security Update 2005-008.