<HTML><BODY style="word-wrap: break-word; -khtml-nbsp-mode: space; -khtml-line-break: after-white-space; "><P style="margin: 0.0px 0.0px 16.0px 0.0px"><FONT class="Apple-style-span" face="Times" size="4"><SPAN class="Apple-style-span" style="font-size: 16px;">Suresec Security Advisory - #00007 </SPAN></FONT></P><P style="margin: 0.0px 0.0px 16.0px 0.0px"><FONT class="Apple-style-span" face="Times" size="4"><SPAN class="Apple-style-span" style="font-size: 16px;">25/09/2005</SPAN></FONT></P><P style="margin: 0.0px 0.0px 16.0px 0.0px"><FONT class="Apple-style-span" face="Times" size="4"><SPAN class="Apple-style-span" style="font-size: 16px;"></SPAN></FONT></P><P style="margin: 0.0px 0.0px 16.0px 0.0px"><FONT class="Apple-style-span" face="Times" size="4"><SPAN class="Apple-style-span" style="font-size: 16px;"></SPAN></FONT></P><P style="margin: 0.0px 0.0px 16.0px 0.0px"><FONT class="Apple-style-span" face="Times" size="4"><SPAN class="Apple-style-span" style="font-size: 16px;">Mac OS X - malloc() insecure use of environment variable.<BR></SPAN></FONT><FONT class="Apple-style-span" face="Times" size="4"><SPAN class="Apple-style-span" style="font-size: 16px;"> Advisory: </SPAN></FONT><A href="http://www.suresec.org/advisories/adv6.pdf"><FONT class="Apple-style-span" face="Times" size="4"><SPAN class="Apple-style-span" style="font-size: 16px;"><FONT class="Apple-style-span" color="#0000F0">http://www.suresec.org/advisories/adv7.pdf</FONT></SPAN></FONT></A><FONT class="Apple-style-span" face="Times" size="4"><SPAN class="Apple-style-span" style="font-size: 16px;"> </SPAN></FONT></P><P style="margin: 0.0px 0.0px 16.0px 0.0px"><FONT class="Apple-style-span" face="Times" size="4"><SPAN class="Apple-style-span" style="font-size: 16px;">Description:</SPAN></FONT><FONT class="Apple-style-span" face="Times" size="4"><SPAN class="Apple-style-span" style="font-size: 16px;"> </SPAN></FONT></P><P style="margin: 0.0px 0.0px 16.0px 0.0px"><FONT class="Apple-style-span" face="Times" size="4"><SPAN class="Apple-style-span" style="font-size: 16px;">The malloc() function on Mac OS X insecurely trusts a debug variable, regardless of the fact that the calling application may be suid root.</SPAN></FONT><FONT class="Apple-style-span" face="Times" size="4"><SPAN class="Apple-style-span" style="font-size: 16px;"></SPAN></FONT></P><P style="margin: 0.0px 0.0px 16.0px 0.0px"><FONT class="Apple-style-span" face="Times" size="4"><SPAN class="Apple-style-span" style="font-size: 16px;">This can result in an arbitrary file being overwritten, which can be used to escalate privileges.  </SPAN></FONT></P><P style="margin: 0.0px 0.0px 16.0px 0.0px"><FONT class="Apple-style-span" face="Times" size="4"><SPAN class="Apple-style-span" style="font-size: 16px;">This vulnerability was discovered by Ilja van Sprundel.</SPAN></FONT><FONT class="Apple-style-span" face="Times" size="4"><SPAN class="Apple-style-span" style="font-size: 16px;"> </SPAN></FONT></P></BODY></HTML>