[NEWS] Mac OS X 10.1 Local Security Exploit

From: support@securiteam.com
Date: 10/23/01


From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Mac OS X 10.1 Local Security Exploit
Message-Id: <20011023075430.6D31A138BF@mail.der-keiler.de>
Date: Tue, 23 Oct 2001 09:54:30 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Mac OS X 10.1 Local Security Exploit
------------------------------------------------------------------------

SUMMARY

A serious security exploit has been found in Mac OS X 10.1 (in fact, as it
turns out, it has been present in 10.0.x versions as well). Using this
exploit any user at the Desktop can gain root access to the machine.

DETAILS

The problem is caused by applications that are set-uid root (that is,
regardless of the user that runs them, they have root permissions).
Normally these programs have a limited scope of functionality so that
damage is minimized. However, it appears that any items launched from the
Apple->Recent Items menu inherit the root user privileges. Additionally,
any other apps in the Apple menu (i.e. System Preferences) can be launched
as root using this hole.

This can be demonstrated using the following technique:
1) Launch Terminal
2) Type whoami and hit return (this will show you who you are logged in
as)
3) Quit Terminal
4) Launch NetInfo Manager
5) Select Apple Menu->Recent Items->Terminal
6) Type whoami and hit return (you will now be root)
7) Quit Terminal (so you do not accidentally leave root logged in)

This is a serious problem, and works even if the root user has never been
enabled on the machine. Apple will need to release an update to Mac OS X
10.1 to ensure that this exploit is closed. Apple is aware of this issue,
and a fix is already in progress.

You can find any set-uid root programs on your system using the following
command:
    sudo find / -perm -4000 -user root -print

This will print a list of all the applications on your system that are set
to run as root even if you are not logged in as root. There are a number
of them, but only applications that provide an Aqua user interface are of
concern for this particular exploit. In particular, you may want to
consider further securing the following applications

   /Applications/Utilities/Disk Utility.app
   /Applications/Utilities/NetInfo Manager.app
   /Applications/Utilities/Print Center.app

by making them runnable only by root and members of the admin group:
     sudo chmod o-x \
     '/Applications/Utilities/Disk Utility.app/Contents/MacOS/Disk Utility' \
     '/Applications/Utilities/NetInfo Manager.app/Contents/MacOS/NetInfo Manager' \
     '/Applications/Utilities/Print Center.app/Contents/MacOS/PrintingReset'

This may affect the application or user experience. You may even want to
make them only executable by root (change the chmod o-x to chmod go-x
above).

Additionally, some third-party applications have been distributed set-uid
root and could be sources of concern in addition to the items
specifically mentioned above.
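
The find command and the chmod o-x step above can be combined into one audit, shown here as an added example that is not part of the original advisory. It lists only set-uid executables inside .app bundles and reports whether users outside the owning group can still run them. The function name audit_suid_bundles and its optional OWNER argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the advisory): report set-uid executables that
# live inside .app bundles, the Aqua applications the advisory is
# concerned with, and whether "other" users may still execute them.
#
# Usage: audit_suid_bundles DIR [OWNER]
#   DIR   - tree to scan, e.g. /Applications
#   OWNER - file owner to match; defaults to root. Parameterised
#           (assumption) so the check can be tried on a constructed
#           tree without root privileges.
# Output: one line per finding, "<status> <mode> <path>":
#   WORLD-EXEC  users outside owner/group can run the binary
#   RESTRICTED  they cannot (the state after chmod o-x)
audit_suid_bundles() {
    dir=$1
    owner=${2:-root}
    find "$dir" -type f -perm -4000 -user "$owner" \
        -path '*.app/Contents/MacOS/*' -print 2>/dev/null |
    while IFS= read -r f; do
        # Keep only the 10-character mode string; this drops any
        # trailing ACL or extended-attribute marker that ls appends.
        mode=$(ls -ld "$f" | cut -c1-10)
        # The last mode character is the "other" execute slot:
        # x or t means executable by others, - or T means not.
        case $mode in
            *[xt]) status=WORLD-EXEC ;;
            *)     status=RESTRICTED ;;
        esac
        printf '%s %s %s\n' "$status" "$mode" "$f"
    done
}

# When run as a script with arguments, audit the given tree, e.g.:
#   sh audit.sh /Applications
if [ "$#" -gt 0 ]; then
    audit_suid_bundles "$@"
fi
```

Any line still marked WORLD-EXEC after the chmod step is a set-uid Aqua application that every local user can launch.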

ADDITIONAL INFORMATION

The information has been provided by Scott Anguish <sanguish@digifix.com>
and Luke Gill <lgill@allcovered.com>.
