[NEWS] Mac OS X Arbitrary File Overwrite via Core Files

From: SecuriTeam (support_at_securiteam.com)
Date: 10/29/03

    To: list@securiteam.com
    Date: 29 Oct 2003 15:04:16 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - - - - - - - -

      Mac OS X Arbitrary File Overwrite via Core Files
    ------------------------------------------------------------------------

    SUMMARY

    If a system is running with core file creation enabled, a local attacker
    with interactive shell access can overwrite arbitrary files with the
    contents of a core file written by a root-owned process, and can read
    such core files. Because a core file is a snapshot of process memory,
    this may expose sensitive information such as authentication credentials.

    DETAILS

    Vulnerable systems:
     * Mac OS X version 10.2.8 and prior

    Immune systems:
     * Mac OS X version 10.3

    Core file creation is disabled by default in Mac OS X. If core files are
    enabled on a Mac OS X system, a root-owned process that crashes will
    write its core file to the /cores directory under the name core.PID(*).
    The file is owned by root and created with 0400 permissions (read-only
    for root, no access for anyone else).

    (*) PID would be the process ID of the process that dumped core

    Since the /cores directory is world writable and core file names are
    predictable, an attacker with interactive shell access can create a
    symbolic link named /cores/core.PID in advance, pointing at a file that
    exists elsewhere on the file system. When a root-owned process with that
    PID later dumps core, the core is written through the link, so the
    target file is overwritten with the contents of the core file. Because
    the write happens on behalf of a root-owned process, the attacker needs
    no write access to the target file, only to the /cores directory.

    At this point the attacker can overwrite any file with the contents of a
    core file. The 0400 root-only permissions stop the attacker from reading
    a core file that lands in /cores itself, but the same symbolic link
    trick redirects it: the attacker points the link at a file on a mounted
    disk image (DMG). Any user can mount a disk image, and the attacker
    controls that image, so a core file written onto it can be read back,
    effectively 'stealing' the core. Depending on what was in the memory of
    the process that dumped core, the attacker may recover private
    information, including authentication credentials.
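    The mechanism above, as an added example that is not code from the
    advisory, from @stake or from Apple: a small C program that models the
    attack on a Linux or BSD-style system. An unprivileged "attacker"
    function plants a core.PID symlink in a scratch directory (constructed
    under /tmp to stand in for /cores), a writer modelled on the vulnerable
    behaviour follows the link and clobbers the victim file, and a hardened
    writer using O_EXCL|O_NOFOLLOW refuses. The PID 4242, the directory, the
    file names and the "core" contents are assumptions made for the
    demonstration; the hardened writer is the generic fix for this class of
    bug, not a description of what Apple changed in 10.3.

```c
/* Added example, not code from the @stake/SecuriTeam advisory or from Apple:
 * a model of the /cores symlink attack beside a core writer that refuses to
 * follow links. Directory, PID 4242 and file contents are constructed here. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if any local user can create a new name in dir (world-writable), so a link
 * can be planted under a predictable name before the real file exists; 0 if
 * not; -1 if dir is missing. The sticky bit does not help: nothing is replaced. */
int dir_allows_symlink_planting(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return -1;
    return (st.st_mode & S_IWOTH) ? 1 : 0;
}

static void core_path(char *buf, size_t cap, const char *dir, pid_t pid)
{
    snprintf(buf, cap, "%s/core.%d", dir, (int)pid);  /* the /cores/core.PID scheme */
}

static int write_file(const char *path, int flags, mode_t mode, const char *data)
{
    int fd = open(path, flags, mode);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Attacker step: pre-create core.<pid> as a symlink to the victim file. */
int plant_symlink(const char *dir, pid_t pid, const char *target)
{
    char path[PATH_MAX];
    core_path(path, sizeof path, dir, pid);
    return symlink(target, path);
}

/* Vulnerable writer: open() follows the planted link, so the victim file is
 * truncated and overwritten with the (here, fake) core contents. */
int write_core_unsafe(const char *dir, pid_t pid, const char *data)
{
    char path[PATH_MAX];
    core_path(path, sizeof path, dir, pid);
    return write_file(path, O_WRONLY | O_CREAT | O_TRUNC, 0400, data);
}

/* Hardened writer: O_EXCL rejects any pre-existing name, symlink included, and
 * O_NOFOLLOW rejects a link at the final component (errno EEXIST or ELOOP). */
int write_core_safe(const char *dir, pid_t pid, const char *data)
{
    char path[PATH_MAX];
    core_path(path, sizeof path, dir, pid);
    return write_file(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0400, data);
}

static int file_holds(const char *path, const char *expect)
{
    char buf[64] = {0};
    int fd = open(path, O_RDONLY);
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n >= 0 && strcmp(buf, expect) == 0;
}

/* Runs the scenario in a scratch directory modelled on /cores. Returns 0 when
 * the unsafe writer clobbered the victim and the safe writer refused to. */
int demo(void)
{
    char dir[] = "/tmp/cores-demo-XXXXXX", victim[PATH_MAX], core[PATH_MAX];
    if (!mkdtemp(dir)) return -1;
    chmod(dir, 0777);                           /* world-writable, like /cores */
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    pid_t pid = 4242;                           /* guessed PID of the crashing root process */
    core_path(core, sizeof core, dir, pid);
    int ok = dir_allows_symlink_planting(dir) == 1
          && write_file(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600, "original") == 0
          && plant_symlink(dir, pid, victim) == 0
          && write_core_unsafe(dir, pid, "COREDATA") == 0
          && file_holds(victim, "COREDATA");    /* victim overwritten through the link */
    ok = ok && write_file(victim, O_WRONLY | O_TRUNC, 0600, "original") == 0
          && write_core_safe(dir, pid, "COREDATA") == -1
          && (errno == EEXIST || errno == ELOOP)
          && file_holds(victim, "original");    /* victim untouched */
    chmod(dir, 0755);                           /* no longer world-writable: planting fails */
    ok = ok && dir_allows_symlink_planting(dir) == 0;
    unlink(core); unlink(victim); rmdir(dir);
    return ok ? 0 : 1;
}

int main(void) { return demo(); }
```

    Build with cc -Wall -o coredemo coredemo.c and run ./coredemo; it exits 0
    when the vulnerable writer has overwritten victim.txt through the link and
    the hardened writer has failed with EEXIST or ELOOP while leaving the
    victim intact. dir_allows_symlink_planting is the audit a practitioner
    would run against /cores (or whatever directory the kernel's core file
    pattern names): a result of 1 means any local user can pre-create names
    there, which is the precondition for this attack.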

    Vendor Response:
    This is fixed in Mac OS X 10.3. The core files setting are off by default
    on all shipping versions of Mac OS X. For further information on Mac OS X
    10.3, please see <http://www.apple.com/macosx/>
    http://www.apple.com/macosx/.

    Recommendation:
    1) Upgrade to Panther (Mac OS X 10.3).

    2) If upgrading to Panther is not an option, ensure that core file
    creation stays disabled (on these releases the COREDUMPS entry in
    /etc/hostconfig should be -NO-) and confirm it from a shell, where
    ulimit -c should report 0. If core files must be enabled for debugging,
    do not leave the core directory world writable, since that is what lets
    any local user plant the symbolic link.

    ADDITIONAL INFORMATION

    The original advisory can be downloaded from:
    http://www.atstake.com/research/advisories/2003/a102803-1.txt

    The information has been provided by Dave G. of @Stake
    (daveg@atstake.com).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

