[NEWS] Mac OS X Systemic Insecure File Permissions

From: SecuriTeam (support_at_securiteam.com)
Date: 10/29/03

    To: list@securiteam.com
    Date: 29 Oct 2003 15:09:46 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Mac OS X Systemic Insecure File Permissions
    ------------------------------------------------------------------------

    SUMMARY

    Many applications are installed onto Mac OS X systems with insecure file
    permissions. This is due to two distinct classes of problems:
     1) a security issue regarding DMG files managed by Mac OS X
     2) insecure file permissions packaged by different vendors

    The result is that many of the files and directories that compose various
    applications are globally writable. This allows attackers with filesystem
    access to an OS X machine to replace binaries and obtain additional
    privileges from unsuspecting users, who may run the replaced version of
    the binary.

    DETAILS

    Vulnerable systems:
     * Mac OS X 10.2.8 and prior

    Immune systems:
     * Mac OS X 10.3

    Issue #1: DMG File Permissions
    When a directory is dragged off a mounted DMG, Mac OS X resets its
    permissions to global read/write/execute. It exhibits the same behavior
    when folders are dragged onto a mounted DMG. This resetting does not
    appear to occur on files, only directories. Since these directories
    contain application binaries, attackers with interactive access to a Mac
    OS X system can overwrite many applications with Trojan binaries. These
    Trojan binaries would escalate the privileges of the attacker to the
    privileges of the unsuspecting user who ran them.

    Issue #2: Incorrect Vendor-Specified File Permissions
    Many Mac OS X vendors, both large and small, package and ship applications
    with insecure file permissions. World writable files have included:
     1) Application and support executables
     2) Directories
     3) Shared objects
     4) Configuration files
     5) HTML and JavaScript

    Typically, these files have existed within the following directories (but
    not exclusively):
     1) /Applications
     2) /Library/Application Support
     3) /Library/StartupItems

    The number of vendors affected by this is large, and individual
    applications affected are not provided within this advisory. However, the
    recommendations section provides a UNIX command that can be used to
    identify insecure file permissions.

    Vendor Response:
    This is fixed in Mac OS X 10.3 where Finder will preserve the permissions
    on copied folders. For any existing folders, it is possible to manually
    change the permissions to the desired setting through the Get Info command
    in the File menu of the Finder, then modifying the "Ownership &
    Permissions" settings for the selected folder or file. Disk Utility, found
    in /Applications/Utilities is also helpful in setting system-wide folder
    permissions via the "Repair Disk Permissions" button.

    For further information on Mac OS X 10.3, please see
    http://www.apple.com/macosx/.

    Recommendations:
    1) Review the file and directory permissions in the following directories:
    /Applications, /Library/Application Support and /Library/StartupItems.

    While it may make sense to remove global write permissions on all
    directories in /Applications, this may break the functionality of certain
    applications. To attempt this, execute the following command from within
    Terminal.app:
     find /Applications -type d -exec chmod o-w {} \;

    Warning: this command may break certain applications.

    2) Upgrade to Panther (Mac OS X 10.3).

    3) When installing applications, use the UNIX cp(1) command.
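    The following audit script is an added example and is not part of the
    advisory. It reports world-writable directories and files under the three
    directories the advisory names (so they can be reviewed before anything is
    changed), applies the advisory's own directory-only chmod fix, and builds a
    constructed sample tree (Fake.app, Safe.app, config.plist are invented names)
    so it can be tried without touching a real /Applications.

```shell
#!/bin/sh
# Added example (not from the advisory): report world-writable entries under
# the advisory's directories, then apply its fix to directories only.

# Print world-writable directories and files under each root, one per line
# as "<dir|file> <path>". Symlinks are skipped; their mode bits mean nothing.
audit_world_writable() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -type d -perm -0002 -print | sed 's/^/dir /'
        find "$root" -type f -perm -0002 -print | sed 's/^/file /'
    done
}

# Number of findings; usable as a check value or a monitoring metric.
count_world_writable() {
    audit_world_writable "$@" | wc -l | tr -d ' '
}

# The advisory's fix: drop the "other" write bit from directories only.
# World-writable files are reported above but left for manual review.
fix_world_writable_dirs() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -type d -perm -0002 -exec chmod o-w {} \;
    done
}

# Constructed sample tree mimicking the advisory: an app bundle whose
# directories came off a DMG as 777, plus a vendor-shipped 666 config file.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/Fake.app/Contents/MacOS" "$root/Safe.app/Contents"
    printf 'binary\n' > "$root/Fake.app/Contents/MacOS/Fake"
    printf 'cfg\n' > "$root/Fake.app/Contents/config.plist"
    chmod 777 "$root/Fake.app" "$root/Fake.app/Contents" "$root/Fake.app/Contents/MacOS"
    chmod 666 "$root/Fake.app/Contents/config.plist"
    chmod 755 "$root/Fake.app/Contents/MacOS/Fake" "$root/Safe.app" "$root/Safe.app/Contents"
    printf '%s\n' "$root"
}

# `sh audit.sh --demo` walks the sample tree; `sh audit.sh --audit` reports
# (read-only) on the advisory's real directories.
case "${1:-}" in
    --demo)  t=$(make_sample_tree)
             echo "before fix: $(count_world_writable "$t") world-writable entries"
             fix_world_writable_dirs "$t"; audit_world_writable "$t"; rm -rf "$t" ;;
    --audit) audit_world_writable /Applications "/Library/Application Support" /Library/StartupItems ;;
esac
```

    On the sample tree the audit reports three directories and one file; after the fix only the 666 config file remains, which is exactly the class of finding the advisory says needs per-vendor review rather than a blanket chmod.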

    ADDITIONAL INFORMATION

    The original advisory can be downloaded from:
    http://www.atstake.com/research/advisories/2003/a102803-2.txt

    The information has been provided by Dave G. of @Stake
    (daveg@atstake.com).

