[NEWS] Mac OS X Cocktail Administrator Password Disclosure

From: SecuriTeam (support_at_securiteam.com)
Date: 05/01/05

  • Next message: SecuriTeam: "[TOOL] dltrace - Portable Dynamic Library Call Tracer"
    To: list@securiteam.com
    Date: 1 May 2005 17:47:09 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Mac OS X Cocktail Administrator Password Disclosure
    ------------------------------------------------------------------------

    SUMMARY

    " <www.macosxcocktail.com> Cocktail is a general purpose utility for Mac
    OS X. The application serves up a scrumptious mix of maintenance tools and
    interface tweaks, all accessible via a comprehensive graphical interface
    and toolset. It is a smooth and powerful utility that simplifies the use
    of advanced UNIX functions."

    Cocktail passes the administrator password to its helper commands in an
    insecure way, exposing it to any local user of the system. Exploiting
    this vulnerability may lead to privilege escalation by a local user.

    DETAILS

    Vulnerable Systems:
     * Mac OS X Cocktail version 3.5.4

    Immune Systems:
     * Mac OS X Cocktail version 3.6

    Since Cocktail needs administrative privileges, the user is prompted for
    the administrator password when the product starts.

    The product's maintenance tasks are performed by command line utilities,
    which are executed in an insecure manner:
    1. Cocktail creates a new process
    2. It lets /bin/sh pipe the administrator password into sudo using echo
    3. It then executes the utility

    This results in the following command line being built, with the
    password embedded in the arguments of sh:
    sh -c echo 'PASSWORD' | sudo -p "" -S sudo update_prebinding -root /

    Exploitation:
    Since Cocktail waits for the UNIX utility to finish its work, executing
    "ps ax" in a terminal during that time lists the command line above, and
    the password can be found in it.
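    The root cause is that the password is placed in a process's argument
    list, which every local user can read. The following is an added
    example (not code from the advisory or from Cocktail) that contrasts
    the advisory's sh/echo pattern with the fix of writing the password to
    the child's stdin pipe, the channel "sudo -S" actually reads from. A
    hypothetical idle Python child stands in for sudo and the maintenance
    utility, the secret is a constructed sample value, and process_args()
    reads the same data "ps ax" shows (/proc on Linux, ps elsewhere).

```python
"""Why a password in a child's argv is unsafe: any local user can read
every process's command line (ps ax, or /proc/<pid>/cmdline on Linux),
while data written to a child's stdin is not exposed that way."""
import subprocess
import sys

# Constructed sample value; not a real credential.
SECRET = "correct-horse-battery-staple"

# Hypothetical stand-in for the privileged tool: reads stdin to EOF, then
# idles so the parent can inspect it while it is still running.
CHILD = "import sys, time; sys.stdin.read(); time.sleep(30)"


def process_args(pid: int) -> str:
    """Return the command line of `pid` as any local user would see it."""
    try:
        # Linux: /proc/<pid>/cmdline is world-readable, NUL-separated argv.
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace")
    except OSError:
        # macOS/BSD: ps reports the same argv.
        out = subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                             capture_output=True, text=True)
        return out.stdout


def spawn_insecure(secret: str) -> subprocess.Popen:
    """The advisory's pattern: sh -c "echo 'PASSWORD' | tool".
    The secret becomes part of sh's argv and is visible system-wide."""
    return subprocess.Popen(
        ["sh", "-c", f"echo '{secret}' | {sys.executable} -c '{CHILD}'"])


def spawn_secure(secret: str) -> subprocess.Popen:
    """Hardened form: exec the tool directly with a pipe on its stdin and
    write the secret into the pipe; argv never contains the secret."""
    proc = subprocess.Popen([sys.executable, "-c", CHILD],
                            stdin=subprocess.PIPE, text=True)
    proc.stdin.write(secret + "\n")
    proc.stdin.close()  # child sees EOF and carries on
    return proc


def secret_visible(spawn) -> bool:
    """Spawn a child with `spawn`, read its command line, and report
    whether the secret leaked into it. Always cleans the child up."""
    proc = spawn(SECRET)
    try:
        return SECRET in process_args(proc.pid)
    finally:
        proc.kill()
        proc.wait()


if __name__ == "__main__":
    print("sh/echo pattern leaks secret via ps:", secret_visible(spawn_insecure))
    print("stdin pattern leaks secret via ps:  ", secret_visible(spawn_secure))
```

    The same check is a useful audit step for any tool that wraps sudo:
    while it runs, the command lines of its children should contain no
    credential material, and a tool that must supply a password should do so
    over stdin or a file descriptor rather than in an argument.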

    ADDITIONAL INFORMATION

    The information has been provided by sonderling
    (<mailto:sonderling@hushmail.com>).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

