[NEWS] Apple Computer Mac OS X pppd Plugin Loading Privilege Escalation Vulnerability
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 27 May 2007 18:06:33 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
Apple Computer Mac OS X pppd Plugin Loading Privilege Escalation
Apple Mac OS X
<http://developer.apple.com/documentation/Darwin/Reference/Manpages/man8/pppd.8.html> pppd is "a setuid root application that is used to establish and configure connections for point to point links. It is commonly used for configuring traditional dial-up modem and DSL connections".
Local exploitation of a privilege escalation vulnerability in Apple
Computer Inc.'s Mac OS X pppd could allow an attacker to gain root
* pppd in version 10.4.8 of Mac OS X.
* Other versions may also be affected.
The vulnerability exists due to insufficient access validation when
processing the "plugin" command line option. The application does not
properly verify that the requesting user has root privileges and allows
any user to load plug-ins.
When checking to see if the executing user has root privileges, a check is
made to see if the stdin file descriptor is owned by root. Passing this
check is trivial and allows the attacker to load arbitrary plug-ins
resulting in arbitrary code execution with root privileges.
Exploitation is trivial and grants root access.
This vulnerability cannot be triggered remotely; an attacker needs local
access to the victim's system in order to exploit this vulnerability. pppd
is installed by default.
Remove the setuid bit from the pppd binary. This will prevent users
without root privileges from being able to properly use the program.
Apple Inc has addressed this vulnerability in Apple Security Update
2007-005. More information can be found from Apple's Security Update page
or the Security Update 2007-005 advisory page at the respective URLs
* 01/08/2007 - Initial vendor notification
* 01/09/2007 - Initial vendor response
* 05/24/2007 - Coordinated public disclosure
The information has been provided by iDefense.
The original article can be found at:
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NT] Opera Software Opera Web Browser Transfer Item Pop-up Menu Stack Overflow Vulnerability
- Previous by thread: [NT] Opera Software Opera Web Browser Transfer Item Pop-up Menu Stack Overflow Vulnerability