[VulnWatch] MacOS X DirectoryService Privilege Escalation (a041003-1)
From: @stake Advisories (@stake)
Date: 04/10/03
- Previous message: labs@idefense.com: "[VulnWatch] iDEFENSE Security Advisory 04.09.03: Denial of Service in Microsoft Proxy Server and Internet Security and Acceleration (ISA) S"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 10 Apr 2003 16:49:17 -0400 From: "@stake Advisories" <advisories@atstake.com> To: vulnwatch@vulnwatch.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
@stake, Inc.
www.atstake.com
Security Advisory
Advisory Name: MacOS X DirectoryService Privilege Escalation
and DoS Attack
Release Date: 04/10/2003
Application: /usr/sbin/DirectoryService
Platform: MacOS X (10.2.4 and below)
Severity: Local users can gain root privileges
Remote users may be able to crash
DirectoryService
Author: Dave G. <daveg@atstake.com>
Vendor Status: Notified, Patch Available
CVE Candidate: CAN-2003-0171
Reference: www.atstake.com/research/advisories/2003/a041003-1.txt
Overview:
DirectoryServices is part of the MacOS X information and
authentication subsystem. It is launched at startup, setuid root
and installed by default. It is vulnerable to several attacks
ultimately allowing a local user to obtain root privileges.
Details:
During the startup of DirectoryService, the application creates a
lock file by executing the touch(1) UNIX command. It executes touch
through the system() libc function. This function is inherently
insecure and its use is strongly discouraged in privileged
applications.
Since this call to system() does not specify a full path to the
touch(1) command, it is possible for an attacker to modify the PATH
environment variable to specify a directory containing her own
version of the touch(1) command. In this instance, this would cause
DirectoryService to execute arbitrary commands as root.
In order for an attacker to exploit this vulnerability, they must
first cause DirectoryServices to terminate. This can be done by
simply connecting to port 625 repeatedly using an automated program.
Timeline:
03/25/2003 Apple notified via email.
03/28/2003 Apple verified.
04/10/2003 Coordinated release.
Vendor Response:
Directory Services: Fixes CAN-2003-0171 DirectoryServices Privilege
Escalation and DoS Attack. DirectoryService is part of the Mac OS X
and Mac OS X Server information services subsystem. It is launched
at startup, setuid root and installed by default. It is possible
for a local attacker to modify an environment variable that would
allow the execution of arbitrary commands as root. Credit to Dave
G. from @stake, Inc. for the discovery of this vulnerability.
@stake Recommendation:
@stake recommends that user upgrade to Mac OS X 10.2.5.
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
CAN-2003-0171 Directory Services Privilege Escalation and DoS
Attack
@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/
@stake Advisory Archive: http://www.atstake.com/research/advisories/
PGP Key:
http://www.atstake.com/research/pgp_key.asc
@stake is currently seeking application security experts to fill
several consulting positions. Applicants should have strong
application development skills and be able to perform application
security design reviews, code reviews, and application penetration
testing. Please send resumes to jobs@atstake.com.
Copyright 2003 @stake, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
iQA/AwUBPpXYnUe9kNIfAm4yEQKfvgCfdz/zWZNmw0tzZMjeS2/x3D9bGXEAoKv6
NbFuweVUSzwEJRMUIwodX+9g
=gfqg
-----END PGP SIGNATURE-----
