[VulnWatch] Mac OS X Arbitrary File Overwrite via Core Files

From: _at_stake Advisories (_at_stake)
Date: 10/28/03

  • Next message: _at_stake Advisories: "[VulnWatch] Mac OS X Long argv[] buffer overflow"
    Date: Tue, 28 Oct 2003 12:50:44 -0500
    To: vulnwatch@vulnwatch.org
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

                                    @stake, Inc.
                                  www.atstake.com

                                 Security Advisory

    Advisory Name: Arbitrary File Overwrite via Core Files
     Release Date: 10/24/2003
      Application: Kernel
         Platform: Mac OS X
         Severity: High
           Author: Dave G. <daveg@atstake.com>
    Vendor Status: Vendor has new release with fix
    CVE Candidate: CAN-2003-0877
        Reference: www.atstake.com/research/advisories/2003/a102803-1.txt

    Overview:

    In the event a system is running with core files enabled,
    attackers with interactive shell access can overwrite arbitrary
    files, and read core files created by root owned processes. This
    may result in sensitive information like authentication credentials
    being compromised.

          
    Details:

    Core file creation is disabled by default in Mac OS X. In the event
    that core files are enabled on an Mac OS X system, root owned
    processes will write a core file to the /cores directory. The name
    of the core file will be: core.PID(*). This file will be owned by
    root, and is set with 0400 permissions (read only for root, no
    privileges for anyone else).

    (*) PID would be the process ID of the process that dumped core

    Since the /cores directory is world writable and core file names are
    predictable, an attacker with interactive shell access can create
    symbolic links in this directory, pointing them to files that exist
    elsewhere on the file system. Through this mechanism, we can
    overwrite files by symbolically linking to them.

    At this point, an attacker can overwrite any file with the contents
    of a core file. In order to read the core files, one can make a
    symbolic link to a file on a mounted DMG image. Any user can mount
    a disk image, allowing them to effectively 'steal' core files.
    Depending on what was in the memory of the process that dumped core,
    an attacker may be able to find out private information, including
    authentication credentials.

    Vendor Response:

    This is fixed in Mac OS X 10.3. The core files setting is off by
    default on all shipping versions of Mac OS X. For further information
    on Mac OS X 10.3, please see http://www.apple.com/macosx/

    Recommendation:

    1) Upgrade to Panther (Mac OS X 10.3).

    2) If upgrading to Panther is not an option, ensure that core file
       creation is disabled.

    Common Vulnerabilities and Exposures (CVE) Information:

    The Common Vulnerabilities and Exposures (CVE) project has assigned
    the following names to these issues. These are candidates for
    inclusion in the CVE list (http://cve.mitre.org), which standardizes
    names for security problems.

      CAN-2003-0877 Arbitrary File Overwrite via Core Files

    @stake Vulnerability Reporting Policy:
    http://www.atstake.com/research/policy/

    @stake Advisory Archive:
    http://www.atstake.com/research/advisories/

    PGP Key:
    http://www.atstake.com/research/pgp_key.asc

    @stake is currently seeking application security experts to fill
    several consulting positions. Applicants should have strong
    application development skills and be able to perform application
    security design reviews, code reviews, and application penetration
    testing. Please send resumes to jobs@atstake.com.

    Copyright 2003 @stake, Inc. All rights reserved.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0

    iQA/AwUBP56rB0e9kNIfAm4yEQKJ7wCghP3WUFHVqqKG0xH7HB5GsXszzPcAnjTP
    G81GJMSVIJ/OqGs1QaowRNne
    =DZwD
    -----END PGP SIGNATURE-----


  • Next message: _at_stake Advisories: "[VulnWatch] Mac OS X Long argv[] buffer overflow"