Mac OS X Systemic Insecure File Permissions

From: _at_stake Advisories (_at_stake)
Date: 10/28/03

    Date: Tue, 28 Oct 2003 12:56:37 -0500
    To: bugtraq@securityfocus.com
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

                                    @stake, Inc.
                                  www.atstake.com

                                 Security Advisory

    Advisory Name: Systemic Insecure File Permissions
     Release Date: 10/28/2003
      Application: Finder (Many)
         Platform: Mac OS X 10.2.8 and below
         Severity: High
           Author: Dave G. <daveg@atstake.com>
    Vendor Status: Vendor has new release with fix
    CVE Candidate: CAN-2003-0876
        Reference: www.atstake.com/research/advisories/2003/a102803-1.txt

    Overview:

    Many applications are installed onto Mac OS X systems with insecure
    file permissions. This is due to two distinct classes of problems:

         1) a security issue regarding DMG files managed by Mac OS X
         2) insecure file permissions packaged by different vendors

    The result is that many of the files and directories that compose
    various applications are globally writable. This allows attackers
    with filesystem access to an OS X machine to replace binaries and
    obtain additional privileges from unsuspecting users, who may run
    the replaced version of the binary.

    Issue #1: DMG File Permissions

    Mac OS X will reset permissions on directories to global
    read/write/execute when they are dragged off of a DMG disk
    image. It exhibits the same behavior when folders are dragged onto
    a mounted DMG. This resetting does not appear to occur on files,
    only directories. Since these directories contain application
    binaries, attackers with interactive access to a Mac OS X system can
    overwrite many applications with trojan binaries. These trojan
    binaries would escalate the privileges of the attacker to the
    privileges of the unsuspecting user who ran them.

    Issue #2: Incorrect Vendor-Specified File Permissions

    Many Mac OS X vendors, both large and small, package and ship
    applications with insecure file permissions. World writable files
    have included:

       1) Application and support executables
       2) Directories
       3) Shared objects
       4) Configuration files
       5) HTML and JavaScript

    Typically, these files have existed within the following directories
    (but not exclusively):
     
       1) /Applications
       2) /Library/Application Support
       3) /Library/StartupItems

    The number of vendors affected by this is large, and individual
    applications affected are not provided within this advisory. However,
    the recommendations section provides a UNIX command that can be used
    to identify insecure file permissions.

     
    Vendor Response:

    This is fixed in Mac OS X 10.3 where Finder will preserve the
    permissions on copied folders. For any existing folders, it is
    possible to manually change the permissions to the desired setting
    through the Get Info command in the File menu of the Finder, then
    modifying the "Ownership & Permissions" settings for the selected
    folder or file. Disk Utility, found in /Applications/Utilities, is
    also helpful in setting system-wide folder permissions via the
    "Repair Disk Permissions" button.

    For further information on Mac OS X 10.3, please see
    http://www.apple.com/macosx/

    Recommendations:

    1) Review the file and directory permissions in the following
       directories: /Applications, /Library/Application Support and
       /Library/StartupItems.

    While it may make sense to remove global write permissions on all
    directories in /Applications, this may break the functionality of
    certain applications. To attempt this, execute the following
    command from within Terminal.app:

         find /Applications -type d -exec chmod o-w {} \;

    Warning: this command may break certain applications.

    2) Upgrade to Panther (Mac OS X 10.3).

    3) When installing applications, use the UNIX cp(1) command.

    Common Vulnerabilities and Exposures (CVE) Information:

    The Common Vulnerabilities and Exposures (CVE) project has assigned
    the following names to these issues. These are candidates for
    inclusion in the CVE list (http://cve.mitre.org), which standardizes
    names for security problems.

      CAN-2003-0876 Systemic Insecure File Permissions

    @stake Vulnerability Reporting Policy:
    http://www.atstake.com/research/policy/

    @stake Advisory Archive:
    http://www.atstake.com/research/advisories/

    PGP Key:
    http://www.atstake.com/research/pgp_key.asc

    @stake is currently seeking application security experts to fill
    several consulting positions. Applicants should have strong
    application development skills and be able to perform application
    security design reviews, code reviews, and application penetration
    testing. Please send resumes to jobs@atstake.com.

    Copyright 2003 @stake, Inc. All rights reserved.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0

    iQA/AwUBP56reUe9kNIfAm4yEQJO4gCfR32kJ/c7B4RkVqmmuEbi3HypWtYAoMNv
    y0KO2X6Q/h2vtw96FoSY+3Ys
    =iHU+
    -----END PGP SIGNATURE-----
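
Added example, not part of the @stake advisory: a read-only audit for recommendation 1 that lists world-writable files and directories under the three directories the advisory names, so findings can be reviewed before any chmod is run. The function names are hypothetical, and paths containing newlines are not handled.

```shell
#!/bin/sh
# Added example: read-only audit of world-writable files and directories.
# Default roots are the three directories named in the advisory.

# Print regular files and directories under the given roots whose
# "other" write bit is set. Symlinks are neither followed nor reported.
find_world_writable() {
    for root in "$@"; do
        [ -d "$root" ] || continue        # skip roots that do not exist
        find "$root" \( -type f -o -type d \) -perm -0002 -print 2>/dev/null
    done
}

# Tag each finding so directories (Issue #1) can be reviewed separately
# from files (Issue #2). Output lines are "D <path>" or "F <path>".
classify_world_writable() {
    find_world_writable "$@" | while IFS= read -r path; do
        if [ -d "$path" ]; then
            printf 'D %s\n' "$path"
        else
            printf 'F %s\n' "$path"
        fi
    done
}

# Print the number of findings (whitespace from wc stripped).
count_world_writable() {
    find_world_writable "$@" | wc -l | tr -d ' '
}

# Report on the given roots, or on the advisory's directories by default.
audit_main() {
    if [ "$#" -eq 0 ]; then
        set -- /Applications "/Library/Application Support" \
               /Library/StartupItems
    fi
    classify_world_writable "$@"
    echo "world-writable entries: $(count_world_writable "$@")" >&2
}

audit_main "$@"
```

The advisory's chmod command is restricted to directories (-type d), so entries reported with an F tag remain world-writable after it runs and need to be handled separately.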

