MacOS X TruBlueEnvironment Buffer Overflow

From: _at_stake Advisories (_at_stake)
Date: 01/29/04

    Date: Wed, 28 Jan 2004 22:20:46 -0500
    To: bugtraq@securityfocus.com
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

                                    @stake, Inc.
                                  www.atstake.com

                                Security Advisory

    Advisory Name: TruBlueEnvironment Buffer Overflow
     Release Date: 01/27/2004
      Application: TruBlueEnvironment
         Platform: Mac OS X 10.3.x and 10.2.x
         Severity: A user with an account on the system can become root
           Author: Dave G. <daveg@atstake.com>
    Vendor Status: Notified, Patch Issued
    CVE Candidate: CAN-2004-0089 TruBlueEnvironment Buffer Overflow
        Reference: www.atstake.com/research/advisories/2004/a012704-1.txt

    Overview:

    TruBlueEnvironment is part of the MacOS Classic Emulator. It is
    setuid root and installed by default. There is a buffer overflow
    vulnerability that allows a user with interactive access to escalate
    privileges to root.

    Details:

    TruBlueEnvironment takes the value of an environment variable and
    copies it into a buffer without performing any bounds checking. Since
    this buffer is stored on the stack, it is possible to overwrite the
    saved return address in the stack frame and execute arbitrary code as
    root.

    Vendor Response:

    This is fixed in Security Update 2004-01-26. Further information
    about this update is available via:

    http://docs.info.apple.com/article.html?artnum=61798

    Recommendation:

    Restrict access to the TruBlueEnvironment(*) executable, or remove
    it entirely if it is not being used. One approach to restricting
    access would be to remove global execute permissions from the
    TruBlueEnvironment executable, and only allow a specific group to
    execute the application. The following commands will restrict access
    to the 'admin' group:

    sudo chown .admin /System/Library/CoreServices/Classic\ Startup.app/Contents/Resources/TruBlueEnvironment

    sudo chmod 4750 /System/Library/CoreServices/Classic\ Startup.app/Contents/Resources/TruBlueEnvironment

    (*) Located in
    /System/Library/CoreServices/Classic\ Startup.app/Contents/Resources/TruBlueEnvironment

    Common Vulnerabilities and Exposures (CVE) Information:

    The Common Vulnerabilities and Exposures (CVE) project has assigned
    the following names to these issues. These are candidates for
    inclusion in the CVE list (http://cve.mitre.org), which standardizes
    names for security problems.

     CAN-2004-0089 TruBlueEnvironment Buffer Overflow

    @stake Vulnerability Reporting Policy:
    http://www.atstake.com/research/policy/

    @stake Advisory Archive:
    http://www.atstake.com/research/advisories/

    PGP Key:
    http://www.atstake.com/research/pgp_key.asc

    Copyright 2004 @stake, Inc. All rights reserved.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0 - not licensed for commercial use: www.pgp.com

    iQA/AwUBQBh7qke9kNIfAm4yEQL2dQCeMd/Dje0rfRwenO9eKdVVqw5hbTsAniz3
    bVqnpAekJOKpfwL2+fFdQsAp
    =Be1Y
    -----END PGP SIGNATURE-----
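
One way to confirm that the advisory's Recommendation has taken effect on a host, as an added example that is not part of the @stake advisory. The helper names and verdict strings are assumptions of this sketch; only the path, the 'admin' group and mode 4750 come from the advisory, and the sketch treats a removed or non-setuid file as no longer exposed.

```sh
#!/bin/sh
# Added example, not part of the advisory. Helper names and verdict strings
# are hypothetical; only the path, group and mode 4750 come from the advisory.

TRUBLUE='/System/Library/CoreServices/Classic Startup.app/Contents/Resources/TruBlueEnvironment'

# True when find(1) matches the single file $1 against the remaining tests.
# -prune keeps find from descending; -perm -MODE means "all these bits set".
file_matches() {
    target=$1; shift
    [ -n "$(find "$target" -prune "$@" -print 2>/dev/null)" ]
}

# audit_setuid_exec PATH GROUP
# Prints one verdict and returns 0 when local users outside GROUP cannot
# run the binary with elevated privileges, 1 otherwise.
audit_setuid_exec() {
    f=$1; grp=$2
    if [ ! -e "$f" ]; then
        echo "absent"; return 0          # removed entirely
    fi
    if ! file_matches "$f" -perm -4000; then
        echo "not-setuid"; return 0      # runs with the caller's own privileges
    fi
    if file_matches "$f" -perm -0001; then
        echo "exposed"; return 1         # setuid and executable by everyone
    fi
    if ! file_matches "$f" -group "$grp"; then
        echo "wrong-group"; return 1     # restricted, but not to GROUP
    fi
    echo "restricted"; return 0          # e.g. mode 4750, group admin
}

audit_setuid_exec "$TRUBLUE" admin
```

A non-zero exit status means the binary is still setuid and reachable by users outside the chosen group, so the check can be run across a fleet and filtered on status alone.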

