| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 17 Sep 2004 17:15:28 +0800 From: Matt Johnston <matt@....asn.au> To: bugtraq@...urityfocus.com Subject: RsyncX vulnerabilities Product: RsyncX is a frontend for rsync running on OS X, with additional features such as crontab editing. http://www.macosxlabs.org/rsyncx/rsyncx.html Problems: 1) RsyncX is installed setuid root and setgid wheel. Upon execution, the program drops root privileges (only via seteuid(getuid()) ). However it does not drop wheel-group privileges. This allows any user to execute arbitrary programs with egid=wheel. I assume it's also vulnerable to other attacks given it doesn't totally drop root privileges, though I didn't investigate that. Since "defaults" is run according to the user's path, System\ Preferences.app can be replaced with an arbitrary program as follows: First, make a backup of System\ Preferences.app Create an executable file ~/bin/defaults with contents of: ============================= #!/bin/sh mv "/Applications/System Preferences.app/Contents" "/Applications/System Preferences.app/oldcont" cp -r "/Applications/Calculator.app/Contents" "/Applications/System Preferences.app/Contents" ============================= Then run RsyncX with ~/bin in your path: PATH=~/bin:$PATH /Applications/Utilities/RsyncX.app/Contents/MacOS/RsyncX Click on System Preferences, and is now a calculator. 2) RsyncX uses a fixed file in /tmp allowing /etc/crontab to be user-controlled. When using the scheduler component of RsyncX, /tmp/cron_rsyncxtmp is insecurely used. A user can create a dir /tmp/blahdir, then ln -s /tmp/blahdir/file /tmp/cron.rsyncxtmp After RsyncX scheduler is used by an admin, /etc/crontab will become a symlink pointing to /tmp/blahdir/file. /tmp/blahdir is controlled by the user. Issues probably also exist with the "chown root; chmod u+s" on that file - I haven't fully investigated that. Workarounds: For setuid/setgid issues, change permissions on RsyncX so that it is only executable by admins, or not installed setuid or setgid. For the /tmp insecurity, don't use the RsyncX scheduler. Versions: RsyncX 2.1 was tested. Developer Response: Regarding the failure to drop gid=wheel, I was told that the program uses Apple Security Services to control authorized access, and that "any admin can gain root privs in OS X". I received no response when I confirmed that it was _any_ user, not just admins. With the /tmp insecurity, I was told that there are a few bugs in the scheduler. These were reported to the developer on 8 Sept 2004. Matt Johnston matt ucc.asn.au
Powered by blists - more mailing lists