| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 22 Aug 2006 10:39:06 +0200 From: Propaganda Support <support@...pagandaprod.com> To: full-disclosure@...ts.grok.org.uk Subject: NETRAGARD-20060624 SECURITY ADVISORY] [ROXIO TOAST 7 TITANIUM - LOCAL ROOT COMPROMISE ] Hello list members, I don't consider this to be a legitimate exploit at all, since admin privileges are required to access the Deja Vu preference pane. (It's locked for standard users.) And, of course, any admin user on OS X can become root at any time: % sudo su Password: godard:/tmp root# id uid=0(root) gid=0(wheel) groups=0(wheel), 1(daemon), 2(kmem), 3(sys), 4(tty), 29(certusers), 8(procview), 5(operator), 9(procmod), 80 (admin), 20(staff) The "attack" depends primarily on the ability to prepend /tmp to $PATH, as shown in this part of Step 2: > netragard-test-1$export PATH=/tmp/:$PATH Even if there is a malicious 'rm' program (for example) sitting inside of /tmp, the 'export' command can only change the $PATH environment variable to prepend /tmp within the current account (actually, only within the current shell session). In other words, if the "attacker" already has an admin user name and password required to use Deja Vu, then they already have the means to become root at any time (see 'sudo su' above). Kind Regards, -jeff -- Jeff Holland http://propagandaprod.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists