Date: Mon, 26 Nov 2007 11:47:07 -0500
From: "Kevin Finisterre (lists)" <kf_lists@...italmunition.com>
To: David Wharton <security@...idwharton.us>
Cc: techsupport@...apelabs.com, Untitled <full-disclosure@...ts.grok.org.uk>
Subject: Re: oh oh 0 day - MyTV/x Version 3.6.6 & 4.0.8 for MyTV.PVR allows local authentication bypass and root access on Apple Mac OS X

I don't recall off the top of my head what they were but there are  
other ways to use this program to obtain root. I believe the scheduled  
recording can be used to leverage root if I remember correctly.
-KF

On Nov 26, 2007, at 10:15 AM, David Wharton wrote:

> Version 1.0
> October 1996
> 			CERT(R) Coordination Center
> 		Product Vulnerability Reporting Form
>
> CONTACT INFORMATION
> ======================================================================
>
>  Name			: David Wharton
>  E-mail			: security@...idwharton.us
>  Phone / fax		:
>  Affiliation and address: Information Security Graduate Student at
> Georgia Tech (http://www.cc.gatech.edu/education/grad/ms-infosec)
>
>
> Have you reported this to the vendor?  [yes/no] yes
>
>         If so, please let us know whom you've contacted:
>
> 	Date of your report	: 5 Apr 2007
> 	Vendor contact name	: Pedro Muniz
> 	Vendor contact phone	:
> 	Vendor contact e-mail	: techsupport@...apelabs.com (April 5, 2007),
> pmuniz@...ppauge.com (April 18, 2007, May 10, 2007)
> 	Vendor reference number	:
>
>
> POLICY INFO
> ======================================================================
> We encourage communication between vendors and their customers.  When
> we forward a report to the vendor, we include the reporter's name and
> contact information unless you let us know otherwise.
>
> If you want this report to remain anonymous, please check here:
>
> 	___ Do not release my identity to your vendor contact.
>
>
> TECHNICAL INFO
> ======================================================================
> If there is a CERT Vulnerability tracking number please put it
> here (otherwise leave blank): VU#______.
>
>
> Please describe the vulnerability.
> Summary:
> MyTV/x Version 3.6.6 & 4.0.8 for MyTV.PVR allows local authentication
> bypass and root access on Apple Mac OS X.
>
> Details:
> MyTV/x Version 3.6.6 & 4.0.8 for MyTV.PVR is the software that ships
> with MyTV, a Personal Video Recorder (PVR) manufactured by Escape
> Labs (http://www.eskapelabs.com/mytv.html).  MyTV.PVR is an external
> hardware device that connects to a computer via USB.  The PVR
> hardware can receive infrared signals and this is designed to support
> input from a channel changer.  However, when a computer running MyTV/x
> version 3.6.6 or 4.0.8 on Apple Mac OS X (I have confirmed this is
> true for 10.4.9-10.4.11 but do not know about other versions of OS
> X) starts up, a local user can, without authenticating, cause the
> MyTV/x software to launch as root.  When the program launches, it
> brings up the MyTV/x menus along with the Apple menu.  From the Apple
> menu, you can open up System Preferences and because you are running
> as root, you can add (and remove) users, including Administrators.
> After fooling around with it, I was able to get to the Finder, open a
> shell, and verify that root access had been gained.
>
> Steps To Reproduce:
> 1) Install MyTV/x Version 3.6.6 or 4.0.8 and attach (and power on)
> MyTV.PVR.
> 2) (Re)boot.
> 3) When the authentication "window" comes up asking you to log in to
> OS X, point the channel changer (this is included with MyTV.PVR) at
> the PVR device and press the "Power" button.
> 4) MyTV/x launches (as root) and gives access to the Apple menu which
> gives access to the entire computer.
>
> What is the impact of this vulnerability?
> -----------------------------------------
>
>    a) What is the specific impact:
> 	Local user can gain root access without doing any authentication
>    b) How would you envision it being used in an attack scenario:
> 	Well, you have to have physical access and be running the vulnerable
> software as well as its associated hardware but if the situation is
> right, root access can be gained and then there are a myriad of
> possibilities....
>
> To your knowledge is the vulnerability currently being exploited?
> -----------------------------------------------------------------
> 	[yes/no] no
>
> If there is an exploitation script available, please include it here.
> ---------------------------------------------------------------------
>
> Do you know what systems and/or configurations are vulnerable?
> --------------------------------------------------------------
> 	[yes/no]  (If yes, please list them below)
> 	
> 	yes
> 	
> 	System		: Apple Mac
> 	OS version	: 10.4.9, 10.4.11
> 	Verified/Guessed: verified 10.4.9, 10.4.10, 10.4.11, guessed 10.x
>
> 	Software: MyTV/x Version 3.6.6 (http://www.eskapelabs.com/files/CD-MYPVR-V1.4.dmg.gz)
> 		  MyTV/x Version 4.0.8
>
> Are you aware of any workarounds and/or fixes for this vulnerability?
> ---------------------------------------------------------------------
> 	[yes/no] (If you have a workaround or are aware of patches
> 	      please include the information here.)
> no
>
>
> OTHER INFORMATION
> ======================================================================
> Is there anything else you would like to tell us?
>
> Some pictures of root access without authenticating are available
> upon request.  I spoke with Apple about this vulnerability and they
> said, "Mac OS X applications running as root are allowed to display
> UI even when no user is logged in."  Apple encouraged me to continue
> to work with CERT and Escape Labs on this issue.
>
> --------
> CERT and CERT Coordination Center are registered in the U.S. Patent
> and Trademark office.
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
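An added example, not part of the report or the reply above and not code from Escape Labs or Apple. The report describes a root-privileged program that starts at boot and draws its UI on the login window, and Apple's reply confirms that any root process may do so. The general audit for that class of problem is to list every program launchd starts as root without a logged-in user and flag the ones linked against AppKit, i.e. GUI-capable root processes. The advisory does not say how MyTV/x is started, so the script assumes the usual launchd daemon plist under /Library/LaunchDaemons, which runs as root unless it sets UserName. The labels, paths and plists embedded below are constructed, not the product's real ones; the `otool -L` check is real but macOS-only, so the embedded sample substitutes a stub for it.

```python
"""Audit launchd daemon plists for GUI programs that launchd starts as root.

Added example for the MyTV/x report above (not code from the advisory, from
Escape Labs or from Apple).  Assumption: the program of interest is started
by a launchd daemon plist, which runs as root unless it sets UserName.
"""
import glob
import plistlib
import subprocess
from typing import Callable, Dict, Iterable, List, Optional, Tuple

APPKIT_PREFIX = "/System/Library/Frameworks/AppKit.framework/"


def links_appkit(program: str) -> bool:
    """Real check, macOS only: does the Mach-O at `program` link AppKit?

    `otool -L` prints one linked library per line.  A root daemon that links
    AppKit can draw windows on the login screen, which is the property the
    advisory abuses.  Returns False if otool is unavailable.
    """
    try:
        out = subprocess.run(["otool", "-L", program], capture_output=True,
                             text=True, check=False).stdout
    except OSError:
        return False
    return APPKIT_PREFIX in out


def program_of(plist: Dict) -> Optional[str]:
    """launchd takes the executable from Program, else ProgramArguments[0]."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def audit_daemons(plists: Iterable[Tuple[str, bytes]],
                  is_gui: Callable[[str], bool] = links_appkit) -> List[Dict]:
    """Return the daemons that start unattended, run as root and are GUI apps."""
    findings = []
    for name, blob in plists:
        plist = plistlib.loads(blob)
        program = program_of(plist)
        if program is None:
            continue
        user = plist.get("UserName", "root")      # LaunchDaemons default to root
        unattended = bool(plist.get("RunAtLoad")) or bool(plist.get("KeepAlive"))
        if user == "root" and unattended and is_gui(program):
            findings.append({"label": plist.get("Label", name),
                             "program": program, "user": user})
    return findings


def _plist(label: str, program: str, username: Optional[str] = None) -> bytes:
    """Build a constructed XML plist blob for the offline sample below."""
    d = {"Label": label, "ProgramArguments": [program], "RunAtLoad": True}
    if username:
        d["UserName"] = username
    return plistlib.dumps(d)


# Constructed sample, not real LaunchDaemons: a hypothetical PVR helper that
# is a full GUI app started as root at boot, the same helper confined to an
# unprivileged user (the fix), and a non-GUI root daemon.
GUI_HELPER = "/Applications/ExamplePVR.app/Contents/MacOS/ExamplePVR"
SAMPLE_PLISTS = [
    ("com.example.pvrhelper.plist", _plist("com.example.pvrhelper", GUI_HELPER)),
    ("com.example.pvrhelper-fixed.plist",
     _plist("com.example.pvrhelper-fixed", GUI_HELPER, username="_pvr")),
    ("com.example.rotate.plist",
     _plist("com.example.rotate", "/usr/local/sbin/examplerotate")),
]


def stub_is_gui(program: str) -> bool:
    """Stand-in for links_appkit off macOS: anything inside an .app bundle."""
    return ".app/Contents/MacOS/" in program


def scan_system() -> List[Dict]:
    """Live audit on macOS: every plist under /Library/LaunchDaemons."""
    paths = sorted(glob.glob("/Library/LaunchDaemons/*.plist"))
    return audit_daemons(((p, open(p, "rb").read()) for p in paths))


if __name__ == "__main__":
    for f in audit_daemons(SAMPLE_PLISTS, is_gui=stub_is_gui):
        print("GUI daemon running as root:", f["label"], f["program"])
    for f in scan_system():
        print("LIVE:", f["label"], f["program"])
```

On the sample only com.example.pvrhelper is flagged: the copy that sets UserName to an unprivileged account is the configuration a vendor should ship, since a window drawn by a non-root process on the login screen no longer hands out root, and the rotate daemon is root but has no UI to expose. The live scan covers launchd only; on 10.4 a vendor could also start things from /Library/StartupItems, which this script does not walk.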
