lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <3E95D976.9030003@atstake.com>
Date: Thu, 10 Apr 2003 16:52:06 -0400
From: "@stake Advisories" <advisories@...take.com>
To: bugtraq@...urityfocus.com
Subject: MacOS X DirectoryService Privilege Escalation (a041003-1)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                                @stake, Inc.
                              www.atstake.com

                             Security Advisory

Advisory Name: MacOS X DirectoryService Privilege Escalation
               and DoS Attack
 Release Date: 04/10/2003
  Application: /usr/sbin/DirectoryService
     Platform: MacOS X (10.2.4 and below)
     Severity: Local users can gain root privileges
               Remote users may be able to crash
               DirectoryService
       Author: Dave G. <daveg@...take.com>
Vendor Status: Notified, Patch Available
CVE Candidate: CAN-2003-0171
    Reference: www.atstake.com/research/advisories/2003/a041003-1.txt


Overview:

DirectoryServices is part of the MacOS X information and
authentication subsystem.  It is launched at startup, setuid root
and installed by default.  It is vulnerable to several attacks
ultimately allowing a local user to obtain root privileges.
       

Details:

During the startup of DirectoryService, the application creates a
lock file by executing the touch(1) UNIX command.  It executes touch
through the system() libc function.  This function is inherently
insecure and its use is strongly discouraged in privileged
applications.  

Since this call to system() does not specify a full path to the
touch(1) command, it is possible for an attacker to modify the PATH
environment variable to specify a directory containing her own
version of the touch(1) command.  In this instance, this would cause
DirectoryService to execute arbitrary commands as root.

In order for an attacker to exploit this vulnerability, they must
first cause DirectoryServices to terminate.  This can be done by
simply connecting to port 625 repeatedly using an automated program.


Timeline:

03/25/2003 Apple notified via email.
03/28/2003 Apple verified.
04/10/2003 Coordinated release.


Vendor Response:

Directory Services:  Fixes CAN-2003-0171 DirectoryServices Privilege
Escalation and DoS Attack.  DirectoryService is part of the Mac OS X
and Mac OS X Server information services subsystem.  It is launched
at startup, setuid root and installed by default.  It is possible
for a local attacker to modify an environment variable that would
allow the execution of arbitrary commands as root.  Credit to Dave
G. from @stake, Inc. for the discovery of this vulnerability.


@stake Recommendation:

@stake recommends that user upgrade to Mac OS X 10.2.5.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

  CAN-2003-0171  Directory Services Privilege Escalation and DoS
                 Attack


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive: http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

@stake is currently seeking application security experts to fill
several consulting positions.  Applicants should have strong
application development skills and be able to perform application
security design reviews, code reviews, and application penetration
testing.  Please send resumes to jobs@...take.com.

Copyright 2003 @stake, Inc. All rights reserved.



-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPpXYnUe9kNIfAm4yEQKfvgCfdz/zWZNmw0tzZMjeS2/x3D9bGXEAoKv6
NbFuweVUSzwEJRMUIwodX+9g
=gfqg
-----END PGP SIGNATURE-----




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ