lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040917091528.GO369566@morwong.ucc.gu.uwa.edu.au>
Date: Fri, 17 Sep 2004 17:15:28 +0800
From: Matt Johnston <matt@....asn.au>
To: bugtraq@...urityfocus.com
Subject: RsyncX vulnerabilities


Product: RsyncX is a frontend for rsync running on OS X,
with additional features such as crontab editing.

http://www.macosxlabs.org/rsyncx/rsyncx.html

Problems:

1) RsyncX is installed setuid root and setgid wheel.

Upon execution, the program drops root privileges (only via
seteuid(getuid()) ). However it does not drop wheel-group
privileges. This allows any user to execute arbitrary
programs with egid=wheel. I assume it's also vulnerable to
other attacks given it doesn't totally drop root privileges,
though I didn't investigate that.

Since "defaults" is run according to the user's path,
System\ Preferences.app can be replaced with an arbitrary
program as follows:

First, make a backup of System\ Preferences.app

Create an executable file ~/bin/defaults with contents of:

=============================
#!/bin/sh                                                                       
mv "/Applications/System Preferences.app/Contents" "/Applications/System Preferences.app/oldcont"
cp -r "/Applications/Calculator.app/Contents" "/Applications/System Preferences.app/Contents"
=============================

Then run RsyncX with ~/bin in your path:

PATH=~/bin:$PATH /Applications/Utilities/RsyncX.app/Contents/MacOS/RsyncX

Click on System Preferences, and is now a calculator.

2) RsyncX uses a fixed file in /tmp allowing /etc/crontab to be
user-controlled.

When using the scheduler component of RsyncX, /tmp/cron_rsyncxtmp
is insecurely used. A user can create a dir /tmp/blahdir,
then 
ln -s /tmp/blahdir/file /tmp/cron.rsyncxtmp

After RsyncX scheduler is used by an admin, /etc/crontab
will become a symlink pointing to /tmp/blahdir/file.
/tmp/blahdir is controlled by the user. Issues probably also
exist with the "chown root; chmod u+s" on that file - I
haven't fully investigated that.



Workarounds:

For setuid/setgid issues, change permissions on RsyncX so
that it is only executable by admins, or not installed
setuid or setgid.

For the /tmp insecurity, don't use the RsyncX scheduler.

Versions:

RsyncX 2.1 was tested.

Developer Response:

Regarding the failure to drop gid=wheel, I was told that the
program uses Apple Security Services to control authorized
access, and that "any admin can gain root privs in OS X". I
received no response when I confirmed that it was _any_
user, not just admins.

With the /tmp insecurity, I was told that there are a few
bugs in the scheduler. 

These were reported to the developer on 8 Sept 2004.


Matt Johnston 
matt ucc.asn.au



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ