Message-Id: <7AD31023-937B-471E-A067-E20DBF5C783B@davidwharton.us>
Date: Mon, 26 Nov 2007 10:15:33 -0500
From: David Wharton <security@...idwharton.us>
To: full-disclosure@...ts.grok.org.uk
Subject: oh oh 0 day - MyTV/x Version 3.6.6 & 4.0.8 for
	MyTV.PVR allows local authentication bypass and root access
	on Apple Mac OS X

Version 1.0
October 1996
			CERT(R) Coordination Center
		Product Vulnerability Reporting Form

CONTACT INFORMATION
===============================================================================

  Name			: David Wharton
  E-mail			: security@...idwharton.us
  Phone / fax		:
  Affiliation and address: Information Security Graduate Student at  
Georgia Tech (http://www.cc.gatech.edu/education/grad/ms-infosec)


Have you reported this to the vendor?  [yes/no] yes

         If so, please let us know whom you've contacted:

	Date of your report	: 5 Apr 2007
	Vendor contact name	: Pedro Muniz
	Vendor contact phone	:
	Vendor contact e-mail	: techsupport@...apelabs.com (April 5, 2007),  
pmuniz@...ppauge.com (April 18, 2007, May 10, 2007)
	Vendor reference number	:


POLICY INFO
===============================================================================
We encourage communication between vendors and their customers.  When
we forward a report to the vendor, we include the reporter's name and
contact information unless you let us know otherwise.

If you want this report to remain anonymous, please check here:

	___ Do not release my identity to your vendor contact.


TECHNICAL INFO
===============================================================================
If there is a CERT Vulnerability tracking number please put it
here (otherwise leave blank): VU#______.


Please describe the vulnerability.
Summary:
MyTV/x Version 3.6.6 & 4.0.8 for MyTV.PVR allows local authentication  
bypass and root access on Apple Mac OS X.

Details:
MyTV/x Version 3.6.6 & 4.0.8 for MyTV.PVR is the software that ships  
with MyTV, a Personal Video Recorder (PVR) manufactured by Escape  
Labs (http://www.eskapelabs.com/mytv.html).  MyTV.PVR is an external  
hardware device that connects to a computer via USB.  The PVR  
hardware can receive infrared signals and this is designed to support  
input from a channel changer.  However, when a computer running MyTV/x
version 3.6.6 or 4.0.8 on Apple Mac OS X (I have confirmed this is
true for 10.4.9-10.4.11 but do not know about other versions of OS
X) starts up, a local user can, without authenticating, cause the  
MyTV/x software to launch as root.  When the program launches, it   
brings up the MyTV/x menus along with the Apple menu.  From the Apple  
menu, you can open up System Preferences and because you are running  
as root, you can add (and remove) users, including Administrators.   
After fooling around with it, I was able to get to the Finder, open a  
shell, and verify that root access had been gained.

Steps To Reproduce:
1) Install MyTV/x Version 3.6.6 or 4.0.8 and attach (and power on)  
MyTV.PVR.
2) (Re)boot.
3) When the authentication "window" comes up asking you to log in to  
OS X, point the channel changer (this is included with MyTV.PVR) at  
the PVR device and press the "Power" button.
4) MyTV/x launches (as root) and gives access to the Apple menu which  
gives access to the entire computer.

What is the impact of this vulnerability?
------------------------------------------

    a) What is the specific impact:
	Local user can gain root access without doing any authentication
    b) How would you envision it being used in an attack scenario:
	Well, you have to have physical access and be running the vulnerable  
software as well as its associated hardware but if the situation is  
right, root access can be gained and then there are a myriad of  
possibilities....

To your knowledge is the vulnerability currently being exploited?
------------------------------------------------------------------
	[yes/no] no

If there is an exploitation script available, please include it here.
----------------------------------------------------------------------

Do you know what systems and/or configurations are vulnerable?
---------------------------------------------------------------
	[yes/no]  (If yes, please list them below)
	
	yes
	
	System		: Apple Mac
	OS version	: 10.4.9, 10.4.11
	Verified/Guessed: verified 10.4.9, 10.4.10, 10.4.11, guessed 10.x

	Software: MyTV/x Version 3.6.6 (http://www.eskapelabs.com/files/CD-MYPVR-V1.4.dmg.gz)
		  MyTV/x Version 4.0.8

Are you aware of any workarounds and/or fixes for this vulnerability?
----------------------------------------------------------------------
	[yes/no] (If you have a workaround or are aware of patches
	      please include the information here.)
no


OTHER INFORMATION
===========================================================================
Is there anything else you would like to tell us?

Some pictures of root access without authenticating are available  
upon request.  I spoke with Apple about this vulnerability and they  
said, "Mac OS X applications running as root are allowed to display  
UI even when no user is logged in."  Apple encouraged me to continue  
to work with CERT and Escape Labs on this issue.
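The root cause described in the Details section, and confirmed by Apple's statement above, is that a GUI application launched as root is allowed to draw on the login screen, so any such process becomes an authentication bypass if it exposes menus or dialogs. A defender auditing a Mac for this class of exposure wants a list of root-owned processes whose binary lives inside an application bundle. The following shell script is an added example written for this page, not code from the report, from Escape Labs, or from Apple. It assumes that `ps -axo uid=,pid=,comm=` on macOS prints the executable path in the `comm` column, that the `.app/Contents/MacOS/` path shape identifies a GUI bundle binary, and that Apple's own `/System/Library/CoreServices/` login UI is expected and may be allowlisted; the MyTV/x process path in the sample is hypothetical, and the sample process list is constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): flag GUI application binaries
# running as uid 0. Reads "UID PID COMMAND" lines, one process per line,
# the shape produced by `ps -axo uid=,pid=,comm=` on macOS (assumption:
# comm prints the full executable path there), and prints those where
# UID is 0 and COMMAND lives in an .app bundle's Contents/MacOS directory.
# Apple's own login-screen UI under /System/Library/CoreServices/ is
# allowlisted, since it is expected to run as root before login.
flag_root_gui_procs() {
    while read -r uid pid cmd; do
        [ -z "$uid" ] && continue
        case "$uid" in
            0) ;;          # only root-owned processes are of interest
            *) continue ;;
        esac
        case "$cmd" in
            /System/Library/CoreServices/*) continue ;;   # expected Apple login UI
            *.app/Contents/MacOS/*) printf '%s %s %s\n' "$uid" "$pid" "$cmd" ;;
        esac
    done
}

# Constructed sample process list, not real data; the MyTV_x path is
# hypothetical. Only the third-party root GUI process should be flagged.
SAMPLE_PS='0 1 /sbin/launchd
0 42 /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow
0 77 /Applications/MyTV_x.app/Contents/MacOS/MyTV_x
501 88 /Applications/Safari.app/Contents/MacOS/Safari
0 90 /usr/sbin/sshd'

# Flagged lines from the constructed sample.
flagged_in_sample() {
    printf '%s\n' "$SAMPLE_PS" | flag_root_gui_procs
}

# Number of flagged processes in the constructed sample.
count_flagged_in_sample() {
    flagged_in_sample | wc -l | tr -d ' '
}

# Live use on a Mac (run as an administrator):
#   ps -axo uid=,pid=,comm= | flag_root_gui_procs
```

Any process this prints deserves the same question the report raises for MyTV/x: does it need root at all, and if so, can the privileged part be split into a background helper with no UI, leaving the menus and dialogs to an unprivileged process that starts only after a user has logged in?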

---------
CERT and CERT Coordination Center are registered in the U.S. Patent  
and Trademark office.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/