lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAHmME9qvD9durm7iRZUcGRu4xH0aBpyTktZNr9cezm_8uFWg6w@mail.gmail.com> Date: Mon, 13 Aug 2012 17:55:31 +0200 From: "Jason A. Donenfeld" <Jason@...c4.com> To: Richard Miles <richard.k.miles@...glemail.com> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: OS X Local Root Exploit for Viscosity OpenVPN Client On Mon, Aug 13, 2012 at 5:41 PM, Richard Miles <richard.k.miles@...glemail.com> wrote: > - Calls a file with a suid file without full path? No. > - Allows to create a symbolic link inside > /Applications/Viscosity.app/Contents/Resources/ with the name of > ViscosityHelper? No. > > BTW, this file > /Applications/Viscosity.app/Contents/Resources/ViscosityHelper doesn't exist > by default? Yes, it does exist. When you run Viscosity for the first time, it makes that file SUID. > Also, are the permission at the folder > /Applications/Viscosity.app/Contents/Resources/ week enough to allows anyone > to write on it? I don't know. It doesn't matter for this exploit. > Sorry for dumb question, but what is the real issue here? The SUID binary will execute python code from the directory of the executable, linked, symlinked, or otherwise. Take a look at the exploit. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists