
Atstake Security Advisory 03-04-10.1

Posted Apr 11, 2003
Authored by David Goldsmith, Atstake | Site atstake.com

Atstake Security Advisory A041003-1 - MacOS X DirectoryService, which runs setuid root, uses system() to execute the touch command without specifying a full path. As a result, a local attacker can execute commands as root.

tags | advisory, local, root
SHA-256 | ca8fa585c5c12890f30e767074ee9e77851c6c136557059afdae4911aeae24fd

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

@stake, Inc.
www.atstake.com

Security Advisory

Advisory Name: MacOS X DirectoryService Privilege Escalation
               and DoS Attack
Release Date: 04/10/2003
Application: /usr/sbin/DirectoryService
Platform: MacOS X (10.2.4 and below)
Severity: Local users can gain root privileges
          Remote users may be able to crash
          DirectoryService
Author: Dave G. <daveg@atstake.com>
Vendor Status: Notified, Patch Available
CVE Candidate: CAN-2003-0171
Reference: www.atstake.com/research/advisories/2003/a041003-1.txt


Overview:

DirectoryService is part of the MacOS X information and
authentication subsystem. It is launched at startup, setuid root
and installed by default. It is vulnerable to several attacks
ultimately allowing a local user to obtain root privileges.


Details:

During the startup of DirectoryService, the application creates a
lock file by executing the touch(1) UNIX command. It executes touch
through the system() libc function. This function is inherently
insecure and its use is strongly discouraged in privileged
applications.

Since this call to system() does not specify a full path to the
touch(1) command, it is possible for an attacker to modify the PATH
environment variable to specify a directory containing her own
version of the touch(1) command. In this instance, this would cause
DirectoryService to execute arbitrary commands as root.

In order for an attacker to exploit this vulnerability, they must
first cause DirectoryService to terminate. This can be done by
simply connecting to port 625 repeatedly using an automated program.


Timeline:

03/25/2003 Apple notified via email.
03/28/2003 Apple verified.
04/10/2003 Coordinated release.


Vendor Response:

Directory Services: Fixes CAN-2003-0171 DirectoryServices Privilege
Escalation and DoS Attack. DirectoryService is part of the Mac OS X
and Mac OS X Server information services subsystem. It is launched
at startup, setuid root and installed by default. It is possible
for a local attacker to modify an environment variable that would
allow the execution of arbitrary commands as root. Credit to Dave
G. from @stake, Inc. for the discovery of this vulnerability.


@stake Recommendation:

@stake recommends that users upgrade to Mac OS X 10.2.5.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

CAN-2003-0171 Directory Services Privilege Escalation and DoS
              Attack


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive: http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

@stake is currently seeking application security experts to fill
several consulting positions. Applicants should have strong
application development skills and be able to perform application
security design reviews, code reviews, and application penetration
testing. Please send resumes to jobs@atstake.com.

Copyright 2003 @stake, Inc. All rights reserved.



-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPpXYnUe9kNIfAm4yEQKfvgCfdz/zWZNmw0tzZMjeS2/x3D9bGXEAoKv6
NbFuweVUSzwEJRMUIwodX+9g
=gfqg
-----END PGP SIGNATURE-----

