
Atstake Security Advisory 03-04-10.1

Posted Apr 11, 2003
Authored by David Goldsmith, Atstake | Site atstake.com

Atstake Security Advisory A041003-1 - MacOS X DirectoryService, which runs setuid root, calls system() to execute the touch command without specifying a full path. Because of this, a local attacker who controls the PATH environment variable can execute commands as root.

tags | advisory, local, root
SHA-256 | ca8fa585c5c12890f30e767074ee9e77851c6c136557059afdae4911aeae24fd


@stake, Inc.
www.atstake.com

Security Advisory

Advisory Name: MacOS X DirectoryService Privilege Escalation and DoS Attack
Release Date: 04/10/2003
Application: /usr/sbin/DirectoryService
Platform: MacOS X (10.2.4 and below)
Severity: Local users can gain root privileges; remote users may be able to crash DirectoryService
Author: Dave G. <daveg@atstake.com>
Vendor Status: Notified, Patch Available
CVE Candidate: CAN-2003-0171
Reference: www.atstake.com/research/advisories/2003/a041003-1.txt


Overview:

DirectoryService is part of the MacOS X information and
authentication subsystem. It is launched at startup, is setuid root,
and is installed by default. It is vulnerable to several attacks
that ultimately allow a local user to obtain root privileges.


Details:

During the startup of DirectoryService, the application creates a
lock file by executing the touch(1) UNIX command. It executes touch
through the system() libc function. This function is inherently
insecure and its use is strongly discouraged in privileged
applications.

Since this call to system() does not specify a full path to the
touch(1) command, it is possible for an attacker to modify the PATH
environment variable to specify a directory containing her own
version of the touch(1) command. In this instance, this would cause
DirectoryService to execute arbitrary commands as root.

In order for an attacker to exploit this vulnerability, they must
first cause DirectoryService to terminate. This can be done by
simply connecting to port 625 repeatedly using an automated program.
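As an added illustration (not code from the advisory or from Apple), the two ways a setuid daemon can create its lock file without the PATH-dependent system("touch ...") call described above: create the file directly with open(2) and O_EXCL, or, where an external helper is unavoidable, execve(2) an absolute path under a fixed environment. The lock path is a placeholder, not the real DirectoryService file.

```c
/* Added example, not part of the @stake advisory or Apple's code. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Preferred fix: no child process at all, so PATH is irrelevant. O_EXCL
 * makes the create atomic, so an existing or pre-planted file is reported
 * (errno == EEXIST) instead of silently reused. 0 on success, -1 on error. */
int create_lock_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* If a helper really must run: refuse anything but an absolute path, use
 * execve() with a fixed minimal environment (never the caller's PATH), and
 * never go through system()/a shell. Returns the child's exit status, or
 * -1 on error (including exec failure, reported by the child as 127). */
int run_helper_fixed_env(const char *abs_path, char *const argv[])
{
    static char *const safe_env[] = { "PATH=/usr/bin:/bin", NULL };
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, safe_env);
        _exit(127);                 /* exec failed in the child */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *lock = "/tmp/example-daemon.lock";   /* placeholder path */
    if (create_lock_file(lock) != 0)
        perror("lock file");
    unlink(lock);
    return 0;
}
```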


Timeline:

03/25/2003 Apple notified via email.
03/28/2003 Apple verified.
04/10/2003 Coordinated release.


Vendor Response:

Directory Services: Fixes CAN-2003-0171 DirectoryServices Privilege
Escalation and DoS Attack. DirectoryService is part of the Mac OS X
and Mac OS X Server information services subsystem. It is launched
at startup, setuid root and installed by default. It is possible
for a local attacker to modify an environment variable that would
allow the execution of arbitrary commands as root. Credit to Dave
G. from @stake, Inc. for the discovery of this vulnerability.


@stake Recommendation:

@stake recommends that users upgrade to Mac OS X 10.2.5.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

CAN-2003-0171 Directory Services Privilege Escalation and DoS Attack


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive: http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

@stake is currently seeking application security experts to fill
several consulting positions. Applicants should have strong
application development skills and be able to perform application
security design reviews, code reviews, and application penetration
testing. Please send resumes to jobs@atstake.com.

Copyright 2003 @stake, Inc. All rights reserved.


