
Atstake Security Advisory 03-10-28.1

Posted Oct 30, 2003
Authored by David Goldsmith, Atstake | Site atstake.com

Mac OS X prior to v10.3, if running with core files enabled, allows local attackers with shell access to overwrite any file and read core files created by root owned processes.

tags | shell, local, root
systems | apple, osx
SHA-256 | 55cac7ecd548a05acacef22ad370bb0adceada6e580cad95af9f0d9d18d3a9cc




@stake, Inc.
www.atstake.com

Security Advisory

Advisory Name: Arbitrary File Overwrite via Core Files
Release Date: 10/24/2003
Application: Kernel
Platform: Mac OS X 10.2.8 and below
Severity: High
Author: Dave G. <daveg@atstake.com>
Vendor Status: Vendor has new release with fix
CVE Candidate: CAN-2003-0877
Reference: www.atstake.com/research/advisories/2003/a102803-1.txt


Overview:

In the event a system is running with core files enabled,
attackers with interactive shell access can overwrite arbitrary
files, and read core files created by root owned processes. This
may result in sensitive information like authentication credentials
being compromised.


Details:

Core file creation is disabled by default in Mac OS X. If core files
are enabled on a Mac OS X system, root owned processes will write a
core file to the /cores directory. The name of the core file will be
core.PID(*). This file will be owned by root and is created with 0400
permissions (read only for root, no access for anyone else).

(*) PID would be the process ID of the process that dumped core

Since the /cores directory is world writable and core file names are
predictable, an attacker with interactive shell access can create
symbolic links in this directory, pointing them to files that exist
elsewhere on the file system. When a root owned process dumps core,
the kernel follows the link, so the file it points to is overwritten
with the contents of the core file.

At this point, an attacker can overwrite any file with the contents
of a core file. In order to read the core files, one can make a
symbolic link to a file on a mounted DMG image. Any user can mount
a disk image, allowing them to effectively 'steal' core files.
Depending on what was in the memory of the process that dumped core,
an attacker may be able to find out private information, including
authentication credentials.


Vendor Response:

This is fixed in Mac OS X 10.3. The core files setting is off by
default on all shipping versions of Mac OS X. For further information
on Mac OS X 10.3, please see http://www.apple.com/macosx/


Recommendation:

1) Upgrade to Panther (Mac OS X 10.3).

2) If upgrading to Panther is not an option, ensure that core file
creation is disabled.
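The two preconditions described under Details (a world-writable /cores and predictable core.PID names) and the second recommendation above lend themselves to a local audit. The POSIX shell script below is an added example, not part of the @stake advisory; it assumes `ls -ld`, `readlink` and `mktemp` are available, takes the directory to inspect as a parameter, and builds a constructed demo directory rather than touching /cores.

```shell
#!/bin/sh
# Added audit helper (not from the @stake advisory). It checks a core-dump
# directory for the preconditions the advisory describes: a world-writable
# directory and planted symlinks named core.PID that a root-owned core
# writer would follow. DIR is a parameter so the checks run against /cores
# on a real host or against the constructed demo directory built below.

# 0 if core dumps are disabled for this shell (ulimit -c is 0), else 1.
core_dumps_disabled() {
    [ "$(ulimit -c 2>/dev/null)" = "0" ]
}

# 0 if DIR is world-writable: the 'w' in the 'other' triplet of ls -ld.
cores_dir_world_writable() {
    [ -d "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c1-10)" in
        d???????w?) return 0 ;;
        *)          return 1 ;;
    esac
}

# Print each symlink named core.* in DIR with its target; 0 if any exist.
find_core_symlinks() {
    found=1
    for f in "$1"/core.*; do
        [ -L "$f" ] || continue
        printf '%s -> %s\n' "$f" "$(readlink "$f")"
        found=0
    done
    return $found
}

# Verdict on DIR alone: 1 (exposed) if it is world-writable or already
# holds a planted link, 0 otherwise. Combine with core_dumps_disabled.
audit_cores_dir() {
    cores_dir_world_writable "$1" && return 1
    find_core_symlinks "$1" >/dev/null && return 1
    return 0
}

# Constructed demo: a world-writable directory holding one planted link,
# core.1234 -> a scratch file in the same temp tree. Prints the directory.
make_demo_cores_dir() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/cores" && chmod 0777 "$tmp/cores" || return 1
    : > "$tmp/target.txt"
    ln -s "$tmp/target.txt" "$tmp/cores/core.1234"
    printf '%s\n' "$tmp/cores"
}
```

`ulimit -c` reports only the calling shell's soft limit; the system-wide core file setting on Mac OS X is outside what this script inspects.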


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

CAN-2003-0877: If a system is running with core files enabled,
attackers with interactive shell access can overwrite arbitrary files,
and read core files created by root owned processes. This may result
in sensitive information such as authentication credentials being
compromised.


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

Copyright 2003 @stake, Inc. All rights reserved.



