Product:

RsyncX is a frontend for rsync running on OS X, with additional features such as crontab editing.
http://www.macosxlabs.org/rsyncx/rsyncx.html

Problems:

1) RsyncX is installed setuid root and setgid wheel. Upon execution, the program drops root privileges (only via seteuid(getuid())). However, it does not drop wheel-group privileges. This allows any user to execute arbitrary programs with egid=wheel. I assume it's also vulnerable to other attacks given it doesn't totally drop root privileges, though I didn't investigate that.

Since "defaults" is run according to the user's path, System\ Preferences.app can be replaced with an arbitrary program as follows:

First, make a backup of System\ Preferences.app. Create an executable file ~/bin/defaults with contents of:

=============================
#!/bin/sh
mv "/Applications/System Preferences.app/Contents" "/Applications/System Preferences.app/oldcont"
cp -r "/Applications/Calculator.app/Contents" "/Applications/System Preferences.app/Contents"
=============================

Then run RsyncX with ~/bin in your path:

PATH=~/bin:$PATH /Applications/Utilities/RsyncX.app/Contents/MacOS/RsyncX

Click on System Preferences, and it is now a calculator.

2) RsyncX uses a fixed file in /tmp, allowing /etc/crontab to be user-controlled. When using the scheduler component of RsyncX, /tmp/cron_rsyncxtmp is insecurely used. A user can create a dir /tmp/blahdir, then

ln -s /tmp/blahdir/file /tmp/cron.rsyncxtmp

After the RsyncX scheduler is used by an admin, /etc/crontab will become a symlink pointing to /tmp/blahdir/file. /tmp/blahdir is controlled by the user. Issues probably also exist with the "chown root; chmod u+s" on that file - I haven't fully investigated that.

Workarounds:

For the setuid/setgid issues, change the permissions on RsyncX so that it is only executable by admins, or so that it is not installed setuid or setgid.

For the /tmp insecurity, don't use the RsyncX scheduler.

Versions:

RsyncX 2.1 was tested.
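As an added example, not code from RsyncX or its developer, the following C program shows the permanent privilege drop that problem 1 describes as missing: it clears supplementary groups, calls setgid() before setuid() (the permanent calls, not seteuid() alone), and then verifies that every id matches the invoking user and that root cannot be regained through the saved uid. The function names creds_dropped() and drop_privileges() and the uid 501 / gid 20 values are chosen here for illustration.

```c
/* Added example, not RsyncX code: the permanent privilege drop that a setuid
 * root / setgid wheel helper needs. RsyncX calls only seteuid(getuid()), which
 * leaves egid=wheel and the saved uid=root in place. Correct order: clear
 * supplementary groups, then setgid, then setuid, then verify. */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure check on a credential state so it can be tested with constructed
 * values. Returns 1 only if all four ids equal the unprivileged target. */
int creds_dropped(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid,
                  uid_t target_uid, gid_t target_gid)
{
    return ruid == target_uid && euid == target_uid &&
           rgid == target_gid && egid == target_gid;
}

/* Drop to the real uid/gid for good. Returns 0 on success, -1 on failure. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    /* Only root may change supplementary groups; a non-setuid run skips it. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* gid first: after setuid() to a non-root uid, setgid() would be refused. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Verify: every id matches, and root cannot be regained through the
     * saved uid (an seteuid-only drop like RsyncX's would fail this check). */
    if (!creds_dropped(getuid(), geteuid(), getgid(), getegid(), uid, gid))
        return -1;
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    if (drop_privileges() != 0) { perror("drop_privileges"); return 1; }
    printf("uid=%u euid=%u gid=%u egid=%u\n", (unsigned)getuid(),
           (unsigned)geteuid(), (unsigned)getgid(), (unsigned)getegid());
    return 0;
}
```

Run as an ordinary user the program prints four identical-pair ids; installed setuid root and run by a user, a correct drop prints that user's ids, whereas the RsyncX-style state (uid 501, euid 501, gid 20, egid 0) is exactly what creds_dropped() rejects.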
Developer Response:

Regarding the failure to drop gid=wheel, I was told that the program uses Apple Security Services to control authorized access, and that "any admin can gain root privs in OS X". I received no response when I confirmed that it was _any_ user, not just admins.

With the /tmp insecurity, I was told that there are a few bugs in the scheduler.

These were reported to the developer on 8 Sept 2004.

Matt Johnston
matt ucc.asn.au