what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

sdf1-apple.txt

sdf1-apple.txt
Posted Mar 15, 2005
Authored by Ray Slakinski

Apple ships XCode 1.5 with a feature for distributed compiling that ships with distcc, a Samba module that is susceptible to known exploits allowing for full user access to the target machine.

tags | advisory
systems | apple
SHA-256 | eceae8836e927c9decfd2d91544916148c6c6233db47ee50f8252e1caf55601f

sdf1-apple.txt

Change Mirror Download


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

SDF1 Networks
Security Advisory: Apple XCode and distcc
March 10, 2005

Outline:

Vendor: Apple, Samba
Programs: XCode and distcc
Type: Remote
Severity: High
Version: XCode 1.5, distcc 2.x

Overview:

Apple ships XCode 1.5 with a feature for distributed compiling. This
feature actually uses the Samba distcc module (http://
distcc.samba.org). There are known exploits for distccd which will
enable a remote person full user level access to the target machine.

XCode ships with version 2.0.1 of distcc. We also tried updating to
2.18.3 and had similar issues with that version as well.
Apple was not contacted prior to this release because the exploit for
distccd is already known and in the wild. Users of the distributed
compiling system in XCode should disable this feature until both Apple
and Samba can take proper action to protect its users.

Exploit:

There are a few known exploits for distcc. By using a common method
provided by metasploit (http://metasploit.com/projects/Framework/
exploits.html#distcc_exec), I was given full access to the remote users
home folder via telnet.

Proposed Solution:

Samba needs to work on proper directory jailing and remote code
execution with their distcc product. Apple needs to at least ship with
the latest version of distcc, which supports an Allow List of people that
are allowed to connect to the distcc daemon. This would minimize the
damage caused by running this service on a machine.

Credits:

Exploit was discovered by Ray Slakinski (rays AT sdf1.net)
Tested and Verified by Jason McLeod (jason AT sdf1.net)

This document and follow up information can be found at http://
dev.sdf1.net/archives/003082.html
-----BEGIN PGP SIGNATURE-----

iQEcBAEBAwAGBQJCMIHYAAoJEPYpbvru9KvVylYH/
0s3tL5fOq00VKrL4a438+gZ
eOUZI7b/
+Z6wQuu41KYQJzdLZ5cpwiTaQyFFjCHMJ3q7zMPqXpebMU5Isb5FQxHU
Q0X2DRZ85DWySew9Esu8z1K8DctxxgjBLB83ffC7fezsXrx/
Fy9Go5JIPaSiqUdu
Zk8eLGhmKIZJWJ2nv8LzXmh9bwA3CWC8R4TjgaM8vIC9/
2syiJM1F7M9lFB3868h
Hp3q7FNCSBVVcgcKdN2RTUBSNncKykD4oXUYv3aFYt2G1N/1YfrO7/
OvOgUbNol+
+zVrMpEZxN2I3eJbg6nPjF3WkiD0OfbTs+CE9BbVv0bjZFY8UIG3HZgthu
8t6+g=
=MO8T
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close