-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

@stake, Inc.
www.atstake.com

Security Advisory

Advisory Name: TruBlueEnvironment Buffer Overflow
Release Date: 01/27/2004
Application: TruBlueEnvironment
Platform: Mac OS X 10.3.x and 10.2.x
Severity: A user with an account on the system can become root
Author: Dave G.
Vendor Status: Notified, Patch Issued
CVE Candidate: CAN-2004-0089 TruBlueEnvironment Buffer Overflow
Reference: www.atstake.com/research/advisories/2004/a012704-1.txt


Overview:

TruBlueEnvironment is part of the MacOS Classic Emulator. It is
setuid root and installed by default. There is a buffer overflow
vulnerability that allows a user with interactive access to escalate
privileges to root.


Details:

TruBlueEnvironment takes the value of an environment variable and
copies it into a buffer without performing any bounds checking. Since
this buffer is stored on the stack, it is possible to overwrite the
return stack frame and execute arbitrary code as root.


Vendor Response:

This is fixed in Security Update 2004-01-26. Further information
about this update is available via:

http://docs.info.apple.com/article.html?artnum=61798


Recommendation:

Restrict access to the TruBlueEnvironment(*) executable, or remove it
entirely if it is not being used.

One approach to restricting access would be to remove global execute
permissions from the TruBlueEnvironment executable, and only allow a
specific group to execute the application. The following commands
will restrict access to the 'admin' group:

    sudo chown .admin /System/Library/CoreServices/Classic\ Startup.app/Contents/Resources/TruBlueEnvironment
    sudo chmod 4750 /System/Library/CoreServices/Classic\ Startup.app/Contents/Resources/TruBlueEnvironment

(*) Located in
/System/Library/CoreServices/Classic\ Startup.app/Contents/Resources/TruBlueEnvironment


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

CAN-2004-0089 TruBlueEnvironment Buffer Overflow


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

Copyright 2004 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0 - not licensed for commercial use: www.pgp.com

iQA/AwUBQBh7qke9kNIfAm4yEQL2dQCeMd/Dje0rfRwenO9eKdVVqw5hbTsAniz3
bVqnpAekJOKpfwL2+fFdQsAp
=Be1Y
-----END PGP SIGNATURE-----
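
The defect class named under "Details", shown beside a bounded replacement. This is an added illustration, not code from TruBlueEnvironment or from the advisory; the 64-byte buffer size, the function names and the EXAMPLE_SETTING variable name are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SETTING_MAX 64   /* assumed size; the advisory does not give one */

/* The pattern the advisory describes, kept for contrast and never called:
 * an environment value copied into a stack buffer with no length check. */
void load_setting_unchecked(const char *name)
{
    char buf[SETTING_MAX];
    const char *val = getenv(name);
    if (val != NULL)
        strcpy(buf, val);          /* overruns buf once val exceeds 63 bytes */
    (void)buf;
}

/* Bounded copy: 0 on success, -1 if val is NULL, -2 if it does not fit.
 * Oversized input is rejected rather than truncated, and dst is left empty. */
int copy_setting(char *dst, size_t dstlen, const char *val)
{
    size_t n;
    if (dst == NULL || dstlen == 0)
        return -2;
    dst[0] = '\0';
    if (val == NULL)
        return -1;
    n = strlen(val);
    if (n >= dstlen)               /* need room for the terminating NUL */
        return -2;
    memcpy(dst, val, n + 1);
    return 0;
}

/* Hardened counterpart of load_setting_unchecked(). */
int load_setting(const char *name, char *dst, size_t dstlen)
{
    return copy_setting(dst, dstlen, getenv(name));
}

int main(void)
{
    char buf[SETTING_MAX];
    /* EXAMPLE_SETTING is a hypothetical variable name. */
    int rc = load_setting("EXAMPLE_SETTING", buf, sizeof buf);
    printf(rc == 0 ? "accepted: %s\n" : "rejected%s\n", rc == 0 ? buf : "");
    return 0;
}
```

In a setuid program every environment value is supplied by the invoking user, so the length check has to happen before any copy into fixed-size storage.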