From advisories@atstake.com Fri Apr 11 00:22:01 2003 From: "@stake Advisories" To: vulnwatch@vulnwatch.org Date: Thu, 10 Apr 2003 16:49:17 -0400 Subject: [VulnWatch] MacOS X DirectoryService Privilege Escalation (a041003-1) [ The following text is in the "ISO-8859-1" character set. ] [ Your display is set for the "US-ASCII" character set. ] [ Some characters may be displayed incorrectly. ] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 @stake, Inc. www.atstake.com Security Advisory Advisory Name: MacOS X DirectoryService Privilege Escalation and DoS Attack Release Date: 04/10/2003 Application: /usr/sbin/DirectoryService Platform: MacOS X (10.2.4 and below) Severity: Local users can gain root privileges Remote users may be able to crash DirectoryService Author: Dave G. Vendor Status: Notified, Patch Available CVE Candidate: CAN-2003-0171 Reference: www.atstake.com/research/advisories/2003/a041003-1.txt Overview: DirectoryServices is part of the MacOS X information and authentication subsystem. It is launched at startup, setuid root and installed by default. It is vulnerable to several attacks ultimately allowing a local user to obtain root privileges. Details: During the startup of DirectoryService, the application creates a lock file by executing the touch(1) UNIX command. It executes touch through the system() libc function. This function is inherently insecure and its use is strongly discouraged in privileged applications. Since this call to system() does not specify a full path to the touch(1) command, it is possible for an attacker to modify the PATH environment variable to specify a directory containing her own version of the touch(1) command. In this instance, this would cause DirectoryService to execute arbitrary commands as root. In order for an attacker to exploit this vulnerability, they must first cause DirectoryServices to terminate. This can be done by simply connecting to port 625 repeatedly using an automated program. Timeline: 03/25/2003 Apple notified via email. 03/28/2003 Apple verified. 04/10/2003 Coordinated release. Vendor Response: Directory Services: Fixes CAN-2003-0171 DirectoryServices Privilege Escalation and DoS Attack. DirectoryService is part of the Mac OS X and Mac OS X Server information services subsystem. It is launched at startup, setuid root and installed by default. It is possible for a local attacker to modify an environment variable that would allow the execution of arbitrary commands as root. Credit to Dave G. from @stake, Inc. for the discovery of this vulnerability. @stake Recommendation: @stake recommends that user upgrade to Mac OS X 10.2.5. Common Vulnerabilities and Exposures (CVE) Information: The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. CAN-2003-0171 Directory Services Privilege Escalation and DoS Attack @stake Vulnerability Reporting Policy: http://www.atstake.com/research/policy/ @stake Advisory Archive: http://www.atstake.com/research/advisories/ PGP Key: http://www.atstake.com/research/pgp_key.asc @stake is currently seeking application security experts to fill several consulting positions. Applicants should have strong application development skills and be able to perform application security design reviews, code reviews, and application penetration testing. Please send resumes to jobs@atstake.com. Copyright 2003 @stake, Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBPpXYnUe9kNIfAm4yEQKfvgCfdz/zWZNmw0tzZMjeS2/x3D9bGXEAoKv6 NbFuweVUSzwEJRMUIwodX+9g =gfqg -----END PGP SIGNATURE-----