Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Macintosh :: a6147.htm

DirectoryService privilege escalation and DoS attack



14th Apr 2003 [SBWID-6147]
COMMAND

	DirectoryService privilege escalation and DoS attack

SYSTEMS AFFECTED

	MacOS X (10.2.4 and below)

PROBLEM

	In @stake advistory a041003-1 [http://www.atstake.com],  Dave  G.  found
	following:
	
	 Overview
	 ========
	
	DirectoryServices is part of the MacOS X information and  authentication
	subsystem. It is launched at  startup,  setuid  root  and  installed  by
	default. It is vulnerable  to  several  attacks  ultimately  allowing  a
	local user to obtain root privileges.
	       
	
	 Details
	 =======
	
	During the startup of DirectoryService, the application creates  a  lock
	file by executing the touch(1) UNIX command. It executes  touch  through
	the system() libc function. This function  is  inherently  insecure  and
	its use is strongly discouraged in privileged applications.
	
	Since this call to  system()  does  not  specify  a  full  path  to  the
	touch(1) command, it is possible for an  attacker  to  modify  the  PATH
	environment variable to specify a directory containing her  own  version
	of  the  touch(1)  command.  In  this   instance,   this   would   cause
	DirectoryService to execute arbitrary commands as root.
	
	In order for an attacker to exploit this vulnerability, they must  first
	cause DirectoryServices  to  terminate.  This  can  be  done  by  simply
	connecting to port 625 repeatedly using an automated program.
	
	

SOLUTION

	 Vendor Response
	 ===============
	
	Directory  Services:  Fixes  CAN-2003-0171  DirectoryServices  Privilege
	Escalation and DoS Attack. DirectoryService is part of the Mac OS X  and
	Mac OS X Server  information  services  subsystem.  It  is  launched  at
	startup, setuid root and installed by default.  It  is  possible  for  a
	local attacker to modify an environment variable that  would  allow  the
	execution of arbitrary commands as root. Credit to Dave G. from  @stake,
	Inc. for the discovery of this vulnerability.
	
	
	 @stake Recommendation
	 =====================
	
	@stake recommends that user upgrade to Mac OS X 10.2.5.
	
	
	 Common Vulnerabilities and Exposures (CVE) Information
	 ======================================================
	
	The Common Vulnerabilities and Exposures (CVE) project has assigned  the
	following names to these issues. These are candidates for  inclusion  in
	the  CVE  list  (http://cve.mitre.org),  which  standardizes  names  for
	security problems.
	
	
	  CAN-2003-0171  Directory Services Privilege Escalation and DoS
	                 Attack
	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH