[37612] in bugtraq
Re: Local root exploit on Mac OS X with Adobe Version Cue
daemon@ATHENA.MIT.EDU (Chet Ramey)
Tue Dec 7 16:39:48 2004
Date: Tue, 7 Dec 2004 14:05:14 -0500
From: Chet Ramey <chet@caleb.ins.cwru.edu>
To: fintler@gmail.com
Cc: bugtraq@securityfocus.com, chet@po.cwru.edu, llattanzi@apple.com
Reply-To: chet@po.cwru.edu
In-Reply-To: Message from fintler@gmail.com of Mon, 06 Dec 2004 21:15:32 -0500 (id <4cb4bda1041206181564784c14@mail.gmail.com>)
Message-ID: <041207190514.AA07763.SM@caleb.ins.cwru.edu>
Read-Receipt-To: chet@po.CWRU.Edu
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
> Local root exploit on Mac OS X 10.3.6 with Adobe products installed
> Found by Jonathan Bringhurst <fintler@gmail.com.NOSPAM>
>
> Summary:
>
> It's possible to create a suid root shell with a non-privileged user
> on a Mac OS X 10.3.6 system with Adobe Version Cue installed. Adobe
> Version Cue is installed by default with virtually every recent Adobe
> product. This most likely affects many versions of Mac OS X and Adobe
> Version Cue.
>
> Details:
>
> Scripts to start and stop Adobe Version Cue are suid root and do not
> make any checks to see if they are running from the correct path. By
> setting the current path to a controlled directory and creating
> scripts with specific names, a user can have a custom script run euid
> root.
This is the result of an Apple-introduced problem in bash-2.05b. Bash,
as distributed, gives up setuid privileges when invoked without the -p
option, if the kernel allows setuid scripts to run. Apple changed bash
to keep setuid if bash is invoked as `sh'.
You can solve this particular problem by removing the setuid bit from
the scripts and tightening up path checking, but it's going to be a
potential problem until Apple reconsiders their permitting setuid scripts.
Chet
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
( ``Discere est Dolere'' -- chet )
Live...Laugh...Love
Chet Ramey, ITS, CWRU chet@po.cwru.edu http://tiswww.tis.cwru.edu/~chet/
