[38681] in bugtraq
Mac OS X Cocktail 3.5.4 admin password disclosure
daemon@ATHENA.MIT.EDU (sonderling)
Fri Apr 29 17:14:54 2005
Message-Id: <200504291848.j3TImI4D086337@mailserver3.hushmail.com>
Date: Fri, 29 Apr 2005 11:48:15 -0700
To: <bugtraq@securityfocus.com>
Cc:
From: "sonderling" <sonderling@hushmail.com>
Application: Mac OS X Cocktail
Version: 3.5.4 and probably below
URL: www.macosxcocktail.com
Vulnerability: admin password disclosure
=======================================================
Vendor's description:
"Cocktail is a general purpose utility for Mac OS X. The
application serves up a scrumptious mix of maintenance tools
and interface tweaks, all accessible via a comprehensive
graphical interface and toolset. It is a smooth and powerful
utility that simplifies the use of advanced UNIX functions."
The problem:
Since Cocktail needs administrative privileges the user is
prompted for the admin password upon startup. The actual
maintenance is done by command line utilities that are executed
in an insecure manner: Cocktail creates a new process and
lets /bin/sh pipe the admin password using echo into sudo,
which then will execute the utility, like this:
sh -c echo 'PASSWORD' | sudo -p "" -S sudo update_prebinding -root /
Exploitation:
Knowing Cocktail is waiting for some Unix utility to have finished
its work, just execute "ps ax" on the terminal and search for
the password.
The vendor has been contacted; the new version 3.6 for
Mac OS X "Tiger" should have been fixed. I haven't tested
this version, though.
Concerned about your privacy? Follow this link to get
secure FREE email: http://www.hushmail.com/?l=2
Free, ultra-private instant messaging with Hush Messenger
http://www.hushmail.com/services-messenger?l=434
Promote security and make money with the Hushmail Affiliate Program:
http://www.hushmail.com/about-affiliate?l=427
