Mac OS X Systemic Insecure File Permissions




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



                               @stake, Inc.
                             www.atstake.com

                            Security Advisory

Advisory Name: Systemic Insecure File Permissions
Release Date: 10/28/2003
 Application: Finder (Many)
    Platform: Mac OS X 10.2.8 and below
    Severity: High
      Author: Dave G. <daveg@xxxxxxxxxxx>
Vendor Status: Vendor has new release with fix
CVE Candidate: CAN-2003-0876
   Reference: www.atstake.com/research/advisories/2003/a102803-1.txt


Overview:

Many applications are installed onto Mac OS X systems with insecure
file permissions.  This is due to two distinct classes of problems:

    1) a security issue regarding DMG files managed by Mac OS X
    2) insecure file permissions packaged by different vendors

The result is that many of the files and directories that compose
various applications are globally writable.  This allows attackers
with filesystem access to an OS X machine to replace binaries and
obtain additional privileges from unsuspecting users, who may run
the replaced version of the binary.

Issue #1: DMG File Permissions

Mac OS X resets the permissions on directories to global
read/write/execute when they are dragged off of a DMG disk image.  It
exhibits the same behavior when folders are dragged onto a mounted DMG.
This resetting does not appear to occur on files, only directories.
Since these directories contain application binaries, attackers with
interactive access to a Mac OS X system can overwrite many applications
with trojan binaries.  These trojan binaries would escalate the
privileges of the attacker to the privileges of the unsuspecting user
who ran them.

Issue #2: Incorrect Vendor-Specified File Permissions

Many Mac OS X vendors, both large and small, package and ship
applications with insecure file permissions.  World writable files
have included:

  1) Application and support executables
  2) Directories
  3) Shared objects
  4) Configuration files
  5) HTML and JavaScript

Typically, these files have existed within the following directories
(but not exclusively):

  1) /Applications
  2) /Library/Application Support
  3) /Library/StartupItems

The number of vendors affected by this is large, and individual
applications affected are not provided within this advisory.  However,
the recommendations section provides a UNIX command that can be used
to identify insecure file permissions.


Vendor Response:

This is fixed in Mac OS X 10.3 where Finder will preserve the
permissions on copied folders. For any existing folders, it is
possible to manually change the permissions to the desired setting
through the Get Info command in the File menu of the Finder, then
modifying the "Ownership & Permissions" settings for the selected
folder or file. Disk Utility, found in /Applications/Utilities, is
also helpful in setting system-wide folder permissions via the
"Repair Disk Permissions" button.

For further information on Mac OS X 10.3, please see
http://www.apple.com/macosx/


Recommendations:

1) Review the file and directory permissions in the following
  directories: /Applications, /Library/Application Support and
  /Library/StartupItems.

While it may make sense to remove global write permissions on all
directories in /Applications, this may break the functionality of
certain applications.  To attempt this, execute the following
command from within Terminal.app:

    find /Applications -type d -exec chmod o-w {} \;

Warning: this command may break certain applications.

2) Upgrade to Panther (Mac OS X 10.3).
3) When installing applications, use the UNIX cp(1) command.
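
For the review in recommendation 1, the following report-only script lists
world-writable files and directories without changing them. It is an added
example, not part of the original @stake advisory; the function name and
output format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report-only audit; it changes nothing on disk.
# Prints "<KIND><TAB><path>" for every regular file or directory whose
# other-write bit is set. Symlinks are skipped: find does not follow them,
# and their own mode bits are not what access checks use.
# Limitation: paths containing newlines are split across output lines.

audit_world_writable() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" \( -type d -o -type f \) -perm -0002 -print 2>/dev/null |
        while IFS= read -r path; do
            kind=FILE
            if [ -d "$path" ]; then
                kind=DIR
                # A sticky directory (mode ends in t/T) still lets anyone
                # create entries, but only owners can remove or rename them.
                case "$(ls -ld "$path")" in
                    ?????????[tT]*) kind=DIR+sticky ;;
                esac
            fi
            printf '%s\t%s\n' "$kind" "$path"
        done
    done
}

# With no arguments, scan the three directories the advisory names.
[ "$#" -gt 0 ] || set -- /Applications "/Library/Application Support" /Library/StartupItems
audit_world_writable "$@"
```

Review the listed paths before applying chmod o-w to any of them, since the
advisory warns that removing write access may break certain applications.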


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues.  These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

 CAN-2003-0876 Systemic Insecure File Permissions


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

Copyright 2003 @stake, Inc. All rights reserved.





-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBP56reUe9kNIfAm4yEQJO4gCfR32kJ/c7B4RkVqmmuEbi3HypWtYAoMNv
y0KO2X6Q/h2vtw96FoSY+3Ys
=iHU+
-----END PGP SIGNATURE-----