RsyncX vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: RsyncX vulnerabilities
From: Matt Johnston <matt@xxxxxxxxxx>
Date: Fri, 17 Sep 2004 17:15:28 +0800
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mutt/1.4i

Product: RsyncX is a frontend for rsync running on OS X,
with additional features such as crontab editing.

http://www.macosxlabs.org/rsyncx/rsyncx.html

Problems:

1) RsyncX is installed setuid root and setgid wheel.

Upon execution, the program drops root privileges (only via
seteuid(getuid()) ). However it does not drop wheel-group
privileges. This allows any user to execute arbitrary
programs with egid=wheel. I assume it's also vulnerable to
other attacks given it doesn't totally drop root privileges,
though I didn't investigate that.

Since "defaults" is run according to the user's path,
System\ Preferences.app can be replaced with an arbitrary
program as follows:

First, make a backup of System\ Preferences.app

Create an executable file ~/bin/defaults with contents of:

=============================
#!/bin/sh                                                                       
mv "/Applications/System Preferences.app/Contents" "/Applications/System 
Preferences.app/oldcont"
cp -r "/Applications/Calculator.app/Contents" "/Applications/System 
Preferences.app/Contents"
=============================

Then run RsyncX with ~/bin in your path:

PATH=~/bin:$PATH /Applications/Utilities/RsyncX.app/Contents/MacOS/RsyncX

Click on System Preferences, and is now a calculator.

2) RsyncX uses a fixed file in /tmp allowing /etc/crontab to be
user-controlled.

When using the scheduler component of RsyncX, /tmp/cron_rsyncxtmp
is insecurely used. A user can create a dir /tmp/blahdir,
then 
ln -s /tmp/blahdir/file /tmp/cron.rsyncxtmp

After RsyncX scheduler is used by an admin, /etc/crontab
will become a symlink pointing to /tmp/blahdir/file.
/tmp/blahdir is controlled by the user. Issues probably also
exist with the "chown root; chmod u+s" on that file - I
haven't fully investigated that.



Workarounds:

For setuid/setgid issues, change permissions on RsyncX so
that it is only executable by admins, or not installed
setuid or setgid.

For the /tmp insecurity, don't use the RsyncX scheduler.

Versions:

RsyncX 2.1 was tested.

Developer Response:

Regarding the failure to drop gid=wheel, I was told that the
program uses Apple Security Services to control authorized
access, and that "any admin can gain root privs in OS X". I
received no response when I confirmed that it was _any_
user, not just admins.

With the /tmp insecurity, I was told that there are a few
bugs in the scheduler. 

These were reported to the developer on 8 Sept 2004.


Matt Johnston 
matt ucc.asn.au

Prev by Date: Microsoft WordPerfect 5.x Converter Heap Overflow
Next by Date: [exploitwatch.org] ALERT: Windows XP JPEG Buffer Overflow POC Exploit
Previous by thread: Microsoft WordPerfect 5.x Converter Heap Overflow
Next by thread: [exploitwatch.org] ALERT: Windows XP JPEG Buffer Overflow POC Exploit
Index(es):
- Date
- Thread