RsyncX vulnerabilities
Product: RsyncX is a frontend for rsync running on OS X,
with additional features such as crontab editing.
http://www.macosxlabs.org/rsyncx/rsyncx.html
Problems:
1) RsyncX is installed setuid root and setgid wheel.
Upon execution, the program drops root privileges (only via
seteuid(getuid())). However, it does not drop wheel-group
privileges. This allows any user to execute arbitrary
programs with egid=wheel. I assume it's also vulnerable to
other attacks given it doesn't totally drop root privileges,
though I didn't investigate that.
Since RsyncX runs "defaults" by searching the user's PATH,
System\ Preferences.app can be replaced with an arbitrary
program as follows:
First, make a backup of System\ Preferences.app.
Create an executable file ~/bin/defaults with the following contents:
=============================
#!/bin/sh
mv "/Applications/System Preferences.app/Contents" "/Applications/System Preferences.app/oldcont"
cp -r "/Applications/Calculator.app/Contents" "/Applications/System Preferences.app/Contents"
=============================
Then run RsyncX with ~/bin in your path:
PATH=~/bin:$PATH /Applications/Utilities/RsyncX.app/Contents/MacOS/RsyncX
Click on System Preferences, and it is now a calculator.
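Problem 1 has two distinct defects: seteuid() changes only the effective uid (the saved uid stays 0, so root can be regained), and the group ids are never touched at all; the PATH lookup of "defaults" is what turns the leftover privilege into arbitrary code execution. The following is an added example, not RsyncX's code, of the drop sequence a setuid/setgid program should use instead, a check that the drop is irreversible, and an exec of the helper by absolute path with a fixed environment so the invoking user's PATH is never consulted. The helper path /usr/bin/defaults and its arguments are assumptions for illustration; RsyncX's own invocation is not shown on the page.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed absolute path for the helper (illustration only). */
#define HELPER_PATH "/usr/bin/defaults"

/* Fixed environment for the helper: a caller-supplied PATH must never
   decide which "defaults" binary a privileged program ends up running. */
static char *const helper_env[] = { "PATH=/usr/bin:/bin", NULL };

/* Permanently drop to the given uid/gid. Order matters: supplementary
   groups first, then gid, then uid, because once the effective uid is no
   longer 0 the group ids can no longer be changed. setgid()/setuid() set
   the real, effective AND saved ids, unlike seteuid(), which leaves the
   saved uid at 0 and so lets the process regain root later. */
int drop_privileges(uid_t uid, gid_t gid) {
    /* Only root may call setgroups(); an unprivileged caller has nothing
       to clear, so skip it rather than fail. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    return 0;
}

/* Verify the drop is complete and irreversible: real and effective ids
   match the target, and an attempt to become root again is refused. */
int privileges_dropped(uid_t uid, gid_t gid) {
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    if (uid != 0 && setuid(0) == 0) return 0;  /* saved uid was still 0 */
    if (gid != 0 && setgid(0) == 0) return 0;  /* saved gid was still 0 */
    return 1;
}

int main(void) {
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    if (!privileges_dropped(uid, gid)) {
        fprintf(stderr, "privileges not fully dropped\n");
        return 1;
    }
    printf("running as uid=%u euid=%u gid=%u egid=%u\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           (unsigned)getgid(), (unsigned)getegid());
    /* Absolute path and fixed environment: no PATH lookup at all.
       The "read" argument is illustrative. */
    char *const argv[] = { HELPER_PATH, "read", NULL };
    execve(HELPER_PATH, argv, helper_env);
    perror("execve");  /* only reached if the helper could not be started */
    return 1;
}
```

Run as an ordinary user the program simply confirms that its own ids are consistent; the check is what matters in a setuid binary, where privileges_dropped() would return 0 if the program had used seteuid() alone or had skipped setgid(), which is exactly the state the advisory describes.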
2) RsyncX uses a fixed file in /tmp allowing /etc/crontab to be
user-controlled.
When the scheduler component of RsyncX is used, the fixed path
/tmp/cron_rsyncxtmp is used insecurely. A user can create a dir /tmp/blahdir,
then
ln -s /tmp/blahdir/file /tmp/cron.rsyncxtmp
After RsyncX scheduler is used by an admin, /etc/crontab
will become a symlink pointing to /tmp/blahdir/file.
/tmp/blahdir is controlled by the user. Issues probably also
exist with the "chown root; chmod u+s" on that file - I
haven't fully investigated that.
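The root cause of problem 2 is a predictable name in a world-writable directory that is reused across runs and written to without regard for what is already there. Below is an added example, not RsyncX's code, of the two standard defences: refusing to follow anything pre-existing at a fixed name (O_EXCL|O_NOFOLLOW), and staging new contents with mkstemp() in the destination's own directory and rename()ing them into place, so that a symlink planted at the destination is replaced rather than written through. The self-check reproduces the advisory's setup in a private scratch directory: a "victim" file standing in for /etc/crontab and a planted symlink named cron_rsyncxtmp pointing at it. The scratch directory and file contents are constructed for the example.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Defence 1: a predictable name is only ever created fresh, never reused,
   and a symlink planted there is refused instead of followed.
   Returns an fd or -1 (errno EEXIST or ELOOP when something was planted). */
int open_fixed_name_safely(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Defence 2: stage the new contents in a mkstemp() file in the
   destination's own directory (never in /tmp), then rename() it into
   place. rename() swaps the directory entry, so a symlink sitting at the
   destination is replaced rather than written through. */
int write_file_atomically(const char *target, const char *contents) {
    char tmpl[4096];
    if (snprintf(tmpl, sizeof tmpl, "%s.XXXXXX", target) >= (int)sizeof tmpl)
        return -1;
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    size_t len = strlen(contents);
    ssize_t n = write(fd, contents, len);
    if (n < 0 || (size_t)n != len || fsync(fd) != 0 || close(fd) != 0 ||
        rename(tmpl, target) != 0) {
        unlink(tmpl);
        return -1;
    }
    return 0;
}

/* Small reader used by the self-check. */
static int file_has_contents(const char *path, const char *expected) {
    char buf[256] = {0};
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    return n == strlen(expected) && memcmp(buf, expected, n) == 0;
}

/* Reproduces the advisory's setup in a scratch directory (created with
   mkdtemp(), so it is private to us) and returns 1 if both defences hold. */
int self_check(void) {
    char dir[] = "/tmp/rsyncx-demo.XXXXXX";  /* constructed scratch area */
    char victim[4096], planted[4096];
    struct stat st;
    int fd, ok = 0;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/cron_rsyncxtmp", dir);
    /* The "victim" stands in for /etc/crontab; the attacker plants a
       symlink at the predictable temp name pointing at it. */
    if (write_file_atomically(victim, "original\n") != 0) goto out;
    if (symlink(victim, planted) != 0) goto out;
    /* Defence 1: the planted link is refused, never opened. */
    fd = open_fixed_name_safely(planted);
    if (fd >= 0) { close(fd); goto out; }
    /* Defence 2: writing to the planted name replaces the link with a
       regular file; the victim keeps its original contents. */
    if (write_file_atomically(planted, "replacement\n") != 0) goto out;
    if (lstat(planted, &st) != 0 || !S_ISREG(st.st_mode)) goto out;
    if (!file_has_contents(victim, "original\n")) goto out;
    if (!file_has_contents(planted, "replacement\n")) goto out;
    ok = 1;
out:
    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return ok;
}

int main(void) {
    int ok = self_check();
    printf("symlink defences hold: %s\n", ok ? "yes" : "NO");
    return ok ? 0 : 1;
}
```

Of the two, the rename-based write is the one that matters for /etc/crontab: the temp file never leaves /etc, so nothing a user does in /tmp can influence what lands there, and the final step is a single atomic directory-entry swap rather than a write into whatever the fixed name currently resolves to.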
Workarounds:
For setuid/setgid issues, change permissions on RsyncX so
that it is only executable by admins, or not installed
setuid or setgid.
For the /tmp insecurity, don't use the RsyncX scheduler.
Versions:
RsyncX 2.1 was tested.
Developer Response:
Regarding the failure to drop gid=wheel, I was told that the
program uses Apple Security Services to control authorized
access, and that "any admin can gain root privs in OS X". I
received no response when I confirmed that it was _any_
user, not just admins.
With the /tmp insecurity, I was told that there are a few
bugs in the scheduler.
These were reported to the developer on 8 Sept 2004.
Matt Johnston
matt ucc.asn.au