Re: Local root exploit on Mac OS X with Adobe Version Cue

To: fintler@xxxxxxxxx
Subject: Re: Local root exploit on Mac OS X with Adobe Version Cue
From: Chet Ramey <chet@xxxxxxxxxxxxxxxxxx>
Date: Tue, 7 Dec 2004 14:05:14 -0500
Cc: bugtraq@xxxxxxxxxxxxxxxxx, chet@xxxxxxxxxxx, llattanzi@xxxxxxxxx
In-reply-to: Message from fintler@xxxxxxxxx of Mon, 06 Dec 2004 21:15:32 -0500 (id <4cb4bda1041206181564784c14@xxxxxxxxxxxxxx>)
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Read-receipt-to: chet@xxxxxxxxxxx
References: <4cb4bda104120617526953ce8a@xxxxxxxxxxxxxx> <4cb4bda1041206181564784c14@xxxxxxxxxxxxxx>
Reply-to: chet@xxxxxxxxxxx

> Local root exploit on Mac OS X 10.3.6 with Adobe products installed
> Found by Jonathan Bringhurst <fintler@xxxxxxxxxxxxxxxx>
> 
> Summary:
> 
> It's possible to create a suid root shell with a non-privileged user
> on a Mac OS X 10.3.6 system with Adobe Version Cue installed. Adobe
> Version Cue is installed by default with virtually every recent Adobe
> product. This most likely affects many versions of Mac OS X and Adobe
> Version Cue.
> 
> Details:
> 
> Scripts to start and stop Adobe Version Cue are suid root and do not
> make any checks to see if they are running from the correct path. By
> setting the current path to a controlled directory and creating
> scripts with specific names, a user can have a custom script run euid
> root.

This is the result of an Apple-introduced problem in bash-2.05b.  Bash,
as distributed, gives up setuid privileges when invoked without the -p
option, if the kernel allows setuid scripts to run.  Apple changed bash
to keep setuid if bash is invoked as `sh'.

You can solve this particular problem by removing the setuid bit from
the scripts and tightening up path checking, but it's going to be a
potential problem until Apple reconsiders their permitting setuid scripts.

Chet

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
( ``Discere est Dolere'' -- chet )
                                                Live...Laugh...Love
Chet Ramey, ITS, CWRU    chet@xxxxxxxxxxx    http://tiswww.tis.cwru.edu/~chet/

References:
- Local root exploit on Mac OS X with Adobe Version Cue
  - From: fintler

Prev by Date: MD5 To Be Considered Harmful Someday
Next by Date: Bypass personal firewall application protection . Again.
Previous by thread: Local root exploit on Mac OS X with Adobe Version Cue
Next by thread: MaxDB WebTools <= 7.5.00.18 buffer overflow and Denial of Service
Index(es):
- Date
- Thread