XCode 1.5 and distcc 2.x Exploit

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: XCode 1.5 and distcc 2.x Exploit
From: Ray Slakinski <ray@xxxxxxxx>
Date: 10 Mar 2005 17:13:04 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

SDF1 Networks
Security Advisory: Apple XCode and distcc
March 10, 2005

Outline:

Vendor:       Apple, Samba
Programs:     XCode and distcc
Type:         Remote
Severity:     High
Version:      XCode 1.5, distcc 2.x

Overview:

Apple ships XCode 1.5 with a feature for distributed compiling.  This 
feature actually uses the Samba distcc module (http://
distcc.samba.org). There are known exploits for distccd which will 
enable a remote person full user level access to the target machine.

XCode ships with version 2.0.1 of distcc. We also tried updating to 
2.18.3 and had similar issues with that version as well.
Apple was not contacted prior to this release because the exploit for 
distccd is already known and in the wild.  Users of the distributed 
compiling system in XCode should disable this feature until both Apple 
and Samba can take proper action to protect its users.

Exploit:

There are a few known exploits for distcc. By using a common method 
provided by metasploit (http://metasploit.com/projects/Framework/
exploits.html#distcc_exec), I was given full access to the remote users 
home folder via telnet.

Proposed Solution:

Samba needs to work on proper directory jailing and remote code 
execution with their distcc product.  Apple needs to at least ship with 
the latest version of distcc, which supports an Allow List of people that 
are allowed to connect to the distcc daemon. This would minimize the 
damage caused by running this service on a machine.

Credits:

Exploit was discovered by Ray Slakinski (rays AT sdf1.net)
Tested and Verified by Jason McLeod (jason AT sdf1.net)

This document and follow up information can be found at http://
dev.sdf1.net/archives/003082.html
-----BEGIN PGP SIGNATURE-----

iQEcBAEBAwAGBQJCMIHYAAoJEPYpbvru9KvVylYH/
0s3tL5fOq00VKrL4a438+gZ
eOUZI7b/
+Z6wQuu41KYQJzdLZ5cpwiTaQyFFjCHMJ3q7zMPqXpebMU5Isb5FQxHU
Q0X2DRZ85DWySew9Esu8z1K8DctxxgjBLB83ffC7fezsXrx/
Fy9Go5JIPaSiqUdu
Zk8eLGhmKIZJWJ2nv8LzXmh9bwA3CWC8R4TjgaM8vIC9/
2syiJM1F7M9lFB3868h
Hp3q7FNCSBVVcgcKdN2RTUBSNncKykD4oXUYv3aFYt2G1N/1YfrO7/
OvOgUbNol+
+zVrMpEZxN2I3eJbg6nPjF3WkiD0OfbTs+CE9BbVv0bjZFY8UIG3HZgthu
8t6+g=
=MO8T
-----END PGP SIGNATURE-----

Prev by Date: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability.
Next by Date: iDEFENSE Security Advisory 03.10.05: Ipswitch Collaboration Suite IMAP EXAMINE Buffer Overflow Vulnerability
Previous by thread: Re: Multiple AV Vendor Incorrect CRC32 Bypass Vulnerability.
Next by thread: iDEFENSE Security Advisory 03.10.05: Ipswitch Collaboration Suite IMAP EXAMINE Buffer Overflow Vulnerability
Index(es):
- Date
- Thread