This is an email that was forwarded to me:
There is a severe security issue with Mac OS X 10.2 Jaguar, which allows
any user of the system to navigate through the entire filesystem, and
possibly overwrite any file. The security issue lies within the "NetInfo
Manager" application, which is setuid root. Whenever a user runs this
application, the entire application is running as root.
Therefore, if the user runs "NetInfo Manager" and chooses to print the
window content by choosing "Domain: Print", the Print dialog is running
as root? By choosing to "Save as PDF", the associated file manager
window is itself running as root, thus allowing the user to navigate all
files on the connected hard disks. Moreover, by creating a filesystem
link to any file of the filesystem, calling the link "dummy.pdf", and
then saving the PDF over this link, the user is then allowed to
overwrite the contents of any file of the filesystem, including system
files or files owned by other users on the system.
Although this security hole cannot be used to gain privileged status
with a clean install of Jaguar, it might be possible for a malicious
user to install a custom Print Driver of his choosing, which could, for
example, run a copy of Terminal.app as root, thus allowing the attacker
to gain root access.
A similar security issue has already been discovered a few months ago,
where running "NetInfo Manager" allowed any user to become root while
choosing a program from the Apple menu. Setuid applications have severe
security implications, this should not be forgotten.
Also, note that from all the programs shipped with Jaguar which are
setuid root, NetInfo Manager is the only program which does not "drop
privileges".
I am hoping that a security fix will be available as soon as possible.
For the good of the community, I am not going to divulge this security
issue for a reasonable period of time or until you provide a fix or
publish a technical note about it, whichever comes first. Do not
hesitate to contact me should you need more information about this
problem,
E-Secure-IT Administrator
http://www.e-secure-it.co.nz
| PowerBook G4 550 - 10.4 - 512Mb - 20Gb | 30Gb iPod Photo | 40x12x48 Fantom Drives CDRW (firewire) | Logitech Cordless Mouse MX700 | xBox with XBMC for movies and music in the lounge
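The overwrite described in the forwarded e-mail depends on a root-privileged save writing through a link named dummy.pdf. As an added example (not code from the e-mail, the thread or Apple), this Python sketch shows two standard defences for a setuid program: do file I/O with the invoking user's IDs, and create output files so that an existing name or link is refused. The function names and the file names other than dummy.pdf are hypothetical, and the scenario is constructed in a temporary directory.

```python
import contextlib
import os
import pathlib
import tempfile

@contextlib.contextmanager
def as_real_user():
    """Run a block with effective IDs set to the real (invoking) user's IDs."""
    euid, egid = os.geteuid(), os.getegid()
    privileged = (euid, egid) != (os.getuid(), os.getgid())
    if privileged:
        os.setegid(os.getgid())  # group first, while still privileged
        os.seteuid(os.getuid())
    try:
        yield
    finally:
        if privileged:
            os.seteuid(euid)     # regain in reverse order
            os.setegid(egid)

def save_new_file(path, data):
    """Create `path` and write `data`; fail if any file or link already exists there."""
    # O_EXCL fails on an existing name, including a symbolic or hard link;
    # O_NOFOLLOW additionally refuses a symlink as the final path component.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    with as_real_user():
        fd = os.open(path, flags, 0o600)
        with os.fdopen(fd, "wb") as out:
            out.write(data)

def demo():
    """Constructed scenario: dummy.pdf is a link to a stand-in for a protected file."""
    pdf = b"%PDF-1.3 constructed sample"
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        target = pathlib.Path(tmp) / "protected.conf"
        link = pathlib.Path(tmp) / "dummy.pdf"
        target.write_bytes(b"original contents")
        link.symlink_to(target)
        try:
            save_new_file(link, pdf)
            result["hardened"] = "written"
        except FileExistsError:
            result["hardened"] = "refused"
        result["after_hardened"] = target.read_bytes()
        link.write_bytes(pdf)  # plain save: follows the link to the target
        result["after_plain"] = target.read_bytes()
    return result
```

Calling `demo()` returns the outcome of both saves; the hardened path leaves the linked file untouched, the plain one replaces its contents.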
I don't believe this is true. Apple fixed this AFAIK, in 10.1 or earlier.
Originally Netinfo Manager ran as root, but I don't believe it does now.
MacBook Pro 2.16GHz Core2Duo 3GB RAM, G4 1.4GHz OSX Tiger 1.25GB RAM, Dual 2GHz G5 OSX Tiger 2GB RAM (freakin shweet)
Athlon 64 Windoze XP for school work (programming) 1GB RAM
dferns@macosx.com
Ooh, that's kinda freaky...
This is with a clean 10.2 install, and Repair Permissions done this morning. Shudder...
Code:
[NetInfo Manager.app/Contents/MacOS] dave% ls -l
total 176
-rwsrwxr-x 1 root admin 176956 Sep 8 17:16 NetInfo Manager
[NetInfo Manager.app/Contents/MacOS] dave%
Still, when NetInfo Manager invokes the printing components, do those get launched as root, too? Or do they come up under the proper user? I'll have to do some research with ps -auxw, I think...
You can have my iBook when you pry it from my cold, dead fingers.
iBook - The computer of choice for the enlightened CS major. Come on Apple, let me do a commercial. ;-)
"An alloc a day keeps the DRAM away!"
Those permissions are the same as for anything that requires admin authentication. "Any user" can't do squat, as per the "r-x" in the third permission area.
Sure, there are security issues with OS X, but primarily only if you have physical access to the machine (unlike Windows).
--
"No left turn unstoned."
(PowerBook 15" 1.5 GHz/80/1.5 GB, eMac 1 GHz/80/768 MB, SuperDrive, 250 GB FireWire HD, Lexmark Z65 printer, Epson Perfection 1200U scanner)
Dammit. Netinfo is running as root.
Not good.
Hardware Specs: 27" i5 Intel iMac w/4Gb RAM running Mac OSX 10.6.4 SnowLeopard.
Ah holy hell, the entire Utilities folder is owned by root! My terminal app is vulnerable! My system is insecure!
</sarcasm>
This e-mail is a hoax. This e-mail is a fraud, and just trying to scare the crud out of someone who doesn't know any better.
When you execute a program, it is run with YOUR permissions, no matter who owns it. So if your user name is 'foo' and root owns NetInfo, when you launch the app, it is run by 'foo', with 'foo's permissions. Now, the moment I authenticate the program by giving it an admin username+password, it DOES get run by 'root' and has root's permission. This is no different from using 'sudo' from the terminal.
Software Update, MindVision, etc... can all run as root if they ask for an admin password. When you installed MSN Messenger 3.0, the installer was running as root after you gave it a password. This is no hole, it is how things work. To get permissions to do certain things, you need to ask for an admin username and password. Once that is done, you get permissions.
People CANNOT run NetInfo as root without authenticating the app (the little lock button) and giving an admin's username and password. If you don't want them to be able to alter your NetInfo settings, or your System preferences, don't give them an admin account. Simple as that.
Any questions?
iMac G5 2.0Ghz (10.4.x, Main System)
MacBook 1.83Ghz (...February)
"Sometimes I drive to run from all my demons \ Sometimes I drive so I can be alone \ Sometimes I drive to see the world in different light \ Sometimes I drive for no reason at all" - Assemblage 23, Drive
Yes, most applications are owned by root, but there's a small detail you've overlooked...
Terminal:
Code:
[Terminal.app/Contents/MacOS] dave% ls -l
total 292
-rwxrwxr-x 1 root admin 295136 Sep 8 17:13 Terminal
NetInfo Manager:
Code:
[NetInfo Manager.app/Contents/MacOS] dave% ls -l
total 176
-rwsrwxr-x 1 root admin 176956 Sep 8 17:16 NetInfo Manager
Compare the permissions carefully:
-rwxrwxr-x Terminal
-rwsrwxr-x NetInfo Manager
Notice how the owner execute permission for NetInfo Manager is 's' rather than the customary x? That means the setuid bit is on. The setuid bit causes the executable to be launched AS the owner. This is actually pretty common in UNIX. Even the ps command does this. It's just a little creepy to see an application as versatile as NetInfo Manager being launched in god mode. One small security hole in that big application, and the entire system could be vulnerable.
You can have my iBook when you pry it from my cold, dead fingers.
iBook - The computer of choice for the enlightened CS major. Come on Apple, let me do a commercial. ;-)
"An alloc a day keeps the DRAM away!"
Hmm... that *IS* rather unusual, but since I don't have Jag installed, I haven't encountered it in person yet. However, I don't see what is stopping people from changing the setuid permission into a regular execute permission and letting the app run like normal. It still authenticates, right?
Still, it is hard to determine how this could be exploited... install a custom printer driver? HA! You have to authenticate for that, as it isn't handled directly by Print Center, but rather by Installer.
Anyone actually see a possible hole here other than the potential for overwritten data?
Last edited by Krevinek; September 15th, 2002 at 12:42 PM.
iMac G5 2.0Ghz (10.4.x, Main System)
MacBook 1.83Ghz (...February)
"Sometimes I drive to run from all my demons \ Sometimes I drive so I can be alone \ Sometimes I drive to see the world in different light \ Sometimes I drive for no reason at all" - Assemblage 23, Drive
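The two `ls -l` listings compared in the thread above can be decoded mechanically. This added example (not part of any post) parses the mode strings as posted and reports the setuid bit, the user the program runs as, and whether users outside the owner and group may execute it; it goes slightly beyond the thread by also handling the general s/S and t/T cases. The function names are hypothetical.

```python
import stat

# Listing lines as posted in the thread above.
THREAD_LISTING = [
    "-rwxrwxr-x 1 root admin 295136 Sep 8 17:13 Terminal",
    "-rwsrwxr-x 1 root admin 176956 Sep 8 17:16 NetInfo Manager",
]

# (read, write, execute, special bit, special letter) for owner, group, other
_TRIADS = [
    (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID, "s"),
    (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID, "s"),
    (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX, "t"),
]

def parse_mode(mode_str):
    """Turn a 10-character ls mode string such as '-rwsrwxr-x' into permission bits."""
    if len(mode_str) != 10:
        raise ValueError("expected 10 characters: %r" % mode_str)
    mode = 0
    for i, (r, w, x, special, letter) in enumerate(_TRIADS):
        rc, wc, xc = mode_str[1 + 3 * i: 4 + 3 * i]
        if rc == "r":
            mode |= r
        if wc == "w":
            mode |= w
        if xc in ("x", letter):    # lowercase s/t: the execute bit is set too
            mode |= x
        if xc.lower() == letter:   # s/S or t/T: the special bit itself
            mode |= special
    return mode

def audit_line(line):
    """Summarise one `ls -l` line; the file name may contain spaces."""
    mode_str, _n, owner, _group, _size, _mon, _day, _time, name = line.split(None, 8)
    mode = parse_mode(mode_str)
    setuid = bool(mode & stat.S_ISUID)
    return {
        "name": name,
        "octal": format(mode, "04o"),
        "runs_as": owner if setuid else "invoking user",
        "other_can_execute": bool(mode & stat.S_IXOTH),
        "setuid_root": setuid and owner == "root",
    }

def audit(listing=THREAD_LISTING):
    """Audit every line of a listing (defaults to the thread's two lines)."""
    return [audit_line(line) for line in listing]
```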