  #1  
Old September 14th, 2002, 06:44 PM
profx's Avatar
ill never 4get watsisname
 
Join Date: May 2001
Location: Auckland New Zealand
Posts: 386
severe security issue with Mac OS X 10.2

This is an email that was forwarded to me:

There is a severe security issue with Mac OS X 10.2 Jaguar, which allows
any user of the system to navigate through the entire filesystem, and
possibly overwrite any file. The security issue lies within the "NetInfo
Manager" application, which is setuid root. Whenever a user runs this
application, the entire application is running as root.

Therefore, if the user runs "NetInfo Manager" and chooses to print the
window content by choosing "Domain: Print", the Print dialog is running
as root? By choosing to "Save as PDF", the associated file manager
window is itself running as root, thus allowing the user to navigate all
files on the connected hard disks. Moreover, by creating a filesystem
link to any file of the filesystem, calling the link "dummy.pdf", and
then saving the PDF over this link, the user is then allowed to
overwrite the contents of any file of the filesystem, including system
files or files owned by other users on the system.

Although this security hole cannot be used to gain privileged status
with a clean install of Jaguar, it might be possible for a malicious
user to install a custom Print Driver of his choosing, which could, for
example, run a copy of Terminal.app as root, thus allowing the attacker
to gain root access.

A similar security issue has already been discovered a few months ago,
where running "NetInfo Manager" allowed any user to become root while
choosing a program from the Apple menu. Setuid applications have severe
security implications, this should not be forgotten.

Also, note that from all the programs shipped with Jaguar which are
setuid root, NetInfo Manager is the only program which does not "drop
privileges".

I am hoping that a security fix will be available as soon as possible.
For the good of the community, I am not going to divulge this security
issue for a reasonable period of time or until you provide a fix or
publish a technical note about it, whichever comes first. Do not
hesitate to contact me should you need more information about this
problem,

E-Secure-IT Administrator
http://www.e-secure-it.co.nz
__________________
| PowerBook G4 550 - 10.4 - 512Mb - 20Gb | 30Gb iPod Photo | 40x12x48 Fantom Drives CDRW (firewire) | Logitech Cordless Mouse MX700 | xBox with XBMC for movies and music in the lounge
Reply With Quote
  #2  
Old September 14th, 2002, 07:55 PM
Captain Code's Avatar
Moderator
 
Join Date: Aug 2001
Location: Ontario, Canada
Posts: 3,107
I don't believe this is true. Apple fixed this AFAIK, in 10.1 or earlier.

Originally Netinfo Manager ran as root, but I don't believe it does now.
__________________
MacBook Pro 2.16GHz Core2Duo 3GB RAM, G4 1.4GHz OSX Tiger 1.25GB RAM, Dual 2GHz G5 OSX Tiger 2GB RAM (freakin shweet)
Athlon 64 Windoze XP for school work (programming) 1GB RAM
dferns@macosx.com
  #3  
Old September 14th, 2002, 09:14 PM
davidbrit2's Avatar
Licensed Computer Geek
 
Join Date: Sep 2000
Location: Michigan, USA
Posts: 787
Ooh, that's kinda freaky...

Code:
[NetInfo Manager.app/Contents/MacOS] dave% ls -l
total 176
-rwsrwxr-x    1 root     admin      176956 Sep  8 17:16 NetInfo Manager
[NetInfo Manager.app/Contents/MacOS] dave%
This is with a clean 10.2 install, and Repair Permissions done this morning. Shudder...

Still, when NetInfo Manager invokes the printing components, do those get launched as root, too? Or do they come up under the proper user? I'll have to do some research with ps -auxw, I think...
__________________
You can have my iBook when you pry it from my cold, dead fingers.
iBook - The computer of choice for the enlightened CS major. Come on Apple, let me do a commercial. ;-)
"An alloc a day keeps the DRAM away!"
  #4  
Old September 14th, 2002, 10:48 PM
genghiscohen's Avatar
Membrum virile
 
Join Date: Sep 2001
Location: Sea of Tranquility
Posts: 805
Those permissions are the same as for anything that requires admin authentication. "Any user" can't do squat, as per the "r-x" in the third permission area.
Sure, there are security issues with OS X, but primarily only if you have physical access to the machine (unlike Windows).
__________________
--
"No left turn unstoned."
(PowerBook 15" 1.5 GHz/80/1.5 GB, eMac 1 GHz/80/768 MB, SuperDrive, 250 GB FireWire HD, Lexmark Z65 printer, Epson Perfection 1200U scanner)
  #5  
Old September 15th, 2002, 02:06 AM
Registered User
 
Join Date: Jan 2002
Posts: 358
JeffCGD is on a distinguished road
Holy hell. Running as root.

Dammit. Netinfo is running as root.
Not good.
__________________
Hardware Specs: Mac Mini 1.42GHz w/512MB RAM & Combo drive running Mac OSX 10.4.11 Tiger. 21" Dell (Trinitron) Monitor. Logitech MX610 2.4GHz wireless laser mouse. Powered USB 1.1 4 port hub.
  #6  
Old September 15th, 2002, 02:37 AM
Krevinek's Avatar
Evil PPC Tweaker
 
Join Date: Oct 2001
Posts: 645
Ah holy hell, the entire Utilities folder is owned by root! My terminal app is vulnerable! My system is insecure!
</sarcasm>

This e-mail is a hoax. This e-mail is a fraud, and just trying to scare the crud out of someone who doesn't know any better.

When you execute a program, it is run with YOUR permissions, no matter who owns it. So if your user name is 'foo' and root owns NetInfo, when you launch the app, it is run by 'foo', with 'foo's permissions. Now, the moment I authenticate the program by giving it an admin username+password, it DOES get run by 'root' and has root's permission. This is no different from using 'sudo' from the terminal.

Software Update, MindVision, etc... can all run as root if they ask for an admin password. When you installed MSN Messenger 3.0, the installer was running as root after you gave it a password. This is no hole, it is how things work. To get permissions to do certain things, you need to ask for an admin username and password. Once that is done, you get permissions.

People CANNOT run NetInfo as root without authenticating the app (the little lock button) and giving an admin's username and password. If you don't want them to be able to alter your NetInfo settings, or your System preferences, don't give them an admin account. Simple as that.

Any questions?
__________________
iMac G5 2.0Ghz (10.4.x, Main System)
MacBook 1.83Ghz (...February)
"Sometimes I drive to run from all my demons \ Sometimes I drive so I can be alone \ Sometimes I drive to see the world in different light \ Sometimes I drive for no reason at all" - Assemblage 23, Drive
  #7  
Old September 15th, 2002, 08:47 AM
davidbrit2's Avatar
Licensed Computer Geek
 
Join Date: Sep 2000
Location: Michigan, USA
Posts: 787
Yes, most applications are owned by root, but there's a small detail you've overlooked...

Terminal:
Code:
[Terminal.app/Contents/MacOS] dave% ls -l
total 292
-rwxrwxr-x    1 root     admin      295136 Sep  8 17:13 Terminal
NetInfo Manager:
Code:
[NetInfo Manager.app/Contents/MacOS] dave% ls -l
total 176
-rwsrwxr-x    1 root     admin      176956 Sep  8 17:16 NetInfo Manager
Compare the permissions carefully:
-rwxrwxr-x Terminal
-rwsrwxr-x NetInfo Manager

Notice how the owner execute permission for NetInfo Manager is 's' rather than the customary x? That means the setuid bit is on. The setuid bit causes the executable to be launched AS the owner. This is actually pretty common in UNIX. Even the ps command does this. It's just a little creepy to see an application as versatile as NetInfo Manager being launched in god mode. One small security hole in that big application, and the entire system could be vulnerable.
__________________
You can have my iBook when you pry it from my cold, dead fingers.
iBook - The computer of choice for the enlightened CS major. Come on Apple, let me do a commercial. ;-)
"An alloc a day keeps the DRAM away!"
Reply With Quote
  #8  
Old September 15th, 2002, 12:32 PM
Krevinek's Avatar
Evil PPC Tweaker
 
Join Date: Oct 2001
Posts: 645
Hmm... that *IS* rather unusual, but since I don't have Jag installed, I haven't encountered it in person yet. However, I don't see what is stopping people from changing the setuid permission into a regular execute permission and letting the app run like normal. It still authenticates, right?

Still, it is hard to determine how this could be exploited... install a custom printer driver? HA! You have to authenticate for that, as it isn't handled directly by Print Center, but rather by Installer.

Anyone actually see a possible hole here other than the potential for overwritten data?
__________________
iMac G5 2.0Ghz (10.4.x, Main System)
MacBook 1.83Ghz (...February)
"Sometimes I drive to run from all my demons \ Sometimes I drive so I can be alone \ Sometimes I drive to see the world in different light \ Sometimes I drive for no reason at all" - Assemblage 23, Drive

Last edited by Krevinek; September 15th, 2002 at 12:42 PM.