  1. #1
    profx (Join Date: May 2001; Location: Auckland New Zealand; Posts: 386)

    severe security issue with Mac OS X 10.2

    This is an email that was forwarded to me:

    There is a severe security issue with Mac OS X 10.2 Jaguar, which allows
    any user of the system to navigate through the entire filesystem, and
    possibly overwrite any file. The security issue lies within the "NetInfo
    Manager" application, which is setuid root. Whenever a user runs this
    application, the entire application is running as root.

    Therefore, if the user runs "NetInfo Manager" and chooses to print the
    window content by choosing "Domain: Print", the Print dialog is running
    as root. By choosing to "Save as PDF", the associated file manager
    window is itself running as root, thus allowing the user to navigate all
    files on the connected hard disks. Moreover, by creating a filesystem
    link to any file of the filesystem, calling the link "dummy.pdf", and
    then saving the PDF over this link, the user is then allowed to
    overwrite the contents of any file of the filesystem, including system
    files or files owned by other users on the system.

    Although this security hole cannot be used to gain privileged status
    with a clean install of Jaguar, it might be possible for a malicious
    user to install a custom Print Driver of his choosing, which could, for
    example, run a copy of Terminal.app as root, thus allowing the attacker
    to gain root access.

    A similar security issue has already been discovered a few months ago,
    where running "NetInfo Manager" allowed any user to become root while
    choosing a program from the Apple menu. Setuid applications have severe
    security implications, this should not be forgotten.

    Also, note that from all the programs shipped with Jaguar which are
    setuid root, NetInfo Manager is the only program which does not "drop
    privileges".

    I am hoping that a security fix will be available as soon as possible.
    For the good of the community, I am not going to divulge this security
    issue for a reasonable period of time or until you provide a fix or
    publish a technical note about it, whichever comes first. Do not
    hesitate to contact me should you need more information about this
    problem,

    E-Secure-IT Administrator
    http://www.e-secure-it.co.nz
    | PowerBook G4 550 - 10.4 - 512Mb - 20Gb | 30Gb iPod Photo | 40x12x48 Fantom Drives CDRW (firewire) | Logitech Cordless Mouse MX700 | xBox with XBMC for movies and music in the lounge

  2. #2
    Captain Code (Join Date: Aug 2001; Location: Ontario, Canada; Posts: 3,120)

    I don't believe this is true. Apple fixed this AFAIK, in 10.1 or earlier.

    Originally Netinfo Manager ran as root, but I don't believe it does now.
    MacBook Pro 2.16GHz Core2Duo 3GB RAM, G4 1.4GHz OSX Tiger 1.25GB RAM, Dual 2GHz G5 OSX Tiger 2GB RAM (freakin shweet)
    Athlon 64 Windoze XP for school work (programming) 1GB RAM
    dferns@macosx.com

  3. #3
    davidbrit2 (Join Date: Sep 2000; Location: Michigan, USA; Posts: 787)

    Ooh, that's kinda freaky...

    Code:
    [NetInfo Manager.app/Contents/MacOS] dave% ls -l
    total 176
    -rwsrwxr-x    1 root     admin      176956 Sep  8 17:16 NetInfo Manager
    [NetInfo Manager.app/Contents/MacOS] dave%
    This is with a clean 10.2 install, and Repair Permissions done this morning. Shudder...

    Still, when NetInfo Manager invokes the printing components, do those get launched as root, too? Or do they come up under the proper user? I'll have to do some research with ps -auxw, I think...
    You can have my iBook when you pry it from my cold, dead fingers.
    iBook - The computer of choice for the enlightened CS major. Come on Apple, let me do a commercial. ;-)
    "An alloc a day keeps the DRAM away!"

  4. #4
    genghiscohen (Join Date: Sep 2001; Location: Sea of Tranquility; Posts: 805)

    Those permissions are the same as for anything that requires admin authentication. "Any user" can't do squat, as per the "r-x" in the third permission area.
    Sure, there are security issues with OS X, but primarily only if you have physical access to the machine (unlike Windows).
    --
    "No left turn unstoned."
    (PowerBook 15" 1.5 GHz/80/1.5 GB, eMac 1 GHz/80/768 MB, SuperDrive, 250 GB FireWire HD, Lexmark Z65 printer, Epson Perfection 1200U scanner)

  5. #5
    JeffCGD (Join Date: Jan 2002; Posts: 432)

    Holy hell. Running as root.

    Dammit. Netinfo is running as root.
    Not good.
    Hardware Specs: 27" i5 Intel iMac w/4Gb RAM running Mac OSX 10.6.4 SnowLeopard.

  6. #6
    Krevinek (Join Date: Oct 2001; Posts: 645)

    Ah holy hell, the entire Utilities folder is owned by root! My terminal app is vulnerable! My system is insecure!
    </sarcasm>

    This e-mail is a hoax. This e-mail is a fraud, and just trying to scare the crud out of someone who doesn't know any better.

    When you execute a program, it is run with YOUR permissions, no matter who owns it. So if your user name is 'foo' and root owns NetInfo, when you launch the app, it is run by 'foo', with 'foo's permissions. Now, the moment I authenticate the program by giving it an admin username+password, it DOES get run by 'root' and has root's permission. This is no different from using 'sudo' from the terminal.

    Software Update, MindVision, etc... can all run as root if they ask for an admin password. When you installed MSN Messenger 3.0, the installer was running as root after you gave it a password. This is no hole, it is how things work. To get permissions to do certain things, you need to ask for an admin username and password. Once that is done, you get permissions.

    People CANNOT run NetInfo as root without authenticating the app (the little lock button) and giving an admin's username and password. If you don't want them to be able to alter your NetInfo settings, or your System preferences, don't give them an admin account. Simple as that.

    Any questions?
    iMac G5 2.0Ghz (10.4.x, Main System)
    MacBook 1.83Ghz (...February)
    "Sometimes I drive to run from all my demons \ Sometimes I drive so I can be alone \ Sometimes I drive to see the world in different light \ Sometimes I drive for no reason at all" - Assemblage 23, Drive

  7. #7
    davidbrit2 (Join Date: Sep 2000; Location: Michigan, USA; Posts: 787)

    Yes, most applications are owned by root, but there's a small detail you've overlooked...

    Terminal:
    Code:
    [Terminal.app/Contents/MacOS] dave% ls -l
    total 292
    -rwxrwxr-x    1 root     admin      295136 Sep  8 17:13 Terminal
    NetInfo Manager:
    Code:
    [NetInfo Manager.app/Contents/MacOS] dave% ls -l
    total 176
    -rwsrwxr-x    1 root     admin      176956 Sep  8 17:16 NetInfo Manager
    Compare the permissions carefully:
    -rwxrwxr-x Terminal
    -rwsrwxr-x NetInfo Manager

    Notice how the owner execute permission for NetInfo Manager is 's' rather than the customary x? That means the setuid bit is on. The setuid bit causes the executable to be launched AS the owner. This is actually pretty common in UNIX. Even the ps command does this. It's just a little creepy to see an application as versatile as NetInfo Manager being launched in god mode. One small security hole in that big application, and the entire system could be vulnerable.
    You can have my iBook when you pry it from my cold, dead fingers.
    iBook - The computer of choice for the enlightened CS major. Come on Apple, let me do a commercial. ;-)
    "An alloc a day keeps the DRAM away!"
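
The comparison in the post above can be automated. The following is an added example, not part of any post in the thread: it decodes the execute slots of `ls -l` mode strings, using the two listings quoted in the thread as sample input, and reports whose identity each binary runs under. The function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): decode the execute slots of an
# `ls -l` mode string to see whose identity a launched binary runs under.

classify_mode() {
    # $1 = mode string such as -rwsrwxr-x, $2 = owner, $3 = group
    owner_x=$(printf '%s' "$1" | cut -c4)
    group_x=$(printf '%s' "$1" | cut -c7)
    other_x=$(printf '%s' "$1" | cut -c10)

    # Who may launch the file at all?
    case $other_x in
        x|t) who="any local user" ;;
        *)   case $group_x in
                 x|s) who="owner and group $3" ;;
                 *)   who="owner only" ;;
             esac ;;
    esac

    # 's' or 'S' in the owner-execute slot means the setuid bit is set,
    # so the process gets the file owner's effective UID.
    case $owner_x in
        s|S) printf 'setuid: runs as %s when launched by %s\n' "$2" "$who" ;;
        *)   printf 'no setuid: runs as the launching user (%s may launch)\n' "$who" ;;
    esac
}

audit_listing() {
    # Reads `ls -l` output on stdin and skips the "total N" line.
    while read -r mode links owner group size mon day time name; do
        [ "$mode" = total ] && continue
        printf '%s: %s\n' "$name" "$(classify_mode "$mode" "$owner" "$group")"
    done
}

sample_listing() {
    # The two listings quoted in the thread, combined into one input.
    cat <<'EOF'
total 176
-rwsrwxr-x    1 root     admin      176956 Sep  8 17:16 NetInfo Manager
-rwxrwxr-x    1 root     admin      295136 Sep  8 17:13 Terminal
EOF
}

sample_listing | audit_listing
```

To audit a live system, pipe real listings into it, for example `find DIR -type f -perm -4000 -exec ls -l {} + | audit_listing`, where DIR is the directory to check.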

  8. #8
    Krevinek (Join Date: Oct 2001; Posts: 645)

    Hmm... that *IS* rather unusual, but since I don't have Jag installed, I haven't encountered it in person yet. However, I don't see what is stopping people from changing the setuid permission into a regular execute permission and letting the app run like normal. It still authenticates, right?

    Still, it is hard to determine how this could be exploited... install a custom printer driver? HA! You have to authenticate for that, as it isn't handled directly by Print Center, but rather by Installer.

    Anyone actually see a possible hole here other than the potential for overwritten data?
    Last edited by Krevinek; September 15th, 2002 at 12:42 PM.
    iMac G5 2.0Ghz (10.4.x, Main System)
    MacBook 1.83Ghz (...February)
    "Sometimes I drive to run from all my demons \ Sometimes I drive so I can be alone \ Sometimes I drive to see the world in different light \ Sometimes I drive for no reason at all" - Assemblage 23, Drive
