severe security issue with Mac OS X 10.2

profx

ill never 4get watsisname
This is an email that was forwarded to me:

There is a severe security issue with Mac OS X 10.2 Jaguar, which allows
any user of the system to navigate through the entire filesystem, and
possibly overwrite any file. The security issue lies within the "NetInfo
Manager" application, which is setuid root. Whenever a user runs this
application, the entire application is running as root.

Therefore, if the user runs "NetInfo Manager" and chooses to print the
window content by choosing "Domain: Print", the Print dialog is running
as root. By choosing to "Save as PDF", the associated file manager
window is itself running as root, thus allowing the user to navigate all
files on the connected hard disks. Moreover, by creating a filesystem
link to any file of the filesystem, calling the link "dummy.pdf", and
then saving the PDF over this link, the user is then allowed to
overwrite the contents of any file of the filesystem, including system
files or files owned by other users on the system.

Although this security hole cannot be used to gain privileged status
with a clean install of Jaguar, it might be possible for a malicious
user to install a custom Print Driver of his choosing, which could, for
example, run a copy of Terminal.app as root, thus allowing the attacker
to gain root access.

A similar security issue has already been discovered a few months ago,
where running "NetInfo Manager" allowed any user to become root while
choosing a program from the Apple menu. Setuid applications have severe
security implications; this should not be forgotten.

Also, note that of all the programs shipped with Jaguar which are
setuid root, NetInfo Manager is the only program which does not "drop
privileges".

I am hoping that a security fix will be available as soon as possible.
For the good of the community, I am not going to divulge this security
issue for a reasonable period of time or until you provide a fix or
publish a technical note about it, whichever comes first. Do not
hesitate to contact me should you need more information about this
problem,

E-Secure-IT Administrator
http://www.e-secure-it.co.nz
 
I don't believe this is true. Apple fixed this AFAIK, in 10.1 or earlier.

Originally Netinfo Manager ran as root, but I don't believe it does now.
 
Ooh, that's kinda freaky...

Code:
[NetInfo Manager.app/Contents/MacOS] dave% ls -l
total 176
-rwsrwxr-x    1 root     admin      176956 Sep  8 17:16 NetInfo Manager
[NetInfo Manager.app/Contents/MacOS] dave%

This is with a clean 10.2 install, and Repair Permissions done this morning. Shudder...

Still, when NetInfo Manager invokes the printing components, do those get launched as root, too? Or do they come up under the proper user? I'll have to do some research with ps -auxw, I think...
 
Those permissions are the same as for anything that requires admin authentication. "Any user" can't do squat, as per the "r-x" in the third permission area.
Sure, there are security issues with OS X, but primarily only if you have physical access to the machine (unlike Windows).
 
Ah holy hell, the entire Utilities folder is owned by root! My terminal app is vulnerable! My system is insecure!
</sarcasm>

This e-mail is a hoax. This e-mail is a fraud, and just trying to scare the crud out of someone who doesn't know any better.

When you execute a program, it is run with YOUR permissions, no matter who owns it. So if your user name is 'foo' and root owns NetInfo, when you launch the app, it is run by 'foo', with 'foo's permissions. Now, the moment I authenticate the program by giving it an admin username+password, it DOES get run by 'root' and has root's permission. This is no different from using 'sudo' from the terminal.

Software Update, MindVision, etc... can all run as root if they ask for an admin password. When you installed MSN Messenger 3.0, the installer was running as root after you gave it a password. This is no hole, it is how things work. To get permissions to do certain things, you need to ask for an admin username and password. Once that is done, you get permissions.

People CANNOT run NetInfo as root without authenticating the app (the little lock button) and giving an admin's username and password. If you don't want them to be able to alter your NetInfo settings, or your System preferences, don't give them an admin account. Simple as that.

Any questions?
 
Yes, most applications are owned by root, but there's a small detail you've overlooked...

Terminal:
Code:
[Terminal.app/Contents/MacOS] dave% ls -l
total 292
-rwxrwxr-x    1 root     admin      295136 Sep  8 17:13 Terminal

NetInfo Manager:
Code:
[NetInfo Manager.app/Contents/MacOS] dave% ls -l
total 176
-rwsrwxr-x    1 root     admin      176956 Sep  8 17:16 NetInfo Manager

Compare the permissions carefully:
-rwxrwxr-x Terminal
-rwsrwxr-x NetInfo Manager

Notice how the owner execute permission for NetInfo Manager is 's' rather than the customary x? That means the setuid bit is on. The setuid bit causes the executable to be launched AS the owner. This is actually pretty common in UNIX. Even the ps command does this. It's just a little creepy to see an application as versatile as NetInfo Manager being launched in god mode. One small security hole in that big application, and the entire system could be vulnerable.
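The comparison above was done by eye on two `ls -l` lines. The following script, added here as an example and not posted by anyone in the thread, does the same audit over a whole directory tree: it lists every set-user-ID file, reports which of them are owned by root, and flags the ones that are also executable by "other". It assumes POSIX sh with find(1), ls(1) and awk(1); the demo tree it builds is constructed for illustration and no real system files are touched.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a directory tree for
# set-user-ID executables, the check the posters above did by hand with
# `ls -l`. Assumes POSIX sh, find(1), ls(1) and awk(1); the demo tree at
# the bottom is constructed for illustration.

# is_setuid FILE: true when FILE carries the set-user-ID bit (the 's' in -rws).
is_setuid() {
    [ -u "$1" ]
}

# owner_of FILE: owning user name, taken from the third column of ls -l
# (stat(1) syntax differs between macOS and GNU, so ls is the portable choice).
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# world_executable FILE: true when "other" has execute permission, i.e. the
# tenth character of the ls -l mode string is x (or t). This is the bit a
# chmod o-x would remove.
world_executable() {
    case $(ls -ld "$1" | cut -c10) in
        x|t) return 0 ;;
        *)   return 1 ;;
    esac
}

# list_setuid DIR: print "owner<TAB>path" for every setuid regular file
# under DIR. -perm -4000 matches files with the setuid bit set.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        printf '%s\t%s\n' "$(owner_of "$f")" "$f"
    done
}

# count_setuid_root DIR: how many of those are owned by root, i.e. programs
# that run with root's privileges for whoever is allowed to execute them.
count_setuid_root() {
    list_setuid "$1" | awk -F'\t' '$1 == "root"' | wc -l | tr -d ' '
}

# Demonstration on a constructed tree: one ordinary app, one setuid app,
# named after the two binaries compared above.
demo_dir=$(mktemp -d)
touch "$demo_dir/Terminal" "$demo_dir/NetInfo Manager"
chmod 775 "$demo_dir/Terminal"
chmod 4775 "$demo_dir/NetInfo Manager"
list_setuid "$demo_dir"
printf 'setuid files owned by root: %s\n' "$(count_setuid_root "$demo_dir")"
if world_executable "$demo_dir/NetInfo Manager"; then
    printf 'note: setuid file is executable by everyone\n'
fi
rm -rf "$demo_dir"
```

Run `list_setuid /Applications/Utilities` (or any other tree) to see the real picture on a system; a setuid file that is owned by root and also world-executable is the combination that deserves the kind of scrutiny this thread gives NetInfo Manager.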
 
Hmm... that *IS* rather unusual, but since I don't have Jag installed, I haven't encountered it in person yet. However, I don't see what is stopping people from changing the setuid permission into a regular execute permission and letting the app run like normal. It still authenticates, right?

Still, it is hard to determine how this could be exploited... install a custom printer driver? HA! You have to authenticate for that, as it isn't handled directly by Print Center, but rather by Installer.

Anyone actually see a possible hole here other than the potential for overwritten data?
 
Since the program would write its preference file as root, you could make com.apple.NetInfoManager.plist a symlink to anything on the disk. When NetInfo Manager goes to write its preferences, they'll get tossed over top of whatever you want. I haven't thought of any way to write arbitrary data, but this could at least be used to destroy the system.

You could probably make the program safer by removing the 'other' execute permission (chmod o-x) so that only root or Administrators can run it.
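The preference-file scenario in the post above is the classic symlink hazard: a privileged process writes to a path the unprivileged user controls. The script below is an added example, not code from the thread or from Apple, showing how a writer can avoid following a planted link: it refuses a path that is currently a symlink, then writes through a temporary file and renames it into place, since rename(2) replaces the directory entry rather than following it. It assumes POSIX sh with mktemp(1); the victim and preference file names in the demo are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: write a preferences file without
# following a pre-planted symlink, the hazard described above for
# com.apple.NetInfoManager.plist when the writer runs as root. Assumes POSIX
# sh with mktemp(1); the file names in the demo are constructed.

# safe_write PATH CONTENT
# 1. Refuse outright if PATH is currently a symlink (test -L uses lstat).
# 2. Write CONTENT to a fresh temp file in the same directory.
# 3. mv it over PATH. Within one filesystem mv uses rename(2), which
#    replaces the directory entry itself, so a link planted between
#    step 1 and step 3 is replaced rather than followed.
safe_write() {
    path=$1
    content=$2
    dir=$(dirname "$path")
    if [ -L "$path" ]; then
        printf 'safe_write: refusing to write through symlink: %s\n' "$path" >&2
        return 1
    fi
    tmp=$(mktemp "$dir/.prefs.XXXXXX") || return 1
    if printf '%s\n' "$content" > "$tmp" && mv -f "$tmp" "$path"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Demonstration on constructed files: a "victim" file and a preference
# path that has been replaced by a link pointing at it.
demo=$(mktemp -d)
printf 'important system data\n' > "$demo/victim"
ln -s "$demo/victim" "$demo/com.example.prefs.plist"
if ! safe_write "$demo/com.example.prefs.plist" '<plist/>'; then
    printf 'victim still reads: %s\n' "$(cat "$demo/victim")"
fi
safe_write "$demo/com.example.real.plist" '<plist/>' && \
    printf 'wrote: %s\n' "$(cat "$demo/com.example.real.plist")"
rm -rf "$demo"
```

The check-and-rename pattern only limits the damage; the real fix is the one the forwarded e-mail points at, which is for a setuid program to drop back to the real user's privileges before it touches any path that user controls, so that a preference write cannot clobber anything the user could not already overwrite.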
 
I personally would see how it runs (and if it works) without the setuid bit. I have doubts that it truly needs it myself.
 
This email was posted to Bugtraq. It is not the old netinfo-terminal root exploit.

It does however require the insane step of making a custom printer driver (!) that then loads the terminal as root. Pretty damn unlikely.

I'm sure apple will fix it but it is NOT a severe bug. It is a nearly impossible to exploit bug.
 
Okay, so lemme get this straight... the user has to write a custom printer driver, GET THAT INSTALLED (How? Social Engineering is required, or having an Admin password, which makes the whole exploit moot), then print something from an app such as NetInfo being run as root...

Until I see a method of getting a custom printer driver installed WITHOUT at least admin privs, or an admin password, this exploit cannot be taken advantage of to get root access in the terminal. If they had either, they already CAN get root access in the terminal with that admin password.

Yes, it is bad that this app is running as root. I just don't see how it could be used for anything but file-destroying purposes.
 
Originally posted by Krevinek
Yes, it is bad that this app is running as root. I just don't see how it could be used for anything but file-destroying purposes.

Krevinek, while I agree with the mechanical analysis completely, I do not agree with your liability assessment. Data destruction is pretty darn bad. Like, oh, printing to a PDF called "/bin/tcsh" :p

And it's true you need physical access to the computer, in which case one can just boot to a CD and mess about. But then again I don't like to leave loose ends lying about, no matter how small.
 
True... I am just saying this isn't quite as bad as people think it could be ;)

After all, don't I need physical access or VNC to control NetInfo to do the deed? Apple will take their time on this one... maybe a Sept Security Update will address it.
 
Oh yeah, I'm not bugging out; just giving my $0.02, and I agree that Apple will pro'lly do something about it in the near future. :cool:
 