Mac OS X /sbin/service Path Subversion Privilege Escalation

2007-01-21T10:48:45
ID OSVDB:31605
Type osvdb
Reporter Kevin Finisterre (kf@digitalmunition.com)
Modified 2007-01-21T10:48:45

Description

Vulnerability Description

Mac OS X contains a flaw that may allow a malicious user to gain unauthorized privileges. The issue is triggered when 'writeconfig' fails to sanitize the PATH environment variable, allowing an attacker to direct the utility to a malicious launchctl executable. This flaw may lead to a loss of integrity.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

References:

Vendor Specific News/Changelog Entry: http://docs.info.apple.com/article.html?artnum=305391
Vendor Specific Advisory URL
Vendor Specific Advisory URL
Security Tracker: 1017941
Secunia Advisory ID: 23793
Secunia Advisory ID: 24966
Other Advisory URL: http://lists.apple.com/archives/Security-announce/2007/Apr/msg00001.html
Other Advisory URL: http://projects.info-pull.com/moab/MOAB-21-01-2007.html
ISS X-Force ID: 31677
FrSIRT Advisory: ADV-2007-1470
FrSIRT Advisory: ADV-2007-0074
CVE-2007-0022
Bugtraq ID: 22148