macosxsetuidroot.txt

2001-10-24T00:00:00
ID PACKETSTORM:25379
Type packetstorm
Reporter securemac.com
Modified 2001-10-24T00:00:00

Description

                                        
                                            `Dump to text file if you find easier.  
  
http://www.securemac.com/macosxsetuidroot.php  
  
Operating System: Max OS X Version Affected: up to 10.1  
  
Security Risk: High  
Remote: No  
Fixed: No  
  
About:  
Mac OS X over the past few months have started to splout security  
concerns, this being one of the first most publicized attacks on the  
operating system. Once logged into Mac OS X, any user can obtain a root  
shell by executing a few simple applications in specific order.  
  
Mac OS X is already on computers in every sort of nature, even after the  
administrator sets up multiple accounts with specific privledges keeping  
the user from hacking a root prompt is not that simple.  
  
Take a look at the vulnerability, afterwards we will describe how this  
actually happens.  
  
Vulnerability:  
  
1. Open up the Terminal.app  
2. Quit it.  
3. Open up NetInfo Manager (leave it in the foreground)  
4. Open up Terminal.app from the *RECENT ITEMS* list in the Apple Menu.  
  
You will now see a terminal logged in as root shown with the # prompt,  
this is because the application NetInfo Manager has root privledges and  
told to be executed by the user with the systems allowance. There is a  
misinterpritation of which user is logged in because a root privledged  
program is running, thus by opening the Terminal.app from the recent items  
you are brought to a root prompt.  
  
Picture this: You walk through security with a secret agent, the officer  
does a ID check to see if the agent have high enough status to carry a  
weapon, he lets you and the agent in with the understanding that only the  
agent can carry or use the weapon. Once you are in you take the weapon  
from the agent, you do this because the person associated with you have  
the rights, suddenly you have more power. You shouldn't because the access  
was given to the one agent.  
  
Apple should and will with the next update disable the security risk of  
gaining root privledges from other programs. Bookmark this page to see  
updates and user responces.  
  
http://www.securemac.com/macosxsetuidroot.php  
  
  
  
FIX! Apple has released a fix for this security issue, to fix the vulnerability simply launch Apple's Software  
Update utility and start the download or download the fixes file here . Once download is complete and  
update is finished you must restart for changes to take effect. This wil fix the security issue discussed within  
this document.  
  
It is said that this apparently is the case with all setuid root applications... Not good.... Submitted by Eric.C  
  
You can temporarily patch this problem by going into a command shell and change the permissions of the  
Setuid applications so that only root account and admin group have privileges to execute the program. Do  
this by using the sudo command and chmod 770 setuid.app. This takes away all privileges to any user that  
isn't root or admin. - will@pnl  
  
Another user suggests keeping the password protected screensaver activated when away from the  
computer, this will help to stop users from accessing the computer yet fails to stop users with accounts from  
obtaining root privileges.  
  
`