mytvx-root.txt

`Version 1.0  
October 1996  
CERT(R) Coordination Center  
Product Vulnerability Reporting Form  
  
CONTACT INFORMATION  
========================================================================   
=======  
  
Name : David Wharton  
E-mail : [email protected]  
Phone / fax :  
Affiliation and address: Information Security Graduate Student at   
Georgia Tech (http://www.cc.gatech.edu/education/grad/ms-infosec)  
  
  
Have you reported this to the vendor? [yes/no] yes  
  
If so, please let us know whom you've contacted:  
  
Date of your report : 5 Apr 2007  
Vendor contact name : Pedro Muniz  
Vendor contact phone :  
Vendor contact e-mail : [email protected] (April 5, 2007),   
[email protected] (April 18, 2007, May 10, 2007)  
Vendor reference number :  
  
  
POLICY INFO  
========================================================================   
=======  
We encourage communication between vendors and their customers. When  
we forward a report to the vendor, we include the reporter's name and  
contact information unless you let us know otherwise.  
  
If you want this report to remain anonymous, please check here:  
  
___ Do not release my identity to your vendor contact.  
  
  
TECHNICAL INFO  
========================================================================   
=======  
If there is a CERT Vulnerability tracking number please put it  
here (otherwise leave blank): VU#______.  
  
  
Please describe the vulnerability.  
Summary:  
MyTV/x Version 3.6.6 & 4.0.8 for MyTV.PVR allows local authentication   
bypass and root access on Apple Mac OS X.  
  
Details:  
MyTV/x Version 3.6.6 & 4.0.8 for MyTV.PVR is the software that ships   
with MyTV, a Personal Video Recorder (PVR) manufactured by Escape   
Labs (http://www.eskapelabs.com/mytv.html). MyTV.PVR is an external   
hardware device that connects to a computer via USB. The PVR   
hardware can receive infrared signals and this is designed to support   
input from a channel changer. However, when a computer running MyTV/   
x version 3.6.6 or 4.0.8 on Apple Mac OS X (I have confirmed this is   
true for 10.4.9-10.4.11 but dot not know about other versions of OS   
X) starts up, a local user can, without authenticating, cause the   
MyTV/x software to launch as root. When the program launches, it   
brings up the MyTV/x menus along with the Apple menu. From the Apple   
menu, you can open up System Preferences and because you are running   
as root, you can add (and remove) users, including Administrators.   
After fooling around with it, I was able to get to the Finder, open a   
shell, and verify that root access had been gained.  
  
Steps To Reproduce:  
1) Install MyTV/x Version 3.6.6 or 4.0.8 and attach (and power on)   
MyTV.PVR.  
2) (Re)boot.  
3) When the authentication "window" comes up asking you to log in to   
OS X, point the channel changer (this is included with MyTV.PVR) at   
the PVR device and press the "Power" button.  
4) MyTV/x launches (as root) and gives access to the Apple menu which   
gives access to the entire computer.  
  
What is the impact of this vulnerability?  
- -----------------------------------------  
  
a) What is the specific impact:  
Local user can gain root access without doing any authentication  
b) How would you envision it being used in an attack scenario:  
Well, you have to have physical access and be running the vulnerable   
software as well as its associated hardware but if the situation is   
right, root access can be gained and then there are a myriad of   
possibilities....  
  
To your knowledge is the vulnerability currently being exploited?  
- -----------------------------------------------------------------  
[yes/no] no  
  
If there is an exploitation script available, please include it here.  
- ---------------------------------------------------------------------  
  
Do you know what systems and/or configurations are vulnerable?  
- --------------------------------------------------------------  
[yes/no] (If yes, please list them below)  
  
yes  
  
System : Apple Mac  
OS version : 10.4.9, 10.4.11  
Verified/Guessed: verified 10.4.9, 10.4.10, 10.4.11, guessed 10.x  
  
Software: MyTV/x Version 3.6.6 (http://www.eskapelabs.com/files/CD-   
MYPVR-V1.4.dmg.gz)  
MyTV/x Version 4.0.8  
  
Are you aware of any workarounds and/or fixes for this vulnerability?  
- ---------------------------------------------------------------------  
[yes/no] (If you have a workaround or are aware of patches  
please include the information here.)  
no  
  
  
OTHER INFORMATION  
========================================================================   
===  
Is there anything else you would like to tell us?  
  
Some pictures of root access without authenticating are available   
upon request. I spoke with Apple about this vulnerability and they   
said, "Mac OS X applications running as root are allowed to display   
UI even when no user is logged in." Apple encouraged me to continue   
to work with CERT and Escape Labs on this issue.  
  
- --------  
CERT and CERT Coordination Center are registered in the U.S. Patent   
and Trademark office.  
  
`