Credit:
The information has been provided by iDefense.
The original article can be found at:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
Vulnerable Systems:
* Mac OS X version 10.4.10, both Server and Workstation.
* (Previous versions may also be affected.)
When executing a setuid-root binary, the Mach kernel does not reset the current thread Mach port, or the current thread Mach Exception Port. By first creating and obtaining write access to a Mach port, and then executing a setuid-root binary, an attacker can write arbitrary data into the address space of the process running as root. This leads to arbitrary code execution in the privileged process.
Successful exploitation of this vulnerability results in the execution of arbitrary code with root privileges. All an attacker needs is a setuid-root binary and permission to execute it. In a default install, there are numerous binaries that meet these requirements.
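
The precondition above (a setuid-root binary that a non-root user may execute) can be inventoried on a host to see how many binaries are exposed until the update is installed. The Python script below is an added example, not part of the iDefense advisory; the function names and the `owner_uid` parameter are assumptions, and the demo runs on constructed files owned by the current user rather than root.

```python
import os
import stat
import tempfile

def setuid_exposure(root, owner_uid=0):
    """Return sorted (path, who) pairs for setuid files owned by owner_uid
    that some user other than the owner is permitted to execute."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: report the link itself, never its target
            except OSError:
                continue  # entry vanished or is unreadable
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_uid != owner_uid or not st.st_mode & stat.S_ISUID:
                continue
            if st.st_mode & stat.S_IXOTH:
                who = "any local user"
            elif st.st_mode & stat.S_IXGRP:
                who = "members of gid %d" % st.st_gid
            else:
                continue  # only the owner can run it: no privilege boundary crossed
            findings.append((path, who))
    return sorted(findings)

def build_constructed_tree(base):
    """Create constructed sample files (owned by the current user, not root)."""
    modes = {"world_suid": 0o4755, "group_suid": 0o4750,
             "owner_only_suid": 0o4700, "plain": 0o755, "suid_noexec": 0o4644}
    for name, mode in modes.items():
        path = os.path.join(base, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)  # set mode after writing; writes can clear setuid

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_constructed_tree(base)
        # On a real host: setuid_exposure("/", owner_uid=0)
        for path, who in setuid_exposure(base, owner_uid=os.getuid()):
            print("%-50s executable by %s" % (path, who))
```
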
Vendor Status:
Apple addressed this vulnerability within their Mac OS X 2007-008 security update.
http://docs.info.apple.com/article.html?artnum=307041
CVE Information:
CVE-2007-3749
Disclosure Timeline:
* 09/07/2007 - Initial vendor notification
* 09/10/2007 - Initial vendor response
* 11/14/2007 - Coordinated public disclosure