SecuriTeam - Mac OS X launchd Race Condition Vulnerability

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

"launchd manages daemons, both for the system as a whole and for individual users. Ideal daemons can launch on demand based on criteria specified in their respective XML property lists located in one of the directories specified in the FILES section.
During boot launchd is invoked by the kernel to run as the first process on the system and to further bootstrap the rest of the system."

By replacing file sockets used by launchd with symbolic links to a file that the attacker does not have access to, it is possible to gain ownership of this file or run code with root privileges.

Credit:
The information has been provided by Suresec Advisories.
The original article can be found at: http://www.suresec.org/advisories/adv3.pdf

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* Mac OS X version 10.4

Immune Systems:
* Mac OS X version 10.4.1
* Mac OS X Server version 10.4.11

The launchd tool, when invoked, uses the launchd_server_init() function to set up temporary files in the /tmp directory. It first creates a directory with the name of the invoking user's current uid. It then uses the chown() function to modify the ownership of the directory to belong to the invoking user.
After this has occurred a socket (file) is created inside this directory and the chown() function is again called to give this file ownership permissions of the invoking user.

A race condition exists here. If a malicious user removes the newly created socket and replaces it with a symbolic link to any file which they don't own. If this is timed to be in between the function call to create the socket, and the chown() call the symbolic link will be followed. This gives the malicious user the ability to effectively "steal" the ownership of any file or directory on the system.

Successful exploitation of this vulnerability will allow a malicious user to "steal" ownership of any file on the system. Using this to gain access to a root shell is a trivial process.

Vendor Status:
Information about vendor update can be found at: http://docs.info.apple.com/article.html?artnum=301742

CVE Information:
CAN-2005-1725

	LedgerSMB Multiple Vulnerabilities
	Kaspersky Lab Multiple Products Local Privilege Escalation Vulnerability
	Piwik Cookie Unserialize Vulnerability
	Invision Power Board SQL PHP File Inclusion and SQL Injection
	U.S. Defense Information Systems Agency (DISA) Unix Security Readiness Review (SRR) Vulnerability
	DevIL DICOM Buffer Overflow Vulnerability
	Marvell Driver Multiple Information Element Overflows
	HP Data Protector Express and Single Server Edition (SSE) DoS and Code Execution
	HP Color LaserJet Printers Unauthorized Access to Data and DoS
	KDE KDELibs Remote Array Overrun with Arbitrary Code Execution
	Gimp BMP Image Parsing Integer Overflow Vulnerability
	Avast aswRdr.sys Kernel Pool Corruption and Local Privilege Escalation
	WordPress Unrestricted File Upload Arbitrary PHP Code Execution
	Atheros Driver Reserved Frame DoS Vulnerability
	McAfee Security Manager Authentication Bypass and Session Hijacking Vulnerability