|
|
|
|
| |
| In the event a system is running with core files enabled, attackers with interactive shell access can overwrite arbitrary files, and read core files created by root owned processes. This may result in sensitive information like authentication credentials being compromised. |
| |
Credit:
The original advisory can be downloaded from: http://www.atstake.com/research/advisories/2003/a102803-1.txt.
The information has been provided by Dave G. of at Stake.
|
| |
Vulnerable systems:
* Mac OS X version 10.2.8 and prior
Immune systems:
* Mac OS X version 10.3
Core file creation is disabled by default in Mac OS X. In the event that core files are enabled on an Mac OS X system, root owned processes will write a core file to the /cores directory. The name of the core file will be: core.PID(*). This file will be owned by root, and is set with 0400 permissions (read only for root, no privileges for anyone else).
(*) PID would be the process ID of the process that dumped core
Since the /cores directory is world writable and core file names are predictable, an attacker with interactive shell access can create symbolic links in this directory, pointing them to files that exist elsewhere on the file system. Through this mechanism, we can overwrite files by symbolically linking to them.
At this point, an attacker can overwrite any file with the contents of a core file. In order to read the core files, one can make a symbolic link to a file on a mounted DMG image. Any user can mount a disk image, allowing them to effectively 'steal' core files. Depending on what was in the memory of the process that dumped core, an attacker may be able to find out private information, including authentication credentials.
Vendor Response:
This is fixed in Mac OS X 10.3. The core files setting are off by default on all shipping versions of Mac OS X. For further information on Mac OS X 10.3, please see http://www.apple.com/macosx/.
Recommendation:
1) Upgrade to Panther (Mac OS X 10.3).
2) If upgrading to Panther is not an option, ensure that core file creation is disabled.
|
|
|
|
|
|
|
|
|
|
