|
|
|
|
| |
Many applications are installed onto Mac OS X systems with insecure file permissions. This is due to two distinct classes of problems:
1) a security issue regarding DMG files managed by Mac OS X
2) insecure file permissions packaged by different vendors
The result is that many of the files and directories that compose various applications are globally writable. This allows attackers with filesystem access to an OS X machine to replace binaries and obtain additional privileges from unsuspecting users, who may run the replaced version of the binary. |
| |
Credit:
The original advisory can be downloaded from: http://www.atstake.com/research/advisories/2003/a102803-2.txt.
The information has been provided by Dave G. of at Stake.
|
| |
Vulnerable systems:
* Mac OS X 10.2.8 and prior
Immune systems:
* Mac OS X 10.3
Issue #1: DMG File Permissions
Mac OS X will reset permissions on directories dragged off a DMG to global read/write/execute when they are dragged off the disk image. It will exhibit the same behavior when dragging folders onto a mounted DMG. This resetting does not appear to occur on files, only directories. Since these directories contain application binaries, attackers with interactive access to a Mac OS X system can overwrite many applications with Trojan binaries. These Trojan binaries would escalate the privileges of the attacker to the privileges of the unsuspecting user who ran them.
Issue #2: Incorrect Vendor-Specified File Permissions
Many Mac OS X vendors, both large and small, package and ship applications with insecure file permissions. World writable files have included:
1) Application and support executables
2) Directories
3) Shared objects
4) Configuration files
5) HTML and JavaScript
Typically, these files have existed within the following directories (but not exclusively):
1) /Applications
2) /Library/Application Support
3) /Library/StartupItems
The number of vendors affected by this is large, and individual applications affected are not provided within this advisory. However, the recommendations section provides a UNIX command that can be used to identify insecure file permissions.
Vendor Response:
This is fixed in Mac OS X 10.3 where Finder will preserve the permissions on copied folders. For any existing folders, it is possible to manually change the permissions to the desired setting through the Get Info command in the File menu of the Finder, then modifying the "Ownership & Permissions" settings for the selected folder or file. Disk Utility, found in /Applications/Utilities is also helpful in setting system-wide folder permissions via the "Repair Disk Permissions" button.
For further information on Mac OS X 10.3, please see http://www.apple.com/macosx/.
Recommendations:
1) Review the file and directory permissions in the following directories: /Applications, /Library/Application Support and /Library/StartupItems.
While it may make sense to remove global write permissions on all directories in /Applications, this may break the functionality of certain applications. To attempt this, execute the following command from within Terminal.app:
find /Applications -type d -exec chmod o-w {} \;
Warning: this command may break certain applications.
2) Upgrade to Panther (Mac OS X 10.3).
3) When installing applications, use the UNIX cp(1) command.
|
|
|
|
|
|
|
|
|
|
