|
|
|
|
| |
| A serious security exploit has been found in Mac OS X 10.1 (in fact, as it turns out, it has been present in 10.0.x versions as well). Using this exploit any user at the Desktop can gain root access to the machine. |
| |
Credit:
The information has been provided by Scott Anguish and Luke Gill.
|
| |
The problem is caused by applications that are set-uid root (that is, regardless of the user that runs them, they have root permissions). Normally these programs have a limited scope of functionality so that damage is minimized. However, it appears that any items launched from the Apple->Recent Items menu inherit the root user privileges. Additionally, any other apps in the Apple menu (i.e. System Preferences) can be launched as root using this hole.
This can be demonstrated using the following technique:
1) Launch Terminal
2) Type whoami and hit return (this will show you who you are logged in as)
3) Quit Terminal
4) Launch NetInfo Manager
5) Select Apple Menu->Recent Items->Terminal
6) Type whoami and hit return (you will now be root)
7) Quit Terminal (so you do not accidentally leave root logged in)
This is a serious problem, and works even if the root user has never been enabled on the machine. Apple will need to release an update to Mac OS X 10.1 to ensure that this exploit is closed. Apple is aware of this issue, and a fix is already in progress.
You can find any set-uid root programs on your system using the following command:
sudo find / -perm -4000 -user root -print
This will print a list of all the applications on your system that are set to run as root even if you are not logged in as root. There are a number of them, but only applications that provide an Aqua user interface are of concern for this particular exploit. In particular, you may want to consider further securing the following applications
/Applications/Utilities/Disk Utility.app
/Applications/Utilities/NetInfo Manager.app
/Applications/Utilities/Print Center.app
By making then runable only by root and members of the admin group:
sudo chmod o-x \
'/Applications/Utilities/Disk Utility.app/Contents/MacOS/Disk Utility' \
'/Applications/Utilities/NetInfo Manager.app/Contents/MacOS/NetInfo Manager' \
'/Applications/Utilities/Print Center.app/Contents/MacOS/PrintingReset'
This may affect the application or user experience. You may even want to make them only executable by root (change the chmod o-x to chmod go-x above).
Additionally, some third party applications have been distributed set-uid root and could provide additional sources of concern to the items specifically mentioned above.
|
|
|
|
|
|
|
|
|
|
