Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RsyncX vulnerabilities

from [Matt Johnston] Network Security [Permanent Link]
Subject: RsyncX vulnerabilities
Date: Fri, 17 Sep 2004 17:15:28 +0800 
Product: RsyncX is a frontend for rsync running on OS X,
with additional features such as crontab editing.

http://www.macosxlabs.org/rsyncx/rsyncx.html

Problems:

1) RsyncX is installed setuid root and setgid wheel.

Upon execution, the program drops root privileges (only via
seteuid(getuid()) ). However it does not drop wheel-group
privileges. This allows any user to execute arbitrary
programs with egid=wheel. I assume it's also vulnerable to
other attacks given it doesn't totally drop root privileges,
though I didn't investigate that.

Since "defaults" is run according to the user's path,
System\ Preferences.app can be replaced with an arbitrary
program as follows:

First, make a backup of System\ Preferences.app

Create an executable file ~/bin/defaults with contents of:

=============================
#!/bin/sh                                                                       
mv "/Applications/System Preferences.app/Contents" "/Applications/System 
Preferences.app/oldcont"
cp -r "/Applications/Calculator.app/Contents" "/Applications/System 
Preferences.app/Contents"
=============================

Then run RsyncX with ~/bin in your path:

PATH=~/bin:$PATH /Applications/Utilities/RsyncX.app/Contents/MacOS/RsyncX

Click on System Preferences, and is now a calculator.

2) RsyncX uses a fixed file in /tmp allowing /etc/crontab to be
user-controlled.

When using the scheduler component of RsyncX, /tmp/cron_rsyncxtmp
is insecurely used. A user can create a dir /tmp/blahdir,
then 
ln -s /tmp/blahdir/file /tmp/cron.rsyncxtmp

After RsyncX scheduler is used by an admin, /etc/crontab
will become a symlink pointing to /tmp/blahdir/file.
/tmp/blahdir is controlled by the user. Issues probably also
exist with the "chown root; chmod u+s" on that file - I
haven't fully investigated that.



Workarounds:

For setuid/setgid issues, change permissions on RsyncX so
that it is only executable by admins, or not installed
setuid or setgid.

For the /tmp insecurity, don't use the RsyncX scheduler.

Versions:

RsyncX 2.1 was tested.

Developer Response:

Regarding the failure to drop gid=wheel, I was told that the
program uses Apple Security Services to control authorized
access, and that "any admin can gain root privs in OS X". I
received no response when I confirmed that it was _any_
user, not just admins.

With the /tmp insecurity, I was told that there are a few
bugs in the scheduler. 

These were reported to the developer on 8 Sept 2004.


Matt Johnston 
matt ucc.asn.au
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • RsyncX vulnerabilities, Matt Johnston <=
Previous by Date:  RE: [Full-Disclosure] Re: Vulnerability in IBM Windows XP: default hidden Administrator account allows local Administrator access, pingywon MCSE
Next by Date:  [Full-Disclosure] Re: [exploitwatch.org] ALERT: Windows XP JPEG Buffer Overflow POCExploit, Clemens, Dan
Previous by Thread:  [Full-Disclosure] RE: Vulnerability in IBM Windows XP: default hidden Administrator account allows local Administrator access, Michael Scheidell
Next by Thread:  [Full-Disclosure] Re: [exploitwatch.org] ALERT: Windows XP JPEG Buffer Overflow POCExploit, Clemens, Dan
Indexes:  [Date] [Thread] [Top] [All Lists]