Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Matasano Advisory: MacOS X Mach Exception Server Privilege Escalation

from [Matasano Advisories] Network Security [Permanent Link]
Subject: Matasano Advisory: MacOS X Mach Exception Server Privilege Escalation
Date: Fri, 29 Sep 2006 17:12:54 -0400 
                      Matasano Security Advisory
          MacOS X Mach Exception Server Privilege Escalation

    Release Date:    Fri Sep 29 2006
    Affects:             MacOS X 10.4 < 10.4.8, 10.3.*, OpenStep 4.2
    Severity:            High - Local root privilege escalation
    Credit:               Dino Dai Zovi <ddz _at_ matasano.com>
    Vendor Status:  MacOS X 10.4.8 fixes vulnerability
    Workarounds:   None

I. Synopsis

MacOS X uses Mach exception ports to support the CrashReporter
"Application Quit Unexpectedly" dialog, Problem Report dialog, process
debugging, and crash dumps logs.

On vulnerable operating systems, attackers can exploit the inheritance
of Mach exception ports to inject code into SUID processes, allowing
nonprivileged users to assume root privileges.

II. Description

A number of Mach-based Unix operating systems (including MacOS X and
OpenStep) allow SUID executables to inherit the parent processes'
exception ports.  When an exception notification is received, the
parent calls the kernel exception server exc_server() to process the
exception and call any of a set of defined callback functions.  The
catch_exception_raise() callback is given Mach port send rights to
the Mach thread that generated the exception and the task containing
the thread. These rights allow the parent to modify the thread's
context and the task's address space.  A parent process may exploit
this by allocating memory in the child task's address space, copying
in executable code, and causing a thread in the task to execute the
injected code.

Exploiting this vulnerability requires a SUID root executable that can
forced to generate an exception.  A number of common setuid root
binaries like /usr/bin/at or /usr/bin/rlogin crash when executed with
a NULL argv pointer, and this suffices to enable exploitation of this
vulnerability.

III. Target

This vulnerability has been exploited on MacOS X 10.4 and 10.3 and
verified to exist on OpenStep 4.2.  It is assumed that releases of
MacOS X prior to 10.3 are also vulnerable, as well as earlier releases
of OpenStep and NeXTSTEP.

IV. Impact

Unprivileged attackers with local access can obtain root credentials.

V. Vendor Response

Apple has resolved this vulnerability as of MacOS X 10.4.8.

VI. Workarounds

As this vulnerability exists in the operating system kernel, there are
no known workarounds.

VII. Origin

Dino Dai Zovi, Matasano Security
ddz _at_ matasano.com
http://www.matasano.com
http://www.matasano.com/log

For the more information and updates on this advisory, see the
expanded version on our blog:

http://www.matasano.com/log/530/matasano-advisory-macos-x-mach- exception-server-privilege-escalation/

or contact:

advisories _at_ matasano.com

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Matasano Advisory: MacOS X Mach Exception Server Privilege Escalation, Matasano Advisories <=
Previous by Date:  rPSA-2006-0175-2 openssl openssl-scripts, rPath Update Announcements
Next by Date:  rPSA-2006-0176-1 openldap openldap-clients openldap-servers, rPath Update Announcements
Previous by Thread:  rPSA-2006-0175-2 openssl openssl-scripts, rPath Update Announcements
Next by Thread:  rPSA-2006-0176-1 openldap openldap-clients openldap-servers, rPath Update Announcements
Indexes:  [Date] [Thread] [Top] [All Lists]