Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NEWS] Apple Computer Mac OS X pppd Plugin Loading Privilege Escalation

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NEWS] Apple Computer Mac OS X pppd Plugin Loading Privilege Escalation Vulnerability
Date: 27 May 2007 18:06:33 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Apple Computer Mac OS X pppd Plugin Loading Privilege Escalation 
Vulnerability
------------------------------------------------------------------------


SUMMARY

Apple Mac OS X  
<http://developer.apple.com/documentation/Darwin/Reference/Manpages/man8/pppd.8.html>
 pppd is "a setuid root application that is used to establish and configure 
connections for point to point links. It is commonly used for configuring 
traditional dial-up modem and DSL connections".

Local exploitation of a privilege escalation vulnerability in Apple 
Computer Inc.'s Mac OS X pppd could allow an attacker to gain root 
privileges.

DETAILS

Vulnerable Systems:
 * pppd in version 10.4.8 of Mac OS X.
 * Other versions may also be affected.

The vulnerability exists due to insufficient access validation when 
processing the "plugin" command line option. The application does not 
properly verify that the requesting user has root privileges and allows 
any user to load plug-ins.

When checking to see if the executing user has root privileges, a check is 
made to see if the stdin file descriptor is owned by root. Passing this 
check is trivial and allows the attacker to load arbitrary plug-ins 
resulting in arbitrary code execution with root privileges.

Exploitation is trivial and grants root access.

This vulnerability cannot be triggered remotely; an attacker needs local 
access to the victim's system in order to exploit this vulnerability. pppd 
is installed by default.

Workaround:
Remove the setuid bit from the pppd binary. This will prevent users 
without root privileges from being able to properly use the program.

Vendor Status:
Apple Inc has addressed this vulnerability in Apple Security Update 
2007-005. More information can be found from Apple's Security Update page 
or the Security Update 2007-005 advisory page at the respective URLs 
below.
 <http://docs.info.apple.com/article.html?artnum=61798> 
http://docs.info.apple.com/article.html?artnum=61798
 <http://docs.info.apple.com/article.html?artnum=305530> 
http://docs.info.apple.com/article.html?artnum=305530

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0752> 
CVE-2007-0752

Disclosure Timeline:
 * 01/08/2007 - Initial vendor notification
 * 01/09/2007 - Initial vendor response
 * 05/24/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense.
The original article can be found at:
 
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=537> 
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=537



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NEWS] Apple Computer Mac OS X pppd Plugin Loading Privilege Escalation Vulnerability, SecuriTeam <=
Previous by Date:  [NT] Opera Software Opera Web Browser Transfer Item Pop-up Menu Stack Overflow Vulnerability, SecuriTeam
Previous by Thread:  [NT] Opera Software Opera Web Browser Transfer Item Pop-up Menu Stack Overflow Vulnerability, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]