Monday, January 8, 2007

MOAB-08-01-2007: Application Enhancer (APE) Local Privilege Escalation

Application Enhancer (APE) is affected by several issues. One of them is a local privilege escalation vulnerability that allows local users to gain root privileges on the system by either patching the ApplicationEnhancer binary or replacing it. This binary is executed with root privileges and then drops them (via setuid to the current user ID), but the file is actually writable, as is the whole tree under /Library/Frameworks, which allows this condition to be abused for privilege escalation.
Further information:

Update: We just received an e-mail suggesting that Unsanity might have fixed this issue silently (replacing their available DMG of the 2.0.2 release with a new one). Until we verify that, we can't assume they really did it (which would be the most probable reaction on their side, though). A short (yet detailed) explanation is available at the MoAB Fixes Google Group.

Not fixed, yet:

MD5 (../ape/ape-202.dmg) = b9388ac7a64d03a07a565906b6ef4510
MD5 (../ape/silent/ape-202-orig_after.dmg) = b9388ac7a64d03a07a565906b6ef4510
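The condition described in the advisory (a file that root executes being writable itself, or sitting in a writable directory tree) can be checked for during an audit. The following is an added example, not code from the original advisory or from Unsanity: the function name, the `trusted_uid` and `stop_at` parameters, and the directory names in `demo()` are hypothetical, and the check is deliberately conservative in that it ignores the sticky bit and ACLs.

```python
import os
import stat
import tempfile


def audit_root_exec_path(target, trusted_uid=0, stop_at="/"):
    """Return (path, action, reason) findings for a file that root executes.

    'patch'   : the file itself can be modified in place.
    'replace' : a directory on the path is writable, so the file (or a
                directory above it) can be swapped for another one.
    """
    target = os.path.realpath(target)
    stop_at = os.path.realpath(stop_at)
    findings = []
    path, action = target, "patch"
    while True:
        st = os.stat(path)
        reasons = []
        if st.st_uid != trusted_uid:
            reasons.append("owned by uid %d" % st.st_uid)
        if st.st_mode & stat.S_IWGRP:
            reasons.append("group-writable (gid %d)" % st.st_gid)
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        findings.extend((path, action, reason) for reason in reasons)
        parent = os.path.dirname(path)
        if path == stop_at or parent == path:
            break
        # Every ancestor directory matters: write access there allows renaming
        # and recreating the entry below it.
        path, action = parent, "replace"
    return findings


def demo():
    """Constructed layout: a group-writable framework tree with a writable helper."""
    root = os.path.realpath(tempfile.mkdtemp())
    fw = os.path.join(root, "Frameworks", "Example.framework")  # hypothetical names
    os.makedirs(fw)
    helper = os.path.join(fw, "helper")
    open(helper, "w").close()
    os.chmod(helper, 0o775)  # file can be patched by its group
    os.chmod(fw, 0o775)      # directory allows the file to be replaced
    os.chmod(os.path.join(root, "Frameworks"), 0o755)
    os.chmod(root, 0o755)
    # The current user stands in for root so the demo runs unprivileged.
    return root, audit_root_exec_path(helper, trusted_uid=os.getuid(), stop_at=root)
```

On a real system the call would be `audit_root_exec_path(path_to_binary)` with the defaults, so that anything not owned by uid 0 or writable by group or others anywhere on the path up to `/` is reported.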
