Monday, January 15, 2007

MOAB-15-01-2007: Multiple Mac OS X Local Privilege Escalation Vulnerabilities

Multiple binaries inside the /Applications directory tree are setuid root but remain writable by users in the admin group (e.g. the first user created by default in a non-server Mac OS X installation), allowing privilege escalation. A malicious user can overwrite such a binary and then run a disk permissions repair via the diskutil tool, which restores the default ownership and permissions (root-owned, setuid).
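A check for the condition described above, added here and not part of the original MOAB post: it lists files under a directory tree that carry the setuid bit and are also writable by a chosen group or by everyone, and can strip those write bits. It assumes a POSIX find that accepts octal -perm; the group name is a parameter (admin on a default Mac OS X install) and the default root path follows the advisory.

```shell
#!/bin/sh
# Added example, not code from the original advisory. Audits a tree for
# setuid files that a non-owner can overwrite, the condition behind
# MOAB-15-01-2007. Assumptions: POSIX find with octal -perm; group name
# supplied by the caller ("admin" is the Mac OS X default and a placeholder).

audit_writable_setuid() {
    root="${1:-/Applications}"
    grp="${2:-admin}"
    # -perm -4020: setuid bit AND group-write bit both set, group is $grp
    # -perm -4002: setuid bit AND world-write bit both set (anyone can write)
    find "$root" -type f \
        \( -perm -4020 -group "$grp" -o -perm -4002 \) \
        -print
}

# Number of offending files, so a script can act on the result.
count_writable_setuid() {
    audit_writable_setuid "$1" "$2" | wc -l | tr -d ' '
}

# Remediation: drop group and world write on every file the audit reports.
# The setuid bit itself is left alone; only the write bits change.
fix_writable_setuid() {
    audit_writable_setuid "$1" "$2" | while IFS= read -r f; do
        chmod go-w "$f"
    done
}
```

As the advisory notes, a later diskutil permissions repair puts the shipped defaults back, so the chmod holds only until the defaults themselves are corrected; re-run the audit after any repair.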

Further information:
Thanks to Ian Silvester for donating to the project!

2 comments:

grauv said...

Users in the admin group are sudoers. Wouldn't a `sudo su` be sufficient to gain root?

lmh said...

That asks for a password. The whole point of privilege escalation vulnerabilities is actually not requiring any type of authentication / credentials in order to gain privileges.

This can be coupled with a remote exploit, for example the QuickTime issue.

Malware infecting a user in the admin group can make use of it for escalating privileges too.