Sunday, January 21, 2007

MOAB-21-01-2007: System Preferences writeconfig Local Privilege Escalation Vulnerability

The preference panes' setuid helper, writeconfig, makes use of a shell script which lacks PATH sanitization, allowing users to execute arbitrary binaries with root privileges.
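The hardened pattern for a privileged helper that has to start a shell script, as an added example (not Apple's code and not part of the original advisory): the interpreter is named by absolute path and the child gets a fixed environment instead of the caller's. The function name `run_with_clean_env` and the `SAFE_PATH` value are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Fixed environment for the child: nothing is inherited from the caller. */
#define SAFE_PATH "/usr/bin:/bin:/usr/sbin:/sbin"   /* assumed value */
static char *const clean_env[] = { "PATH=" SAFE_PATH, NULL };

/*
 * Run argv[0] (absolute path required) with clean_env, capture up to
 * outlen-1 bytes of its stdout in `out`, and return its exit status.
 * Returns -1 if the path is not absolute or a system call fails.
 */
int run_with_clean_env(char *const argv[], char *out, size_t outlen)
{
    int fds[2], status;
    if (argv == NULL || argv[0] == NULL || argv[0][0] != '/' || outlen == 0)
        return -1;                        /* never search PATH for the target */
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (pid == 0) {                       /* child */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execve(argv[0], argv, clean_env); /* execve, not execvp() or system() */
        _exit(127);
    }
    close(fds[1]);
    size_t used = 0;
    ssize_t n;
    while (used < outlen - 1 && (n = read(fds[0], out + used, outlen - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char buf[256];
    /* Constructed demo command: the child reports the PATH it actually sees. */
    char *const argv[] = { "/bin/sh", "-c", "printf %s \"$PATH\"", NULL };
    int rc = run_with_clean_env(argv, buf, sizeof buf);
    printf("exit=%d child PATH=%s\n", rc, buf);
    return rc;
}
```

The script itself should still set its own `PATH` on its first line or call every tool by absolute path, so it stays safe if some other caller starts it.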

Further information:
This week will be a really interesting one.
"Also, I’m pretty sure the SoD realized that writing to an SUID executable clears the SUID bit." -- Thomas Ptacek, Matasano.
Actually, the problem isn't 'writing to setuid binaries' but the fact that diskutil "repairs permissions", thus after replacing directories, binaries and any other file, the original modes are set back. In other words: replace setuid binary with one of your choice (given that a BOM/Bill of Materials file acknowledges its existence and properties), run diskutil repair permissions, profit. It remains unknown if Thomas just didn't understand the point or simply continues his usual blog wagon. Probably both.
