crashdump follows symlinks within the /Library/Logs/CrashReporter/ directory, allowing admin-group users to execute arbitrary code and overwrite files with elevated privileges. In couple with a specially crafted Mach-O binary, this can be used to write a malicious crontab entry, which will run with root privileges.UserNotificationCenter retains wheel privileges on execution time, and still has a UID associated with the current user. Because of this, it> will attempt to run anyFurther information:InputManagerprovided by the user. Code within the input manager will run under wheel privileges. In combination withdiskutiland a wheel-writable setuid binary, this allows unprivileged users to gain root privileges.
The preference panes setuid helper,writeconfig, makes use of a shell script which lacks ofPATHsanitization, allowing users to execute arbitrary binaries under root privileges.
"Also, I’m pretty sure the SoD realized that writing to an SUID executable clears the SUID bit." -- Thomas Ptacek, Matasano.Actually, the problem isn't 'writing to setuid binaries' but the fact that diskutil "repairs permissions", thus after replacing directories, binaries and any other file, the original modes are set back. In other words: replace setuid binary with one of your choice (given that a BOM/Bill of Materials file acknowledges it's existence and properties), run diskutil repair permissions, profit. It remains unknown if Thomas just didn't understand the point or simply continues his usual blog wagon. Probably both.
Further information:rumpusdis vulnerable to different remotely exploitable heap-based buffer overflows, denial of service conditions and local privilege escalation issues. Due to the fact that Rumpus works under root privileges, successful exploitation by unprivileged users would allow a full compromise of the system.
Most of these issues are related to both FTP and HTTP request parsing, as well as insecure use of thesystem()function and incorrect permissions and/or handling of setuid binaries.
slpdis vulnerable to a buffer overflow condition when processing the attr-list field of a registration request, leading to an exploitable denial of service condition and potential arbitrary execution. It would allow unprivileged local (and possibly remote) users to execute arbitrary code under root privileges.
Multiple binaries inside the /Applications directory tree are setuid root, but remain writable by users in the admin group (ex. first user by default in a non-server Mac OS X installation), allowing privilege escalation. A malicious user can overwrite the binaries and perform a disk permissions repair operation via the diskutil tool, effectively setting back the default ownership and permissions (root setuid).The _ATPsndrsp function is vulnerable to a heap-based buffer overflow condition, due to insufficient checking of user input. This leads to a denial of service condition and potential arbitrary code execution by unprivileged users.
Application Enhancer (APE) is affected by different issues, one of them is a local privilege escalation vulnerability which allows local users to gain root privileges in the system by either patching theFurther information:ApplicationEnhancerbinary or replacing it. This binary is executed with root privileges and drops them (via setuid to current user id), but the file is actually writable, as well as the whole tree under/Library/Frameworks, allowing the mentioned condition to be abused for privilege escalation.
MD5 (../ape/ape-202.dmg) = b9388ac7a64d03a07a565906b6ef4510
MD5 (../ape/silent/ape-202-orig_after.dmg) = b9388ac7a64d03a07a565906b6ef4510
A vulnerability in the handling of BOM files allows to set rogue permissions on the filesystem via the 'diskutil' tool. This can be used to execute arbitrary code and escalate privileges. A malicious user could create a BOM declaring new permissions for specific filesystem locations (ex. binaries, cron and log directories, etc). Once 'diskutil' runs a permission repair operation the rogue permissions would be set, allowing to plant a backdoor, overwrite resources or simply gain root privileges.
