16th Sep 2002 [SBWID-5690]
COMMAND
Mac OS NetInfo Manager local root rights abuse
SYSTEMS AFFECTED
Mac OS X 10.2 Jaguar
PROBLEM
Christopher Allene [cwis@nerim.fr] says :
There is a severe security issue with Mac OS X 10.2 Jaguar, which
allows any user of the system to navigate through the entire
filesystem, and possibly overwrite any file. The security issue lies
within the "NetInfo Manager" application, which is setuid root.
Whenever an user runs this application, the entire appliation is
running as root.
Therefore, if the user runs "NetInfo Manager" and chooses to print the
window content by choosing "Domain: Print", the Print dialog is running
as root? By choosing to "Save as PDF", the associated file manager
window is itself running as root, thus allowing the user to navigate
all files on the connected hard disks. Moreover, by creating a
filesystem link to any file of the filesystem, calling the link
"dummy.pdf", and then saving the PDF over this link, the user is then
allowed to overwrite the contents of any file of the filesystem,
including system files or files owned by other users on the system.
Although this security hole cannot be used to gain priviledged status
with a clean install of Jaguar, it might be possible for a malicious
user to install a custom Print Driver of his choosing, which could, for
exemple, run a copy of Terminal.app as root, thus allowing the attacker
to gain root access.
A similar security issue has already been discovered a few month ago,
where running "NetInfo Manager" allowed any user to become root while
choosing a program from the Apple menu. Setuid applications have severe
security implications, this should not been forgotten.
Also, note that from all the programs shipped with Jaguar which are
setuid root, NetInfo Manager is the only program which does not "drop
priviledges".
SOLUTION
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH
