COMMAND

Mac OS NetInfo Manager local root rights abuse

SYSTEMS AFFECTED

Mac OS X 10.2 Jaguar

PROBLEM

Christopher Allene [cwis@nerim.fr] says:

There is a severe security issue with Mac OS X 10.2 Jaguar, which allows any user of the system to navigate through the entire filesystem, and possibly overwrite any file.

The security issue lies within the "NetInfo Manager" application, which is setuid root. Whenever a user runs this application, the entire application is running as root. Therefore, if the user runs "NetInfo Manager" and chooses to print the window content by choosing "Domain: Print", the Print dialog is running as root. By choosing to "Save as PDF", the associated file manager window is itself running as root, thus allowing the user to navigate all files on the connected hard disks.

Moreover, by creating a filesystem link to any file of the filesystem, calling the link "dummy.pdf", and then saving the PDF over this link, the user is then allowed to overwrite the contents of any file of the filesystem, including system files or files owned by other users on the system.

Although this security hole cannot be used to gain privileged status with a clean install of Jaguar, it might be possible for a malicious user to install a custom Print Driver of his choosing, which could, for example, run a copy of Terminal.app as root, thus allowing the attacker to gain root access.

A similar security issue has already been discovered a few months ago, where running "NetInfo Manager" allowed any user to become root while choosing a program from the Apple menu.

Setuid applications have severe security implications; this should not be forgotten. Also, note that from all the programs shipped with Jaguar which are setuid root, NetInfo Manager is the only program which does not "drop privileges".

SOLUTION
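The two defensive points the advisory turns on (a setuid program dropping privileges before any dialog runs, and a save routine that refuses to write through a planted link), as an added C example that is not part of the advisory or of Apple's code. The function names and the /tmp demo paths are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: permanently give up setuid-root privileges. Call it
 * before any UI or file dialog runs. Returns 0 on success, -1 otherwise. */
int drop_privileges(void)
{
    uid_t ruid = getuid();              /* the user who launched the program */
    gid_t rgid = getgid();
    if (setgid(rgid) != 0) return -1;   /* group first, while still privileged */
    if (setuid(ruid) != 0) return -1;   /* as root: resets real, effective, saved uid */
    /* Verify the drop stuck: an unprivileged process must not regain root. */
    if (ruid != 0 && (setuid(0) == 0 || geteuid() == 0)) return -1;
    return 0;
}

/* Hypothetical helper: create a new output file without following a link at
 * `path`. O_EXCL fails if anything, a symlink included, already exists. */
int create_output_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed demo: a "dummy.pdf" link pointing at another file must be
 * refused and the link target left untouched. Returns 0 if that held. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/privdemoXXXXXX";
    char target[64], link_path[64];
    struct stat st;
    int fd, ok;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/victim.txt", dir);
    snprintf(link_path, sizeof link_path, "%s/dummy.pdf", dir);
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "keep", 4) != 4) return -1;
    close(fd);
    if (symlink(target, link_path) != 0) return -1;
    fd = create_output_file(link_path);           /* must fail on the link */
    ok = fd == -1 && (errno == EEXIST || errno == ELOOP)
         && stat(target, &st) == 0 && st.st_size == 4;
    unlink(link_path); unlink(target); rmdir(dir);
    return ok ? 0 : -1;
}

int main(void) { return (drop_privileges() == 0 && demo_symlink_refused() == 0) ? 0 : 1; }
```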