Bugtraq mailing list archives
Re: Local root exploit on Mac OS X with Adobe Version Cue
From: Chet Ramey <chet () caleb ins cwru edu>
Date: Tue, 7 Dec 2004 14:05:14 -0500
Local root exploit on Mac OS X 10.3.6 with Adobe products installed

Found by Jonathan Bringhurst <fintler () gmail com.NOSPAM>

Summary:
It's possible to create a suid root shell with a non-privileged user on a Mac OS X 10.3.6 system with Adobe Version Cue installed. Adobe Version Cue is installed by default with virtually every recent Adobe product. This most likely affects many versions of Mac OS X and Adobe Version Cue.

Details:
Scripts to start and stop Adobe Version Cue are suid root and do not make any checks to see if they are running from the correct path. By setting the current path to a controlled directory and creating scripts with specific names, a user can have a custom script run euid root.
This is the result of an Apple-introduced problem in bash-2.05b. Bash, as distributed, gives up setuid privileges when invoked without the -p option, if the kernel allows setuid scripts to run. Apple changed bash to keep setuid if bash is invoked as `sh'.

You can solve this particular problem by removing the setuid bit from the scripts and tightening up path checking, but it's going to be a potential problem until Apple reconsiders their permitting setuid scripts.

Chet

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
( ``Discere est Dolere'' -- chet )
Live...Laugh...Love
Chet Ramey, ITS, CWRU    chet () po cwru edu    http://tiswww.tis.cwru.edu/~chet/
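
An audit for the condition discussed in this thread, as an added example that is not part of either message: it lists setuid/setgid files that are interpreter scripts and can clear the bits, which is the fix the reply suggests. The function names find_suid_scripts and clear_suid_bits are hypothetical, chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit for setuid/setgid scripts.

# find_suid_scripts DIR...
# Prints "path<TAB>interpreter line" for every regular file under DIR that
# has the setuid or setgid bit set and begins with "#!".
find_suid_scripts() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec sh -c '
        for f do
            # A script starts with the two bytes "#!". NUL bytes are
            # stripped so binaries do not produce shell warnings.
            magic=$(head -c 2 "$f" 2>/dev/null | tr -d "\000")
            if [ "$magic" = "#!" ]; then
                # Report what follows "#!" on the first line.
                interp=$(head -n 1 "$f" | cut -c3-)
                printf "%s\t%s\n" "$f" "$interp"
            fi
        done
    ' sh {} +
}

# clear_suid_bits
# Reads find_suid_scripts output on stdin and removes the setuid and
# setgid bits from each listed path. Review the list before piping it
# here: whatever relied on the bit will then run unprivileged.
clear_suid_bits() {
    tab=$(printf '\t')
    while IFS="$tab" read -r path rest; do
        chmod u-s,g-s "$path"
    done
}
```

Run find_suid_scripts over the application and system directories first, then pipe the reviewed list to clear_suid_bits. Paths containing tabs or newlines are not handled by the report format.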