iSync vulnerability for OS X +fix (?)
There was a big security dump on OS X a bit ago, but that got picked up enough that I didn't really worry about it. This one is a little odder: Secunia is reporting that mRouter, via iSync, has a buffer overflow:
The vulnerability is caused due to a boundary error in the handling of the "-v" and "-a" command line options. This can be exploited to cause a buffer overflow by supplying an overly long argument (over 4096 bytes). Successful exploitation allows execution of arbitrary code with the privileges of the mRouter application.
Mac OS 10.3.7 and under are affected, but remember that while this isn't good, it's a local attack and not remote, i.e., the evildoer would need access to your system in some way, either by sitting at the keyboard or through a piece of malware or something else in that vein. This is the type of thing someone exploits to completely own your box once they've gotten onto your system another way.
No patch from Apple (yet) and possibly won't be for older systems, but there is a fix...
Remove the setuid bit from: "/System/Library/SyncServices/SymbianConduit.bundle/Contents/Resources/mRouter"
Since that'll be Greek to most people... with a Unix, you normally think in terms of three groups of permissions: owner, group, and everybody else. There's a fourth set though (the setuid and setgid bits), and when these permissions are set, any user who runs that executable file assumes the user ID of the owner (or the group ID of the group) of the executable file for as long as it runs. Yeah, scary, but hey, there are cases in a Unix system where you need to be able to do that.
To remove the setuid bit from mRouter, dropping the following command into your terminal should work, after entering your password (all one line):
sudo chmod a-s /System/Library/SyncServices/SymbianConduit.bundle/Contents/Resources/mRouter
Please remember that it's 8am, and I'm on my first cup of coffee, so if this screws something up regarding iSync in some way I'm not going to worry about it... but that's how you turn off the SetUID bit if you're worried.
However, if you end up doing it and need to turn it back, this command should do it (all one line):
sudo chmod 4755 /System/Library/SyncServices/SymbianConduit.bundle/Contents/Resources/mRouter
Remember that neither I nor the cow is responsible for you hosing your system in any way. I'm willing to go turncoat on the coffee, though.
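An added example, not part of the original post: a small shell check that reports whether a file carries the setuid and/or setgid bit, demonstrated on a constructed temporary file with the same two chmod modes used above. The helper names setid_state and demo and the temporary file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). setid_state is a hypothetical
# helper that prints one of: missing, none, setuid, setgid, setuid+setgid.
setid_state() {
    f=$1
    if [ ! -e "$f" ]; then
        echo missing
        return 0
    fi
    state=none
    # -u and -g are the POSIX tests for the setuid and setgid bits.
    if [ -u "$f" ]; then state=setuid; fi
    if [ -g "$f" ]; then
        if [ "$state" = setuid ]; then state=setuid+setgid; else state=setgid; fi
    fi
    echo "$state"
}

# Path from the post; on any other system this simply reports "missing".
MROUTER="/System/Library/SyncServices/SymbianConduit.bundle/Contents/Resources/mRouter"

# Constructed demonstration on a throwaway file we own, so no sudo is needed.
# 4755 sets the setuid bit (the "turn it back" mode); a-s clears setuid/setgid.
demo() {
    tmp=$(mktemp) || return 1
    chmod 4755 "$tmp"
    before=$(setid_state "$tmp")
    chmod a-s "$tmp"
    after=$(setid_state "$tmp")
    rm -f "$tmp"
    echo "$before -> $after"
}

echo "demo file: $(demo)"
echo "mRouter:   $(setid_state "$MROUTER")"
```

Running it again later (for example after a permissions repair) shows whether the bit has come back on mRouter.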
Comments (6)
Posted by: Ben Donley at January 27, 2005 12:49 PM
Won't this get re-broken if you repair permissions? Seems like something like this would be in the packages.
Posted by: Kevin Ballard at January 27, 2005 02:13 PM
Ben - quite possibly. So don't repair permissions until this bug gets fixed ;)
Posted by: Kevin Ballard at January 27, 2005 02:13 PM
An alternate fix would probably be to just delete the Symbian Conduit, assuming, of course, that you don't have a Symbian phone you need to sync to.
Posted by: Mod Sausage at March 23, 2005 05:33 PM
Amazingly this still isn't fixed in OS X as of March 23rd. How long do we have to wait until Apple fixes it?
I know it's only a local exploit, but well, still, you do run a lot of code on a computer if you download software and install it from time to time.
How long until one of them is by unscrupulous people?
Posted by: jlb at March 31, 2005 04:34 PM
On my box, mRouter and mRouterJaguar were updated on Feb. 28. According to the Receipts, it corresponds to the 10.3.8 update.
Are you sure the buffer overflow has not been fixed by 10.3.8?








This is the type of thing someone exploits to completely own your box once they've gotten onto your system another way.
0wn
;)