But it's only a local root exploit
About 100 posts ago (2 months-ish), I posted about a local iSync vulnerability, and tried to give a reasonable explanation of what was going on as well as how to fix it until Apple released their own fix. I'm getting emailed about it because of a really fun usenet thread in comp.sys.mac.system, among other places (which are more amusing), that is linking to my post on it.
My original post gives all the info regarding the vuln, but suffice to say this isn't something that can harm you from someone acting remotely, but locally it's the real deal for escalating one's privileges and 0wning a box. 'Local' can also mean a lot of things:
- Someone sitting at a computer but 'locked out' of other users' accounts, and other aspects of the system, can use it to do bad things.
- Someone in a remote location, but given an account on the system/server, can use it to break out of their user-space and into everyone's, among other things. This isn't as uncommon as you'd think; think about where your website is and how you access it.
- This is exactly the type of hole a piece of malware loves to exploit to get access to the whole machine. Think of your kid downloading something bad off of P2P while in their account, and the malware author now has access to the spreadsheets in your account.
A remote-root is even more serious, and is the type of thing that allows someone to get in even though they've been granted no access whatsoever. This one is about someone being given access and using that foot in the door to totally take control. It's still a very serious thing, and is not harmless.
It is local, so it's not the end of the world, although I don't know if I'd be saying that if I was using a different platform. Not fixing something serious quickly because there theoretically aren't that many people looking to abuse it is basically a roll of the dice.
Now of course Apple is going to fix this eventually, they'd be stupid as hell not to, but two months is a pretty long time for a local root exploit to go unpatched, and it's good that there's little malware in existence for OS X.
Unfortunately for those emailing me, while we can guess about what's going on to hold things up (Are there multiple vulns in this class? Is it a deeper-rooted problem? Will the fix screw something up that has to be coded around? Are they being restricted by their scheduled releases for patches?), it's not the kind of thing we'll ever have an answer to.
Only Apple would, and they're pretty opaque about this kind of thing.
Comments (7)
Posted by: Nabil at March 24, 2005 02:04 PM
What gets me is that the latest security update (http://docs.info.apple.com/article.html?artnum=301061) fixed other security holes involving "user privilege escalation", but didn't bother with this one.
Dunno why, maybe one of the other fixes will fix this in the process, or the patch wasn't ready, or something. I kinda wish they'd publish their bug tracker like Mozilla does... that way we could see the status of it.
Posted by: Paul Oswald at March 24, 2005 02:06 PM
Apple's behavior concerning security scares the hell out of me. While they don't really push it much more than claiming Unix as a more stable foundation (than what? OS 9 or Win XP?), their users are basking in security through obscurity. This could be blown away so quickly that Apple had better have a plan ready to go.
Furthermore, users are being desensitized to giving out their passwords. Probably 25% of all application installers I try ask for a password. Users type their password into those boxes without even giving it a second thought.
There are so many ways to spread malware that I'm actually a little surprised a virus/worm hasn't been spread. It seems that with all of the automation available in AppleScript (even more in Tiger) and only a spam filter to protect most Macs, a user-triggered (click here for PaRiS PhoToz.jpg.bin!) email would travel fast.
The only explanation I have is that there's still not enough plutonium to go critical.
Posted by: jdb at March 24, 2005 07:12 PM
There is also an mRouterJaguar in that directory which is also SUID. I'm assuming it has the same buffer overflow problem. You might want to edit your fix and mention it as well.
Jim Bailey
Posted by: jdb at March 24, 2005 07:20 PM
Bah, I just tested mRouterJaguar and it doesn't work with the exploit code that was posted on comp.sys.mac.system. Sorry for the bad info.
Jim
Posted by: jlb at March 31, 2005 04:36 PM
On my box, mRouter and mRouterJaguar have been updated on Feb. 28. According to the Receipts, it corresponds to the 10.3.8 update.
Are you sure the buffer overflow has not been fixed by 10.3.8?
Posted by: PS at March 31, 2005 05:42 PM
mRouter does not appear in the 10.3.8 update. Its modification date was probably changed by the pre-binding stage that follows a system update.
I would guess they are mainly focusing on Tiger right now, although the rumoured 10.3.9 update might include a fix for this.
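A defensive check prompted by the two comment threads above (jdb's point that a second helper in the same directory is also set-uid, and PS's point that a modification date reset by prebinding says nothing about whether a binary was patched). This is an added example, not code from the post or from Apple: it lists set-uid files under a directory with a POSIX `cksum` of their contents, and compares a file against a checksum recorded earlier instead of trusting its mtime. The demo runs on a constructed temporary directory whose file names merely stand in for the iSync helpers; the real directory path is not given on this page.

```shell
#!/bin/sh
# Added example: audit a directory for set-uid executables and fingerprint
# their contents with cksum (POSIX, present on both BSD and GNU systems).

# list_suid DIR -> one line per set-uid file: "<cksum> <size> <path>"
list_suid() {
    # -perm -4000: the set-uid bit is set, whatever the other mode bits are
    find "$1" -type f -perm -4000 -exec cksum {} \; | sort -k3
}

# count_suid DIR -> number of set-uid files under DIR
count_suid() {
    list_suid "$1" | wc -l | tr -d ' '
}

# file_cksum FILE -> checksum of the file contents only (no size, no name)
file_cksum() {
    cksum < "$1" | cut -d' ' -f1
}

# suid_changed FILE RECORDED_CKSUM -> exit 0 if the contents differ from the
# checksum recorded before a system update (the binary really was replaced),
# exit 1 if they are identical even though the mtime may have moved.
suid_changed() {
    [ "$(file_cksum "$1")" != "$2" ]
}

# Demo on a constructed directory; names are placeholders for the helpers
# discussed in the comments, not the real files.
demo() {
    tmp=$(mktemp -d)
    printf 'placeholder mRouter\n' > "$tmp/mRouter"
    printf 'placeholder mRouterJaguar\n' > "$tmp/mRouterJaguar"
    printf 'placeholder helper\n' > "$tmp/helper"
    chmod 4755 "$tmp/mRouter" "$tmp/mRouterJaguar"   # set-uid root-style mode
    chmod 0755 "$tmp/helper"                            # ordinary executable
    echo "set-uid files under $tmp ($(count_suid "$tmp")):"
    list_suid "$tmp"
    before=$(file_cksum "$tmp/mRouter")
    touch "$tmp/mRouter"   # mtime changes, contents do not: the prebinding case
    if suid_changed "$tmp/mRouter" "$before"; then
        echo "mRouter contents changed"
    else
        echo "mRouter mtime changed but contents identical: not a patch"
    fi
    rm -rf "$tmp"
}

demo
```

Run it against the directory that holds the helpers to see which files still carry the set-uid bit; keep the checksums from before an update and compare afterwards rather than reading `ls -l` dates.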