Security Issue with Mac OS X

From: Christopher Allene (cwisat_private)
Date: Thu Sep 12 2002 - 17:52:28 PDT


    Below is the copy of the email I sent to Apple a week ago (I have
    dropped them a copy of the mail on their feedback web page, too.)
    
    Since I haven't heard from them since, I have chosen to make the security
    issue available to the community. Below the copy of the mail is a short
    discussion of the problem.
    
    -- Begin mail --
    
    Date: Fri, 6 Sep 2002 02:53:27 +0200
    From: Christopher Allene <cwisat_private>
    To: bugreportat_private
    
    There is a severe security issue with Mac OS X 10.2 Jaguar, which allows
    any user of the system to navigate through the entire filesystem, and
    possibly overwrite any file. The security issue lies within the "NetInfo
    Manager" application, which is setuid root. Whenever a user runs this
    application, the entire application is running as root.
    
    Therefore, if the user runs "NetInfo Manager" and chooses to print the
    window content by choosing "Domain: Print", the Print dialog is running
    as root. By choosing to "Save as PDF", the associated file manager
    window is itself running as root, thus allowing the user to navigate all
    files on the connected hard disks. Moreover, by creating a filesystem
    link to any file of the filesystem, calling the link "dummy.pdf", and
    then saving the PDF over this link, the user is then allowed to
    overwrite the contents of any file of the filesystem, including system
    files or files owned by other users on the system.
    
    Although this security hole cannot be used to gain privileged status
    with a clean install of Jaguar, it might be possible for a malicious
    user to install a custom Print Driver of his choosing, which could, for
    example, run a copy of Terminal.app as root, thus allowing the attacker
    to gain root access.
    
    A similar security issue has already been discovered a few months ago,
    where running "NetInfo Manager" allowed any user to become root while
    choosing a program from the Apple menu. Setuid applications have severe
    security implications; this should not be forgotten.
    
    Also, note that of all the programs shipped with Jaguar which are
    setuid root, NetInfo Manager is the only program which does not "drop
    privileges".
    
    I am hoping that a security fix will be available as soon as possible.
    For the good of the community, I am not going to divulge this security
    issue for a reasonable period of time or until you provide a fix or
    publish a technical note about it, whichever comes first. Do not
    hesitate to contact me should you need more information about this
    problem.
    
    Regards,
    
    Christopher Allene
    
    -- End mail --
    
    I find it pathetic that Apple hasn't learnt enough from the past. We all
    remember the "Apple menu" security problem, where running an
    application program setuid root, and then opening a program from the
    "Recent Items" submenu of the Apple menu, made that application program
    run as root. Instead of fixing the problem, they made a workaround
    around the symptom by dropping privileges before running a program from
    the Apple menu.
    
    I did a quick search on the other setuid programs installed with Mac
    OS X; all the other programs drop privileges whenever possible, and
    as such are immune to this kind of attack.
    
    What's really weird about this issue is that NetInfo Manager asks for
    an administrator password whenever changing NetInfo hives, despite the
    fact it is _already_ running as root. The API it uses for asking the
    password already jumps privileges, so I wondered why the setuid. Thus,
    I removed it, and the "Enable/Disable root password" feature stopped
    functioning, but the other features continued to function very well.
    
    Also, I haven't had enough confidence with Mac OS X development to look
    for a way to use this security hole to become root. A possible path
    could be to develop a custom Print driver which runs Terminal.app.
    If there is a way to load a Print driver from the user's Library
    folder, you would gain root on the system.
    
    In the meantime, this security issue could be used to make the system
    unusable, for example by overwriting the Finder application program
    with a PDF file.
    
    Until Apple fixes the bug, I recommend that anyone running Mac OS X in a
    multiuser environment drop the setuid bit on the NetInfo Manager
    program.
    
    Hoping that Apple will fix this problem as soon as possible, like they
    seemed to do in the past,
    
    -- 
    Christopher Allène
    
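The post's central point is that a setuid-root program must drop privileges before doing anything user-driven (such as opening a Print dialog). Below is an added example, not code from the post or from Apple, of the POSIX pattern for a permanent privilege drop with a verification step; the target uid/gid are assumed to be the real ids the program was launched with.

```c
/* Permanent privilege drop for a setuid-root program, with verification.
 * Added illustration of the "drop privileges" pattern the post describes;
 * not Apple's code. Uses only POSIX/BSD calls: setgroups, setgid, setuid. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop permanently to uid/gid. Returns 0 on success, -1 on failure.
 * Order matters: supplementary groups first, then gid, then uid, because
 * once the uid is no longer root the gid can no longer be changed. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0)            /* "dropping" to root is not a drop */
        return -1;
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;           /* clear supplementary groups while still root */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)    /* as root this sets real, effective and saved uid */
        return -1;

    /* Verify every id actually changed. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    /* Verify the drop is permanent: regaining root must now fail. */
    if (setuid(0) == 0)
        return -1;
    return 0;
}

/* 1 if any uid of the process is still root, else 0. */
int still_root(void)
{
    return getuid() == 0 || geteuid() == 0;
}

int main(void)
{
    /* Drop to the invoking user; a real setuid program would do this before
     * presenting any dialog that can browse or write files. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("running as uid %u, root=%d\n", (unsigned)getuid(), still_root());
    return 0;
}
```

When run as an ordinary user the drop is a no-op that still passes every check; when run as root it must name a non-root target, as the test below does.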
    This archive was generated by hypermail 2b30 : Fri Sep 13 2002 - 12:35:44 PDT