Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Local root exploit on Mac OS X with Adobe Version Cue
From: Chet Ramey <chet () caleb ins cwru edu>
Date: Tue, 7 Dec 2004 14:05:14 -0500

Local root exploit on Mac OS X 10.3.6 with Adobe products installed
Found by Jonathan Bringhurst <fintler () gmail com NOSPAM>


It's possible to create a suid root shell with a non-privileged user
on a Mac OS X 10.3.6 system with Adobe Version Cue installed. Adobe
Version Cue is installed by default with virtually every recent Adobe
product. This most likely affects many versions of Mac OS X and Adobe
Version Cue.


Scripts to start and stop Adobe Version Cue are suid root and do not
make any checks to see if they are running from the correct path. By
setting the current path to a controlled directory and creating
scripts with specific names, a user can have a custom script run euid

This is the result of an Apple-introduced problem in bash-2.05b.  Bash,
as distributed, gives up setuid privileges when invoked without the -p
option, if the kernel allows setuid scripts to run.  Apple changed bash
to keep setuid if bash is invoked as `sh'.

You can solve this particular problem by removing the setuid bit from
the scripts and tightening up path checking, but it's going to be a
potential problem until Apple reconsiders their permitting setuid scripts.


``The lyf so short, the craft so long to lerne.'' - Chaucer
( ``Discere est Dolere'' -- chet )
Chet Ramey, ITS, CWRU    chet () po cwru edu    http://tiswww.tis.cwru.edu/~chet/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]