Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: oh oh 0 day - MyTV/x Version 3.6.6 & 4.0.8 for MyTV.PVR allows local authentication bypass and root access on Apple Mac OS X
From: "Kevin Finisterre (lists)" <kf_lists () digitalmunition com>
Date: Mon, 26 Nov 2007 11:47:07 -0500

I don't recall off the top of my head what they were but there are  
other ways to use this program to obtain root. I believe the scheduled  
recording can be used to leverage root if I remember correctly.
-KF

On Nov 26, 2007, at 10:15 AM, David Wharton wrote:

Version 1.0
October 1996
                      CERT(R) Coordination Center
              Product Vulnerability Reporting Form

CONTACT INFORMATION
= 
= 
======================================================================
=======

 Name                 : David Wharton
 E-mail                       : security () davidwharton us
 Phone / fax          :
 Affiliation and address: Information Security Graduate Student at
Georgia Tech (http://www.cc.gatech.edu/education/grad/ms-infosec)


Have you reported this to the vendor?  [yes/no] yes

        If so, please let us know whom you've contacted:

      Date of your report     : 5 Apr 2007
      Vendor contact name     : Pedro Muniz
      Vendor contact phone    :
      Vendor contact e-mail   : techsupport () eskapelabs com (April 5, 2007),
pmuniz () hauppauge com (April 18, 2007, May 10, 2007)
      Vendor reference number :


POLICY INFO
= 
= 
======================================================================
=======
We encourage communication between vendors and their customers.  When
we forward a report to the vendor, we include the reporter's name and
contact information unless you let us know otherwise.

If you want this report to remain anonymous, please check here:

      ___ Do not release my identity to your vendor contact.


TECHNICAL INFO
= 
= 
======================================================================
=======
If there is a CERT Vulnerability tracking number please put it
here (otherwise leave blank): VU#______.


Please describe the vulnerability.
Summary:
MyTV/x Version 3.6.6 & 4.0.8 for MyTV.PVR allows local authentication
bypass and root access on Apple Mac OS X.

Details:
MyTV/x Version 3.6.6 & 4.0.8 for MyTV.PVR is the software that ships
with MyTV, a Personal Video Recorder (PVR) manufactured by Escape
Labs (http://www.eskapelabs.com/mytv.html).  MyTV.PVR is an external
hardware device that connects to a computer via USB.  The PVR
hardware can receive infrared signals and this is designed to support
input from a channel changer.  However, when a computer running MyTV/
x version 3.6.6 or 4.0.8 on Apple Mac OS X (I have confirmed this is
true for 10.4.9-10.4.11 but dot not know about other versions of OS
X) starts up, a local user can, without authenticating, cause the
MyTV/x software to launch as root.  When the program launches, it
brings up the MyTV/x menus along with the Apple menu.  From the Apple
menu, you can open up System Preferences and because you are running
as root, you can add (and remove) users, including Administrators.
After fooling around with it, I was able to get to the Finder, open a
shell, and verify that root access had been gained.

Steps To Reproduce:
1) Install MyTV/x Version 3.6.6 or 4.0.8 and attach (and power on)
MyTV.PVR.
2) (Re)boot.
3) When the authentication "window" comes up asking you to log in to
OS X, point the channel changer (this is included with MyTV.PVR) at
the PVR device and press the "Power" button.
4) MyTV/x launches (as root) and gives access to the Apple menu which
gives access to the entire computer.

What is the impact of this vulnerability?
- -----------------------------------------

   a) What is the specific impact:
      Local user can gain root access without doing any authentication
   b) How would you envision it being used in an attack scenario:
      Well, you have to have physical access and be running the vulnerable
software as well as its associated hardware but if the situation is
right, root access can be gained and then there are a myriad of
possibilities....

To your knowledge is the vulnerability currently being exploited?
- -----------------------------------------------------------------
      [yes/no] no

If there is an exploitation script available, please include it here.
-  
---------------------------------------------------------------------

Do you know what systems and/or configurations are vulnerable?
- --------------------------------------------------------------
      [yes/no]  (If yes, please list them below)
      
      yes
      
      System          : Apple Mac
      OS version      : 10.4.9, 10.4.11
      Verified/Guessed: verified 10.4.9, 10.4.10, 10.4.11, guessed 10.x

      Software: MyTV/x Version 3.6.6 (http://www.eskapelabs.com/files/CD-
MYPVR-V1.4.dmg.gz)
                MyTV/x Version 4.0.8

Are you aware of any workarounds and/or fixes for this vulnerability?
-  
---------------------------------------------------------------------
      [yes/no] (If you have a workaround or are aware of patches
            please include the information here.)
no


OTHER INFORMATION
= 
= 
======================================================================
===
Is there anything else you would like to tell us?

Some pictures of root access without authenticating are available
upon request.  I spoke with Apple about this vulnerability and they
said, "Mac OS X applications running as root are allowed to display
UI even when no user is logged in."  Apple encouraged me to continue
to work with CERT and Escape Labs on this issue.

- --------
CERT and CERT Coordination Center are registered in the U.S. Patent
and Trademark office.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault