[CS-FSLUG] Mac OS X Multiple Vulnerabilities
Fred A. Miller
fmiller at lightlink.com
Thu Jan 20 12:32:33 CST 2005
Mac OS X Multiple Vulnerabilities
CRITICAL:
Less critical
IMPACT:
Exposure of sensitive information, Privilege escalation, DoS
WHERE: Local system
OPERATING SYSTEM:
Apple Macintosh OS X
http://secunia.com/product/96/
DESCRIPTION:
Multiple vulnerabilities have been reported in Mac OS X, which can be
exploited by malicious, local users to cause a DoS (Denial of
Service), disclose sensitive information, or gain escalated
privileges.
1) An integer overflow in the "searchfs()" system call when handling
the sizeofsearchparams1 and sizeofsearchparams2 variables in a
fssearchblock structure can be exploited to cause a buffer overflow.
Successful exploitation may allow execution of arbitrary code with
escalated privileges.
The vulnerability has been reported in Mac OS X 10.3.4 as of 22nd
June 2004 (Darwin kernel xnu-517.7.7). Other versions may also be
affected.
Reportedly, several older NetBSD vulnerabilities including a
signedness error in the "semop()" system call still affect Mac OS X
(see other references for more information).
2) An error in the "at" setuid root utility can be exploited to
disclose the contents of arbitrary files by specifying them as job
file to the "-f" command line option and then reading the created
job.
The vulnerability has been reported in Mac OS X 10.3.4 (Darwin kernel
xnu-517.7.7) and has been confirmed in Mac OS X 10.3.7 (Darwin kernel
xnu-517.9.5). Other versions may also be affected.
3) Signedness errors in the "parse_machfile()" function within the
Mach-O loader can be exploited to crash the system via a specially
crafted Mach-O header.
The vulnerability has been reported in Mac OS X 10.3.7 and prior.
SOLUTION:
Grant only trusted users access to affected systems.
PROVIDED AND/OR DISCOVERED BY:
1, 2) Immunity
3) nemo, felinemenace.org.
ORIGINAL ADVISORY:
Immunity:
http://www.immunitysec.com/downloads/nukido.pdf
felinemenace.org:
http://www.felinemenace.org/advisories/macosx.txt
OTHER REFERENCES:
Old NetBSD advisory:
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2001-015.txt.asc
--
The only bug free software from MickySoft is still shrink-wrapped
in their warehouse..."
More information about the Christiansource
mailing list