In association with heise online

21 August 2006, 20:10

Insecure Déjà Vu event under Mac OS X


Even Mac users are not spared the consequences of sloppy programming. One example is the Déjà Vu backup software from Propaganda Productions, a slimmed-down version of which is bundled with the popular CD burning software Roxio Toast Titanium. As the Netragard Vulnerability Research Team has discovered, malicious software can exploit a flaw in it to gain complete control over a computer, even when running in an account with restricted privileges.

During operations such as a manual backup of data, Déjà Vu uses external modules included in the package to call command line tools such as rm, mv and chmod through the Unix system() function. However, it does not pass the full path, e.g. /bin/rm, but only the bare command name, leaving the system to locate the executable using the contents of the PATH environment variable. If an attacker manipulates the PATH environment variable by adding a folder containing malicious programs named rm, mv or chmod, Déjà Vu will unwittingly call those instead.

But it gets worse. Because Déjà Vu's external modules have the setuid bit set, they run with the privileges of their owner, the super user root, and so the commands called by the program are also executed at this level of privilege; they can thus cause unrestricted damage to the system. Conferring high privileges on programs by means of the setuid bit is not in itself unusual. This approach is, however, meant to be used only when a user with restricted rights needs to carry out actions that require higher privileges, and it has long been recognised as a potential security risk.
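The two paragraphs above describe the whole mechanism: a privileged helper shells out to a bare command name, and the shell resolves that name through a PATH the unprivileged caller controls. The following C program is an added illustration and is not code from Déjà Vu, Propaganda Productions or Netragard; the helper functions `remove_file_insecure`, `remove_file_hardened`, `resolve_in_path` and `first_writable_path_entry` are hypothetical names chosen here. It shows the insecure pattern next to a hardened one (absolute path, no shell, fixed environment, privileges dropped before exec) and includes a small audit check that flags a PATH whose first writable entry precedes the system directories, which is the precondition for the hijack the article describes.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Hypothetical privileged helper (not Déjà Vu's code) that deletes a file.
 * It stands in for the external modules the article describes. */

/* INSECURE pattern: system() hands the string to /bin/sh, which resolves the
 * bare name "rm" through the PATH inherited from the unprivileged caller.
 * If this helper is setuid root, whatever "rm" PATH finds first runs as root. */
int remove_file_insecure(const char *path)
{
    char cmd[4096];
    snprintf(cmd, sizeof cmd, "rm -f %s", path); /* bare command, inherited env */
    return system(cmd);
}

/* HARDENED pattern: absolute program path, no shell, a fixed minimal
 * environment, and privileges dropped to the invoking user before exec. */
int remove_file_hardened(const char *path)
{
    static char *const safe_env[] = { "PATH=/usr/bin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Give up the setuid privilege first: rm only needs the caller's rights. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(127);
        char *const argv[] = { "rm", "-f", "--", (char *)path, NULL };
        execve("/bin/rm", argv, safe_env); /* absolute path: PATH is never consulted */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Walk a PATH string the way the shell does and write the first executable
 * <dir>/<cmd> into out. Returns 1 if found, 0 otherwise. Empty entries
 * (which the shell treats as the current directory) are skipped here. */
int resolve_in_path(const char *cmd, const char *path_env, char *out, size_t outlen)
{
    const char *p = path_env;
    while (p && *p) {
        const char *colon = strchr(p, ':');
        size_t dirlen = colon ? (size_t)(colon - p) : strlen(p);
        if (dirlen > 0 && dirlen + 1 + strlen(cmd) + 1 <= outlen) {
            memcpy(out, p, dirlen);
            out[dirlen] = '/';
            strcpy(out + dirlen + 1, cmd);
            if (access(out, X_OK) == 0)
                return 1;
        }
        if (!colon)
            break;
        p = colon + 1;
    }
    out[0] = '\0';
    return 0;
}

/* Convenience for checks: does cmd resolve to exactly `expected` under path_env? */
int resolves_to(const char *cmd, const char *path_env, const char *expected)
{
    char hit[4096];
    return resolve_in_path(cmd, path_env, hit, sizeof hit) && strcmp(hit, expected) == 0;
}

/* Audit check: 0-based index of the first PATH entry writable by the current
 * user, or -1 if none. A writable entry ahead of /bin and /usr/bin means a
 * privileged system("rm ...") would pick up whatever is planted there. */
int first_writable_path_entry(const char *path_env)
{
    char dir[4096];
    const char *p = path_env;
    int idx = 0;
    while (p && *p) {
        const char *colon = strchr(p, ':');
        size_t dirlen = colon ? (size_t)(colon - p) : strlen(p);
        if (dirlen > 0 && dirlen < sizeof dir) {
            memcpy(dir, p, dirlen);
            dir[dirlen] = '\0';
            if (access(dir, W_OK) == 0)
                return idx;
        }
        if (!colon)
            break;
        p = colon + 1;
        idx++;
    }
    return -1;
}

/* Self-check: create a temporary file (constructed input) and remove it through
 * the hardened path. Returns 1 if the file is gone afterwards. */
int demo_hardened_removal(void)
{
    char tmpl[] = "/tmp/privhelper_demo_XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return 0;
    close(fd);
    if (remove_file_hardened(tmpl) != 0)
        return 0;
    return access(tmpl, F_OK) != 0;
}

int main(void)
{
    char hit[4096];
    const char *path = "/tmp:/usr/bin:/bin"; /* constructed example PATH */
    if (resolve_in_path("rm", path, hit, sizeof hit))
        printf("bare \"rm\" under PATH=%s resolves to %s\n", path, hit);
    int w = first_writable_path_entry(path);
    if (w >= 0)
        printf("PATH entry %d is user-writable: a privileged system(\"rm ...\") is hijackable\n", w);
    printf("hardened removal %s\n", demo_hardened_removal() ? "ok" : "failed");
    return 0;
}
```

The hardened variant fixes three things at once: `execve` with an absolute path never consults PATH; the fixed `safe_env` discards any other inherited variables a shell might honour; and dropping to the real user ID before exec means that even if the child were subverted it would hold no more rights than the person who started the backup. Note that `remove_file_insecure` would additionally be open to shell metacharacters in `path`, another reason to avoid `system()` in privileged code.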

The attack works regardless of the group to which the active user belongs, that is, whether the user has administrator privileges on the Mac or is a user with restricted privileges. Netragard states that it has informed the manufacturer; as yet, however, there is no patch available.


(ehe)

Permalink: http://h-online.com/-731396