In association with heise online

07 January 2007, 13:29

Month of Apple Bugs: Local root exploit already being actively exploited


The activists behind the Month of Apple Bugs have presented Apple bug number five: a zero-day exploit that is already being used to gain root privileges. It is based on a flaw in Apple's Disk Management Framework. Among other things, its repair mechanism can be used to correct incorrect file permissions -- or to grant higher ones. All a malicious program has to do is create a suitable Bill of Materials (BOM) and launch a repair. It can then overwrite any files it wants and set whatever permissions it desires.

To exploit the flaw, you have to be able to overwrite BOMs in /Library/Receipts/. The user account created during installation has this right because it is a member of the admin group, and most Mac users work with this account. One of the demo exploits provided sets the setuid bit on a root-owned copy of the shell, so that once it is launched the user works directly as root, without having to enter a password.

The previous MOAB bugs only allowed attackers to execute code with the rights of an ordinary user. That is bad enough; after all, it allows files to be read, deleted and manipulated, back doors to be installed, and local users to be spied on. However, history shows that "local privilege escalation" flaws have repeatedly been found on all operating systems. They allow an attacker or a malicious program to obtain administrative rights so that it can, for example, embed itself deeply in the system.

The MOAB activists say that the hole they have just published is just such a flaw; it affects Mac OS X (i86 and PPC) and is already being actively exploited. They do not reveal how long the flaw has been exploited; rather, at the end of their security advisory they only analyse the demo program provided to them by a third party. As a temporary workaround, the MOAB team recommends running sudo chmod -s /System/Library/PrivateFrameworks/DiskManagement.framework/Resources/DiskManagementTool to remove the tool's setuid bit. chmod +s can then be used to restore the bit once a patch has been installed. The MOAB Fix Group is, however, already discussing other remedies that would not limit the repair functions.
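The workaround above boils down to checking for and toggling the setuid bit on one binary. The following shell script is an added example, not code from the article or from the MOAB team: it wraps the check, the removal and the later restore in small functions, and adds an audit function that lists every setuid file below a directory, so an administrator can confirm the bit is really gone (or back) rather than trusting that the command ran. The path argument is a parameter so the functions can be exercised on a scratch file instead of the real framework binary; POSIX `test -u`, `chmod` and `find -perm -4000` are assumed to be available.

```shell
#!/bin/sh
# Added example (not from the article): audit and toggle the setuid bit on a
# tool path, mirroring the MOAB workaround for DiskManagementTool.
# Assumptions: POSIX sh with `test -u`, `chmod` and `find -perm`; the path is
# passed in so this can be tried on a scratch file first.

# has_setuid PATH -> exit 0 (and report) if the setuid bit is set on PATH
has_setuid() {
    if [ -u "$1" ]; then
        echo "setuid: $1"
        return 0
    fi
    echo "no-setuid: $1"
    return 1
}

# drop_setuid PATH -> remove the setuid bit (the article's `chmod -s` step)
drop_setuid() {
    chmod u-s "$1"
}

# restore_setuid PATH -> put the bit back once a patch is installed (`chmod +s`)
restore_setuid() {
    chmod u+s "$1"
}

# audit_setuid DIR -> list every regular file below DIR that still carries
# the setuid bit, e.g. a framework's Resources directory after the workaround
audit_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Stand-alone demonstration on a constructed scratch file, never on a real tool
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    demo_tool="$demo_dir/tool"
    : > "$demo_tool"
    restore_setuid "$demo_tool"      # simulate a setuid binary
    has_setuid "$demo_tool"
    audit_setuid "$demo_dir"
    drop_setuid "$demo_tool"         # apply the workaround
    has_setuid "$demo_tool" || echo "workaround applied"
    rm -rf "$demo_dir"
fi
```

Run it with `sh setuid-check.sh --demo` to see the cycle on a scratch file; for the real workaround, call `drop_setuid` with the DiskManagementTool path under `sudo`, and run `audit_setuid` over the framework's Resources directory afterwards to confirm nothing setuid remains.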
