- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Apple Mac OS X Mach Port Inheritance Privilege Escalation Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://developer.apple.com/documentation/Darwin/Conceptual/KernelProgramming/boundaries/chapter_14_section_4.html> Mach ports are used to provide inter-process communication (IPC) facilities on Mac OS X.
Local exploitation of an access validation vulnerability in Apple Inc.'s
Mac OS X could allow an attacker to execute arbitrary code with root
privileges.
DETAILS
Vulnerable Systems:
* Mac OS X version 10.4.10, both Server and Workstation.
* (Previous versions may also be affected.)
When executing a setuid-root binary, the Mach kernel does not reset the
current thread Mach port, or the current thread Mach Exception Port. By
first creating and obtaining write access to a Mach port, and then
executing a set-uid root binary, an attacker can write arbitrary data into
the address space of the process running as root. This leads to arbitrary
code execution in the privileged process.
Successful exploitation of this vulnerability results in the execution of
arbitrary code with root privileges. All an attacker needs is a
setuid-root binary and permission to execute it. In a default install,
there are numerous binaries that meet these requirements.
Vendor Status:
Apple addressed this vulnerability within their Mac OS X 2007-008 security
update.
<http://docs.info.apple.com/article.html?artnum=307041>
http://docs.info.apple.com/article.html?artnum=307041
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3749>
CVE-2007-3749
Disclosure Timeline:
* 09/07/2007 - Initial vendor notification
* 09/10/2007 - Initial vendor response
* 11/14/2007 - Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by iDefense.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=630
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
No comments:
Post a Comment