Sunday, May 27, 2007

[NEWS] Apple Computer Mac OS X pppd Plugin Loading Privilege Escalation Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


- - - - - - - - -

Apple Computer Mac OS X pppd Plugin Loading Privilege Escalation
Vulnerability
------------------------------------------------------------------------


SUMMARY

Apple Mac OS X
<http://developer.apple.com/documentation/Darwin/Reference/Manpages/man8/pppd.8.html> pppd is "a setuid root application that is used to establish and configure connections for point to point links. It is commonly used for configuring traditional dial-up modem and DSL connections".

Local exploitation of a privilege escalation vulnerability in Apple
Computer Inc.'s Mac OS X pppd could allow an attacker to gain root
privileges.

DETAILS

Vulnerable Systems:
* pppd in version 10.4.8 of Mac OS X.
* Other versions may also be affected.

The vulnerability exists due to insufficient access validation when
processing the "plugin" command line option. The application does not
properly verify that the requesting user has root privileges and allows
any user to load plug-ins.

When checking to see if the executing user has root privileges, a check is
made to see if the stdin file descriptor is owned by root. Passing this
check is trivial and allows the attacker to load arbitrary plug-ins
resulting in arbitrary code execution with root privileges.

Exploitation is trivial and grants root access.

This vulnerability cannot be triggered remotely; an attacker needs local
access to the victim's system in order to exploit this vulnerability. pppd
is installed by default.

Workaround:
Remove the setuid bit from the pppd binary. This will prevent users
without root privileges from being able to properly use the program.

Vendor Status:
Apple Inc has addressed this vulnerability in Apple Security Update
2007-005. More information can be found from Apple's Security Update page
or the Security Update 2007-005 advisory page at the respective URLs
below.
<http://docs.info.apple.com/article.html?artnum=61798>

http://docs.info.apple.com/article.html?artnum=61798

<http://docs.info.apple.com/article.html?artnum=305530>

http://docs.info.apple.com/article.html?artnum=305530

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0752>
CVE-2007-0752

Disclosure Timeline:
* 01/08/2007 - Initial vendor notification
* 01/09/2007 - Initial vendor response
* 05/24/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense.
The original article can be found at:

<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=537>

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=537

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments:

Post a Comment