January 19, 2005

NUKIDO: Various Local Vulnerabilities in Mac OS X 10.3.x

Several kernel-level bounds-checking vulnerabilities were found during an audit performed by the Immunity team on the recent Darwin kernel xnu-517.7.7. These vulnerabilities are mostly in user-to-kernel memory copy operations and in allocations of kernel memory driven by user-supplied size value(s).

Well, they also included an interesting bug in at(1). Actually, I am still wondering how someone could take advantage of /etc/master.passwd in multi-user mode. The /etc/master.passwd file is consulted when the system is running in single-user mode. At other times this information is handled by lookupd. By default, lookupd gets information from NetInfo, so this file will not be consulted unless someone has changed lookupd's configuration.

BTW, Mac OS X 10.3.7 is still using a buggy version of sudo. Last week I received a mail reply from the Apple Product Security Team; they said my information has been passed along to their engineering team for further analysis.
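
The point about /etc/master.passwd above can be checked on a copy of the file. The following Python sketch is an added example, not code from this post or from the advisory: it parses the standard BSD ten-field master.passwd record and reports which accounts carry anything other than a locked "*" password field. The sample mixes entries from the listing in the comments with one constructed testuser record, and the function names are hypothetical.

```python
from dataclasses import dataclass

# BSD master.passwd record layout: ten colon-separated fields.
FIELDS = ("name", "password", "uid", "gid", "class", "change",
          "expire", "gecos", "home", "shell")

@dataclass
class Entry:
    name: str
    uid: int
    shell: str
    status: str  # "locked", "empty" or "hash"

def classify(password):
    if password == "":
        return "empty"   # no password set at all
    if password.startswith("*"):
        return "locked"  # no crypt(3) hash starts with '*', so nothing matches
    return "hash"        # anything else is treated as hash material

def parse_master_passwd(text):
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue     # blank line or header comment
        parts = line.split(":")
        try:
            if len(parts) != len(FIELDS):
                raise ValueError("wrong field count")
            uid = int(parts[2])
        except ValueError:
            malformed.append((lineno, line))
            continue
        rec = dict(zip(FIELDS, parts))
        entries.append(Entry(rec["name"], uid, rec["shell"],
                             classify(rec["password"])))
    return entries, malformed

def disclosure_findings(entries):
    # Accounts whose record would give a reader something usable if it leaked.
    return [e.name for e in entries if e.status != "locked"]

# Constructed sample: four records as shown in the comments, the ":" elision
# line from that listing, and one made-up record with a placeholder hash.
SAMPLE = """##
# User Database
##
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0::0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1::0:0:System Services:/var/root:/usr/bin/false
:
cyrus:*:77:6::0:0:Cyrus User:/var/imap:/usr/bin/false
testuser:CONSTRUCTEDHASH00:501:20::0:0:Constructed User:/Users/testuser:/bin/bash
"""

if __name__ == "__main__":
    entries, malformed = parse_master_passwd(SAMPLE)
    print("malformed:", malformed)
    print("exposed if disclosed:", disclosure_findings(entries))
```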

4 Comments »

  1. macsux!!!
    btw, the comments are really quiet, since nobody is discussing Roy Suryo. If someone were… we could all have fun saying "hi Roy".

    Comment by amen — January 22, 2005 @ 6:40 pm

  2. As a bug reporter, what was your experience with Apple… I am looking for something to compare mine to. kf_lists[at]digitalmunition[dot]com
    -KF

    Comment by KF — January 27, 2005 @ 3:37 am

  3. /etc/master.passwd

    Last login: Thu Jan 27 15:32:30 on ttyp2
    Welcome to Darwin!
    G4x:~ agd$ cd /etc
    G4x:/etc agd$ sudo vi master.passwd
    Password:

    ##
    # User Database
    #
    # Note that this file is consulted when the system is running in single-user
    # mode. At other times this information is handled by lookupd. By default,
    # lookupd gets information from NetInfo, so this file will not be consulted
    # unless you have changed lookupd’s configuration.
    ##
    nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
    root:*:0:0::0:0:System Administrator:/var/root:/bin/sh
    daemon:*:1:1::0:0:System Services:/var/root:/usr/bin/false
    :
    .
    cyrus:*:77:6::0:0:Cyrus User:/var/imap:/usr/bin/false
    mailman:*:78:78::0:0:Mailman user:/var/empty:/usr/bin/false
    appserver:*:79:79::0:0:Application Server:/var/empty:/usr/bin/false
    "master.passwd" 23L, 1259C

    What's wrong?!

    Comment by AgD — January 27, 2005 @ 8:34 am

  4. AgD, if you read the NUKIDO advisory carefully, the exploitation of at will give you the content of the master.passwd file. But did you understand^Wread the master.passwd file header? Hope you get the idea.

    Comment by anonymous — January 27, 2005 @ 9:12 am
