Matasano Advisory: MacOS X Mach Exception Server Privilege Escalation

2006.10.03
Credit: Dino Dai Zovi <ddz _at_ matasano.com>
Risk: High
Local: Yes
Remote: No
CVE: CVE-2006-4392
CWE: CWE-Other


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Matasano Security Advisory MacOS X Mach Exception Server Privilege Escalation Release Date: Fri Sep 29 2006 Affects: MacOS X 10.4 < 10.4.8, 10.3.*, OpenStep 4.2 Severity: High - Local root privilege escalation Credit: Dino Dai Zovi <ddz _at_ matasano.com> Vendor Status: MacOS X 10.4.8 fixes vulnerability Workarounds: None I. Synopsis MacOS X uses Mach exception ports to support the CrashReporter "Application Quit Unexpectedly" dialog, Problem Report dialog, process debugging, and crash dumps logs. On vulnerable operating systems, attackers can exploit the inheritance of Mach exception ports to inject code into SUID processes, allowing nonprivileged users to assume root privileges. II. Description A number of Mach-based Unix operating systems (including MacOS X and OpenStep) allow SUID executables to inherit the parent processes' exception ports. When an exception notification is received, the parent calls the kernel exception server exc_server() to process the exception and call any of a set of defined callback functions. The catch_exception_raise() callback is given Mach port send rights to the Mach thread that generated the exception and the task containing the thread. These rights allow the parent to modify the thread's context and the task's address space. A parent process may exploit this by allocating memory in the child task's address space, copying in executable code, and causing a thread in the task to execute the injected code. Exploiting this vulnerability requires a SUID root executable that can forced to generate an exception. A number of common setuid root binaries like /usr/bin/at or /usr/bin/rlogin crash when executed with a NULL argv pointer, and this suffices to enable exploitation of this vulnerability. III. Target This vulnerability has been exploited on MacOS X 10.4 and 10.3 and verified to exist on OpenStep 4.2. It is assumed that releases of MacOS X prior to 10.3 are also vulnerable, as well as earlier releases of OpenStep and NeXTSTEP. IV. Impact Unprivileged attackers with local access can obtain root credentials. V. Vendor Response Apple has resolved this vulnerability as of MacOS X 10.4.8. VI. Workarounds As this vulnerability exists in the operating system kernel, there are no known workarounds. VII. Origin Dino Dai Zovi, Matasano Security ddz _at_ matasano.com http://www.matasano.com http://www.matasano.com/log For the more information and updates on this advisory, see the expanded version on our blog: http://www.matasano.com/log/530/matasano-advisory-macos-x-mach- exception-server-privilege-escalation/ or contact: advisories _at_ matasano.com


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top