Month of Apple Bugs reveals utility exploit


Today's Month of Apple Bugs disclosure appears to be the most serious so far.

The problem is that various programs in the /Applications folder run as root, yet users in the admin group have sufficient privileges to overwrite them. If that happens, the next time someone - including the malicious user who replaced the file(s) - repairs permissions, the ownership and permissions will be reset to their original state, and so the bogus program will run as root.

(Note that we are talking about executable binaries contained within the application bundles, not the entire applications.)

Admin users require write access to the /Applications folder in order to install or update software, but this combination of circumstances (akin to the Application Enhancer vulnerability previously disclosed by MoAB) opens the possibilities for a serious exploit - especially as repairing permissions is a commonly used troubleshooting step.

Once a malicious user or a piece of malware has been able to overwrite one executable that runs as root and then permissions are repaired, the system is compromised as soon as any user runs that program.

LMH describes a scheme whereby a virus-like program could add some code to affected binaries that would be executed before the 'real' program. Since that code runs as root - as does the real program - it can do essentially anything.

A proof of concept is under development by LMH and Gil Dabah, who "intend to release it first to AV companies, before public distribution."

Such code could presumably be used by malicious individuals who have physical access to a system. Those seeking a remote attack would either need to trick users into running a program (i.e., a Trojan Horse) or to combine it with a different vulnerability that allows the remote execution of arbitrary code.

MoAB suggests as a workaround the removal of the setuid bit from the DiskManagementTool binary used to repair permissions.
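An audit check for the condition described above, added here as an example and not part of the original article or of the MoAB disclosure: it walks a directory tree and reports root-owned executables that the admin group (gid 80 on macOS, an assumption used for illustration) or anyone can overwrite, noting which of them also carry the setuid bit.

```python
"""Audit helper (added example): list executables that would run as root yet
can be overwritten by the admin group or by everyone, i.e. the combination
the MoAB disclosure describes. Reads real ownership/mode via os.lstat."""
import os
import stat
from dataclasses import dataclass

ADMIN_GID = 80  # assumption: the 'admin' group on macOS


@dataclass
class Finding:
    path: str
    setuid: bool        # True when the file also carries the setuid bit
    writable_by: str    # "group" (admin group) or "world"


def classify(mode: int, uid: int, gid: int, admin_gid: int = ADMIN_GID):
    """Return "group", "world" or None for a single inode.

    Flags only regular, executable files owned by root (uid 0) whose mode
    lets the admin group or anyone write to them; directories, non-root
    files and files writable only by their owner are ignored."""
    if not stat.S_ISREG(mode) or uid != 0:
        return None
    if not mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return None
    if mode & stat.S_IWOTH:
        return "world"
    if mode & stat.S_IWGRP and gid == admin_gid:
        return "group"
    return None


def audit(root: str, admin_gid: int = ADMIN_GID) -> list:
    """Walk `root` (e.g. /Applications) and collect risky executables."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            why = classify(st.st_mode, st.st_uid, st.st_gid, admin_gid)
            if why:
                findings.append(Finding(path, bool(st.st_mode & stat.S_ISUID), why))
    return findings


if __name__ == "__main__":
    for f in audit("/Applications"):
        print(f"{'setuid ' if f.setuid else ''}{f.writable_by}-writable: {f.path}")
```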
