2008-09-17 09:30:00

MacOS 10 security update: cracked up, again

A number of very bizarre Apple specific vulnerabilities was discovered in MacOS 10 and cleaned up in the latest update 2008-003. Apart from some rather old vulnerabilities (well, at least from this year and not from 2005 this time), there were also a number of goodies which only turned up on Apple MacOS systems:

  • Overlong PostScript font names(!) overflow the heap and can lead to arbitrary code execution. Quite a classic one might say.
  • libresolv is updated to the post-CVE-2008-1447 version (see also the analysis). Ok. But the update is not declared as a DNS cache poisoning fix but rather as a performance problem?!
  • By entering LDAP search expressions into the user name field, LDAP users can be enumerated if the MacOS authenticates against Active Directory.
  • Cached credentials are not always flushed when a vnode is recycled. This means that it is not guaranteed that file permissions are actually applied! In fact, it is possible that a file is accessed with the permissions which had been granted on an entirely different file, resulting in loss of permissions or even privilege escalation.
  • A race condition in the login window can be abused to log in as any user without a password. If an account exists on the system which does not have a password, one just needs to log in as that user and log back out and then try to log in as a different user. If the race condition is triggered, then the login will succeed without any password.
  • If an user resets his password using the login window, the old password field is not cleared afterwards. This means that a malicious user can go to the unattended computer where the password was changed and change it again to some password he knows and then log in as the user. (However, it might just be easier to log in with no password.)
  • OpenLDAP is configured to have slapconfig store its password into a world readable file. Apple has quite a history on world readable and writable files, but some people never learn.
  • The PPP passwords are stored in an unencrypted, world-readable file. Well, see above for Apple and world-readable files.
  • Time Machine also stores log files from the backup with world readable permissions.
  • Remote access passwords are truncated to 8 characters. Uhm well. We had that problem as well but fixed it in the early 90s.
  • The Wiki Server mail archive stores mails unsanitized and thus permits cross site scripting. The other Open Source mailing list archives had that too but were fixed roughly 10 years ago.
  • The file permissions are slightly misrepresented with respect to remote access. However, instead of ensuring that remote access permissions are applied as intended, Apple added a note stating that this is not the case.

Have a nice MacOS 10.5 and enjoy the future bugs!


Posted by Tonnerre Lombard | Permanent link | File under: security, programming