(Apple Issues Fix for OS X 10.2) Service Location Protocol Daemon (slpd) Temporary File Flaw May Let Local Users Gain Root Privileges
|
|
SecurityTracker Alert ID: 1008254
|
|
CVE Reference: CAN-2003-0878
(Links to External Site)
|
Date: Nov 20 2003
|
Impact: Modification of system information, Modification of user information, Root access via local system, User access via local system
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): Mac OS X 10.2 and prior versions
|
Description: A vulnerability was reported in the Mac OS X Service Location Protocol responder (slpd). A local user may be able to gain elevated privileges on the system.
It is reported that when Personal File Sharing is enabled on Mac OS X, a local user can exploit a temporary file vulnerability.
A local user can create a symbolic link (symlink) from a critical file on the system to a file that slpd will create in the '/tmp'
directory. Then, when slpd creates the temporary file, the symlinked file will be written to with root level privileges. A local
user may be able to cause slpd to modify a file to grant the user root level access on the system.
The report notes that Personal
File Sharing is turned off by default.
The vendor credits @stake with reporting the flaw.
|
Impact: A local user may be able to modify files with root privileges to gain root access on the system.
|
Solution: Apple has released a fix as part of Security Update 2003-11-19 for Mac OS X 10.2.8, available at:
* Software Update pane in
System Preferences
* Apple's Software Downloads web site:
Security update 2003-11-19 for Jaguar 10.2.8
http://www.info.apple.com/kbnum/n120277
The download file is named: "SecurityUpd2003-11-19Jag.dmg"
Its SHA-1 digest is: bf6dfd69f084d1ffc0a0db9eff5252fb3213178b
|
Vendor URL: www.apple.com/macosx/ (Links to External Site)
|
Cause: Access control error, State error
|
Underlying OS: UNIX (Mac OS X)
|
OS Comments: 10.2 and prior versions
|
Reported By: Product Security <product-security@apple.com>
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Wed, 19 Nov 2003 17:40:26 -0800
From: Product Security <product-security@apple.com>
Subject: APPLE-SA-2003-11-19 Security Update 2003-11-19
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2003-11-19 Security Update 2003-11-19
Security Update 2003-11-19 is now available for Mac OS X 10.2.8 and
Mac OS X 10.3.
It is Apple's policy to quickly address significant vulnerabilities in
past releases of Mac OS X wherever feasible. Security Update
2003-11-19 includes updates to several components of Mac OS X v10.2
"Jaguar" that meet this criteria.
Updates for Mac OS X v10.2.8 "Jaguar" and Mac OS X Server v10.2.8
=================================================================
gm4: Fixes CAN-2001-1411 a format string vulnerability in the gm4
utility. No setuid root programs relied on gm4 and this fix is a
preventive measure against a possible future exploit.
groff: Fixes VU#399883 where the groff component pic contained a
format-string vulnerability.
Mail: Fixes CAN-2003-0881 the Mac OS X Mail application will no longer
fall back to plain text login when an account is configured to use MD5
Challenge Response.
OpenSSL: Fixes CAN-2003-0851 parsing particular malformed ASN.1
sequences are now handled in a more secure manner.
Personal File Sharing: Fixes CAN-2003-0878 when Personal File Sharing
is enabled, the slpd daemon can no longer create a root-owned file in
the /tmp directory to gain elevated privileges.
QuickTime for Java: Fixes CAN-2003-0871 a potential vulnerability that
could allow unauthorized access to a system.
zlib: Addresses CAN-2003-0107. While there were no functions in Mac
OS X that used the vulnerable gzprintf() function, the underlying
issue in zlib has been fixed to protect any third-party applications
that may potentially use this library.
Updates for Mac OS X v10.3.1 "Panther" and Mac OS X Server v10.3.1
==================================================================
OpenSSL: Fixes CAN-2003-0851 parsing particular malformed ASN.1
sequences are now handled in a more secure manner.
zlib: Addresses CAN-2003-0107. While there were no functions in Mac
OS X that used the vulnerable gzprintf() function, the underlying
issue in zlib has been fixed to protect any third-party applications
that may potentially use this library.
================================================
Security Update 2003-11-19 may be obtained from:
* Software Update pane in System Preferences
* Apple's Software Downloads web site:
Security update 2003-11-19 for Jaguar 10.2.8
http://www.info.apple.com/kbnum/n120277
The download file is named: "SecurityUpd2003-11-19Jag.dmg"
Its SHA-1 digest is: bf6dfd69f084d1ffc0a0db9eff5252fb3213178b
Security Update 2003-11-19 for Panther 10.3.1
http://www.info.apple.com/kbnum/n120278
The download file is named: "SecurityUpd2003-11-19.dmg"
Its SHA-1 digest is: 0cfb4c9048859a2e8a60424400e081da5ff84b80
Information will also be posted to the Apple Product Security web
site:
http://www.apple.com/support/security/security_updates.html
This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/security_pgp.html
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2
iQEVAwUBP7wbJ3eI0z6bzFr0AQLqBgf/VosadrRIxai1AJe4th5MfYPOSxz5aJBM
aMcuIdXhGLK01/Zynr//DSNSwJ1gPZefMQtFrvaF5BJvUS8hmWOu9PyCZbEo8hiX
YJc14ON7/edXEA0JDB9BuB6Hbaflh+DgW2FIp8pjDScvudtFheMWFPQDMhBR3Az3
B6y6lIe9olZ+wUsML9ireLzKfhBFZGF7c/kYIoSS4X5WlmQ19F30RdBbJI/b8Sn2
nIBgBM9YtgkuMVSoqhPgBPIrQLQ0Qa8NVPY9NpBjFHnDgpUjiqCtYYL97TATOiMi
khl84JnBdIOk8j/S8z1zTSPwMG1v7LJPxdzhMRC3UhdiKOHDPTrofg==
=DdeD
-----END PGP SIGNATURE-----
_______________________________________________
security-announce mailing list | security-announce@lists.apple.com
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/security-announce
Do not post admin requests to the list. They will be ignored.
|
|
