SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Generic)  >  Apple Remote Desktop Vendors:  Apple Computer
Apple Remote Desktop Client Lets Local Users Run Applications With Root Privileges
SecurityTracker Alert ID:  1011970
SecurityTracker URL:  http://securitytracker.com/id?1011970
CVE Reference:  CAN-2004-0962   (Links to External Site)
Date:  Oct 27 2004
Impact:  Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): 1.2.4
Description:  A vulnerability was reported in Apple Remote Desktop Client. A local user can start applications with root privileges.

The vendor reported that when Fast User Switching is enabled, a local user can run arbitrary applications behind the loginwindow with root privileges.

It is reported that an Apple Remote Desktop Administrator application on another system can be used to start a graphical user interface (GUI) application on the client to cause the GUI application to execute with root level privileges behind the loginwindow.

Systems prior to Mac OS X v10.3 are not affected.

The vendor credits Andrew Nakhla and Secunia Research with reporting this flaw.
Impact:  A local user can start applications with root privileges to gain root level access on the target system.
Solution:  Apple has released a fix as part of Security Update 2004-10-27, available from the Software Update pane in System Preferences, or Apple's Software Downloads web site:

http://www.apple.com/support/downloads/

The download file is named: "SecurityUpdate2004-10-27.dmg"
Its SHA-1 digest is: 6f74180d4144affd3630e8824bff778ac39655e7

A fix is also available in Apple Remote Desktop version 2.1.
Vendor URL:  www.apple.com/support/security/security_updates.html (Links to External Site)
Cause:  Access control error, State error
Underlying OS:  UNIX (OS X)
Underlying OS Comments:  10.3 and later
Reported By:  Apple Product Security <product-security@apple.com>
Message History:   None.

 Source Message Contents
Date:  Wed, 27 Oct 2004 13:18:44 -0700
From:  Apple Product Security <product-security@apple.com>
Subject:  APPLE-SA-2004-10-27 Security Update 2004-10-27

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2004-10-27 Security Update 2004-10-27

Security Update 2004-10-27 is now available and delivers the
following security enhancement for Apple Remote Desktop Client:

CVE-ID:  CAN-2004-0962
Available for:  Apple Remote Desktop Client v1.2.4 with Mac OS X
v10.3.x
Impact:  An application can be started behind the loginwindow and it
will run as root
Description:  For a system with the following pre-conditions:
*  Apple Remote Desktop client installed
*  A user on the client system has been enabled with the "Open and
quit applications" privilege
*  The username and password of the ARD user is known
*  Fast User Switching has been enabled
*  A user is logged in, and loginwindow is active via Fast User
Switching

If the Apple Remote Desktop Administrator application on another
system is used to start a GUI application on the client, then the GUI
application will run as root behind the loginwindow.  This update
prevents Apple Remote Desktop from launching applications when the
loginwindow is active.

This security enhancement is also present in Apple Remote Desktop
v2.1.

This issue does not affect systems prior to Mac OS X v10.3.  Credit
to Andrew Nakhla and Secunia Research for reporting this issue.

Security Update 2004-10-27 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

The download file is named: "SecurityUpdate2004-10-27.dmg"
Its SHA-1 digest is:  6f74180d4144affd3630e8824bff778ac39655e7

Information will also be posted to the Apple Product Security
web site:
http://www.apple.com/support/security/security_updates.html

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/security_pgp.html

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQEVAwUBQX//jZyw5owIz4TQAQKitwf+IQ3dtQquGBWVPAew/3+CYHmL121zldZ9
2qlMn4zk66/hu9ecTHi0JLjI6sYS2jcYlIt5lxdHXAm1yt6LVdsgfCwLXu0ZnrgL
ygoPtr39KDX0YFPomkQVz2ZGptJs4zFsfnLUfi61pegLvicMKy+Zc1Cpzdba+rL5
39ZsZFMnWn6XJqwhJs3zlcXhkH3ggPmG7r6bWLmiRGY6EUaMRFyyCfphoTcSZSiC
81tDpryCJk2X/Ncv4g8tXlDqzjpJMRSslM9a1WFGXx+6Vd7FUz4UfC7ATYggodBU
QvYHKEkVQSH9efMDHJBk6F50WQpLvPoTA1fW3RLl54eEQlileuBgoA==
=2G/h
-----END PGP SIGNATURE-----

 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list      (Security-announce@lists.apple.com)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/security-announce/gst%40securitytracker.com

This email sent to ***********************


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2004, SecurityGlobal.net LLC