> Local root exploit on Mac OS X 10.3.6 with Adobe products installed > Found by Jonathan Bringhurst <fintler@xxxxxxxxxxxxxxxx> > > Summary: > > It's possible to create a suid root shell with a non-privileged user > on a Mac OS X 10.3.6 system with Adobe Version Cue installed. Adobe > Version Cue is installed by default with virtually every recent Adobe > product. This most likely affects many versions of Mac OS X and Adobe > Version Cue. > > Details: > > Scripts to start and stop Adobe Version Cue are suid root and do not > make any checks to see if they are running from the correct path. By > setting the current path to a controlled directory and creating > scripts with specific names, a user can have a custom script run euid > root. This is the result of an Apple-introduced problem in bash-2.05b. Bash, as distributed, gives up setuid privileges when invoked without the -p option, if the kernel allows setuid scripts to run. Apple changed bash to keep setuid if bash is invoked as `sh'. You can solve this particular problem by removing the setuid bit from the scripts and tightening up path checking, but it's going to be a potential problem until Apple reconsiders their permitting setuid scripts. Chet -- ``The lyf so short, the craft so long to lerne.'' - Chaucer ( ``Discere est Dolere'' -- chet ) Live...Laugh...Love Chet Ramey, ITS, CWRU chet@xxxxxxxxxxx http://tiswww.tis.cwru.edu/~chet/
