Bugtraq mailing list archives

Re: Mac OS X setuid root security hole


From: Kee Hinckley <nazgul () somewhere com>
Date: Wed, 17 Oct 2001 15:51:45 -0400


At 12:53 PM -0400 10/17/01, rotaiv wrote:
I can't recall if I have seen this on BugTraq so forgive me if this 
is an old issue.

Try these steps on an OS X machine (not logged in as root)

 - Open up the terminal application
 - Quit the terminal application
 - Open up NetInfo Manager (leave it in the foreground)
 - Open up the Terminal application from the "Recent Items" list in 
the Apple Menu.

You can slightly reduce the risk by going to Recent Items, clearing 
the list, and then editing (with your favorite text editor) 
~/Library/Preferences/com.apple.recentitems.plist.  Change the values 
for maxapp and macdoc to 0.  (The UI lets you change the values to a 
present list, but 0 isn't one of the options.)  That won't stop 
someone from going to the preferences and turning it back on again 
(you can't lock General preferences), but it at least means any 
bypass requires more time.

That said, Recent Items is not the sole problem.  The Services menu 
also launches applications with the permissions of the application 
that currently owns the menubar.  You can easily use this to bring up 
a text editor running as root.
-- 

Kee Hinckley - Somewhere.Com, LLC
http://consulting.somewhere.com/
nazgul () somewhere com (or ...!alice!nazgul for time travelers :-)

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.


