Problem: Internet Connect allows any file on the file
system to be altered.
Status: 0day! - Temporary Fix Included.
Description:
Apple's Internet Connect application creates a
'ppp.log' file in '/tmp/'. If the file already
exists, it is opened in append mode. If it does
not exist, a new file is created.
It is possible to trick Internet Connect into
appending data to any file on the filesystem by
creating a symlink file '/tmp/ppp.log' pointing
to the file to be altered.
If the file '/tmp/ppp.log' already exists the
attack is not possible as the file is owned by
user 'root' and group 'wheel': -
However, because the operating system clears the
'/tmp' directory during system startup and also on
a regular basis during system maintenance, it
becomes possible to perform the attack as shown below:
First a file is created to represent a system file
owned and only writable by user 'root'.
A symlink is now created in the '/tmp' directory to
point to the file to be altered. It is important to
realise that the link can be created by a user who is
neither 'admin' nor 'root'.
maki:/tmp $ id
uid=502(br00t) gid=502(br00t) groups=502(br00t)
Now Internet Connect is opened. Under 'configuration'
choose 'Other'. Enter some text into the 'Telephone
Number' box (B-r00t r0x y3r w0rld!) and click 'Connect'.
'Cancel' can be clicked several seconds later.
Checking the original file '/etc/file_owned_by_root'
we see the following: -
maki:~ $ cat /etc/file_owned_by_root
TEST
Sun Jul 25 00:20:42 2004 : Version 2.0
Sun Jul 25 00:20:43 2004 : Dialing B-r00t r0x y3r w0rld!
Sun Jul 25 00:20:54 2004 : Terminating on signal 15.
Sun Jul 25 00:20:58 2004 : Serial link disconnected.
As can be seen, data has been appended to the 'protected' file.
Impact: It is possible for a local user to escalate their
privileges by appending data to specific system files.
In addition, a malicious user may be able to render the
machine unusable by corrupting important system files.
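The root cause described above is a privileged append-mode open that follows a symlink in a world-writable directory. The following is an added example, not code from the advisory or from Apple, showing how a logger can refuse such a link; the function names and the scratch paths are assumptions made for illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE             /* O_NOFOLLOW, mkdtemp on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a log for appending; refuse a symlink at the final path component. */
int open_log_nofollow(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;                      /* open() fails if path is a symlink */
    /* Verify what was opened: regular file, one name, owned by this process. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario: a scratch directory stands in for /tmp, "protected"
 * for the root-owned target. Returns 1 if the link is refused and the
 * target's size is unchanged. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/nofollow-demo-XXXXXX", target[64], lnk[64];
    struct stat before, after;
    int fd, ok;

    if (!mkdtemp(dir)) return 0;
    snprintf(target, sizeof target, "%s/protected", dir);
    snprintf(lnk, sizeof lnk, "%s/ppp.log", dir);
    fd = open(target, O_WRONLY | O_CREAT, 0600);
    if (fd < 0 || write(fd, "TEST\n", 5) != 5) return 0;
    close(fd);
    if (symlink(target, lnk) != 0 || stat(target, &before) != 0) return 0;

    fd = open_log_nofollow(lnk);        /* what a fixed logger would call */
    ok = fd == -1 && stat(target, &after) == 0 &&
         after.st_size == before.st_size;
    if (fd >= 0) close(fd);
    unlink(lnk); unlink(target); rmdir(dir);
    return ok;
}
```

O_NOFOLLOW only covers the last path component, so a log directory that unprivileged users cannot write to remains the stronger design.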
...snip...
FIX: The following commands serve to provide a temporary fix until
Apple release an official update.
Open a terminal: /Applications/Utilities/Terminal.app
Gain root access using 'sudo':
maki:~ $ sudo sh
Password:[YOUR PASSWORD]
maki:~ # whoami
root
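The science journal "NATURE", favorite reading of the DQN employee
Makuhari BOY (oh, and mine too...), has published a paper stating that
"according to scientists at the National Institute for Standards and
Technologies (NIST), teleportation, that is, 'transferring' atoms, or at
least their properties, to another location without any physical
movement at all, is possible."
It also announced that "in the paper, the quantum state (a set of active
properties) of one beryllium atom was successfully transferred to
another beryllium atom."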