SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Multimedia)  >   Macromedia Studio MX Vendors:   Macromedia
Macromedia Studio MX File Permission Setting Lets Local Users Modify a File to Gain Elevated Privileges
SecurityTracker Alert ID:  1009416
SecurityTracker URL:  http://securitytracker.com/id/1009416
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 12 2004
Impact:   Modification of system information, Root access via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Macromedia MX 2004
Description:   A vulnerability was reported in Apple Mac OS X versions of the Macromedia installers (including Macromedia Studio MX) in the e-licensing client. A local user can obtain elevated privileges on the target system.

Macromedia reported that the software installs the 'AuthenticationService' file with permissions that allow local users to write to the file and also with set user id (setuid) privileges. The report indicates that if a user without administrative privileges modifies the file, the operating system will remove the setuid setting. However, a local user can reportedly modify the file and then cause a target user to execute the service directly (and not through a Macromedia product) to execute arbitrary code with the privileges of the target user.

According to the vendor, the current versions of all Macromedia products will detect that the file has been changed and refuse to execute the modified file.

The vendor credits Chris Irvine of Dark Horse Comics, Inc. with reporting this vulnerability.
Impact:   A local user can modify a file to contain arbitrary code and then cause a target user to execute the modified file, giving the local user elevated privileges on the system.
Solution:   The vendor has released a patch, available at:

http://www.macromedia.com/go/DMJL_AAAZ

As a workaround, a user with an admin account and password can manually change permissions on the file to resolve this problem. The vendor has provided the following instructions [quoted]:

"Activate a Terminal session and type in the following command.

sudo chmod 4775 "/Library/Application Support/Macrovision/AuthenticationService"

Enter your admin user password at the prompt and then the command will run and set the permissions on the file."
Vendor URL:  www.macromedia.com/software/mx2004/ (Links to External Site)
Cause:   Access control error, Configuration error
Underlying OS:   UNIX (OS X)

Message History:   None.

 Source Message Contents
Date:  Fri, 12 Mar 2004 13:27:39 -0800 (PST)
Subject:  Security Patch Available for Installer "Privilege Escalation"



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Security Bulletin:  

Potential Security Risk with Macromedia E-Licensing Client 
Activation Code 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 

Summary: 

Macintosh versions of the Macromedia installers and 
e-licensing client install a service whose file permissions 
allow "other" users to write to the file. This may allow one 
local user to obtain the permissions of another local user 
(including an admin user). This leads to a threat typically 
classified as “Privilege Escalation.” 

This potential vulnerability affects only products installed 
on machines with multiple users. Further, it does not appear 
to be a threat under typical installation of Macromedia 
products where the computer's only user is already considered 
the administrator.   

~~~~~~~ 

Solution: 

A patch can be downloaded from the Macromedia website to 
protect users of current versions of Macromedia products:   

http://www.macromedia.com/go/DMJL_AAAZ 

Alternatively, a work-around is described in the "Making 
the Changes" section of this bulletin. 

~~~~~~~ 

Affected Software Versions:  

All supported Macintosh versions of Macromedia MX 2004 
products as well as Contribute 2 may be affected. 

~~~~~~~ 

Severity Rating: 

Macromedia categorizes this issue as a Moderate update 
(see http://www.macromedia.com/go/DMJL_AABA) and recommends 
that administrators of systems supporting multiple users 
apply the patch located at: 

http://www.macromedia.com/go/DMJL_AABB 

~~~~~~~ 

Details:  

Macintosh OS X versions of the Macromedia installers and 
e-licensing client install the 'AuthenticationService' 
as an SUID service whose file permissions allow "other" 
users to write to the file. By default, these permissions 
allow the code in the service to be changed by any local 
user. In the event of modification by any non-admin user, 
the operating system removes the SUID property. 

The current behavior of Macromedia products using this 
service mitigates all known attack vectors. All current 
Macromedia products detect the file change, refuse to 
execute the modified service, and reinstall the original, 
unmodified binary. Therefore, a successful exploitation 
requires the attacker to cause another user to execute 
the service independent of any Macromedia product. 

If the AuthenticationService file is manually deleted, a 
reapplication of the patch may be required. 

~~~~~~~ 

Making the Changes:  

With an admin account and password, permissions on the 
file can be manually changed to resolve this problem. 

Activate a Terminal session and type in the following 
command. 

sudo chmod 4775 "/Library/Application Support/Macrovision/ 
AuthenticationService"  

Enter your admin user password at the prompt and then 
the command will run and set the permissions on the file.

NOTE: Back up your existing files before making changes. 
As always, test the changes in a nonproduction environment 
before applying the changes to production servers. 

~~~~~~~ 

Acknowledgements:  

Macromedia would like to thank Chris Irvine of Dark Horse 
Comics, Inc. for reporting this vulnerability and for 
working with us to help protect our customers' security. 

~~~~~~~ 

Reporting Security Issues: 
 
Macromedia is committed to addressing security issues and 
providing customers with the information on how they can 
protect themselves. If you identify what you believe may 
be a security issue with a Macromedia product, please 
send an e-mail to secure@macromedia.com. We will work to 
appropriately address and communicate the issue. 

~~~~~~~ 

Receiving Security Bulletins: 
 
When Macromedia becomes aware of a security issue that we 
believe significantly affects our products or customers, 
we will notify customers when appropriate. Typically this 
notification will be in the form of a security bulletin 
explaining the issue and the response. Macromedia customers 
who would like to receive notification of new security 
bulletins when they are released can sign up for our 
security notification service. 

For additional information on security issues at Macromedia, 
please visit: 

http://www.macromedia.com/security. 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
ANY INFORMATION, PATCHES, DOWNLOADS, WORKAROUNDS OR FIXES 
PROVIDED BY MACROMEDIA IN THIS BULLETIN ARE PROVIDED "AS IS" 
WITHOUT WARRANTY OF ANY KIND. MACROMEDIA AND ITS SUPPLIERS 
DISCLAIM ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED OR 
OTHERWISE, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND 
FITNESS FOR A PARTICULAR PURPOSE. ALSO, THERE IS NO WARRANTY 
OF NON-INFRINGEMENT, TITLE OR QUIET ENJOYMENT. (USA ONLY) 
SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, 
SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU. 

IN NO EVENT SHALL MACROMEDIA, INC. OR ITS SUPPLIERS BE LIABLE 
FOR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, 
DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE, 
COVER, LOSS OF PROFITS, BUSINESS INTERRUPTION OR THE LIKE, OR 
LOSS OF BUSINESS DAMAGES, BASED ON ANY THEORY OF LIABILITY 
INCLUDING BREACH OF CONTRACT, BREACH OF WARRANTY, TORT 
(INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, EVEN 
IF MACROMEDIA, INC. OR ITS SUPPLIERS OR THEIR REPRESENTATIVES 
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. (USA 
ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF 
LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE 
EXCLUSION OR LIMITATION MAY NOT APPLY TO YOU AND YOU MAY ALSO 
HAVE OTHER LEGAL RIGHTS THAT VARY FROM STATE TO STATE. 

Macromedia reserves the right, from time to time, to update 
the information in this document with current information.  

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Macromedia Support, Privacy, and Unsubscribe Information 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 

Macromedia Support:  
http://www.macromedia.com/support/ 

Macromedia and your privacy: 
http://www.macromedia.com/help/privacy.html 

Contact Macromedia: 
Thank you for your continued interest in Macromedia products. 
If you'd rather not receive updates about events, classes, or  
products, write to newsflash@hvm.macromedia.com and type 
'no thanks' in the Subject line. You may also change your 
communication preferences by visiting this web page: 

http://www.macromedia.com/go/unsubupdates?email=********************** 

Macromedia, 600 Townsend St., San Francisco, California 94103


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC