Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   OS (Mac)  >   slpd Vendors:   Apple
Service Location Protocol Daemon (slpd) Temporary File Flaw May Let Local Users Gain Root Privileges
SecurityTracker Alert ID:  1008045
SecurityTracker URL:
CVE Reference:   CVE-2003-0878   (Links to External Site)
Date:  Oct 30 2003
Impact:   Modification of system information, Modification of user information, Root access via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Mac OS X 10.2 and prior versions
Description:   A vulnerability was reported in the Mac OS X Service Location Protocol responder (slpd). A local user may be able to gain elevated privileges on the system.

It is reported that when Personal File Sharing is enabled on Mac OS X, a local user can exploit a temporary file vulnerability. A local user can create a symbolic link (symlink) from a critical file on the system to a file that slpd will create in the '/tmp' directory. Then, when slpd creates the temporary file, the symlinked file will be written to with root level privileges. A local user may be able to cause slpd to modify a file to grant the user root level access on the system.

The report notes that Personal File Sharing is turned off by default.

The vendor credits @stake with reporting the flaw.

Impact:   A local user may be able to modify files with root privileges to gain root access on the system.
Solution:   The vendor has released a fixed version of Mac OS X (10.3). More information on Mac

OS X 10.3 is available at:

Vendor URL: (Links to External Site)
Cause:   Access control error, State error

Message History:   This archive entry has one or more follow-up message(s) listed below.
Nov 20 2003 (Apple Issues Fix for OS X 10.2) Service Location Protocol Daemon (slpd) Temporary File Flaw May Let Local Users Gain Root Privileges
Apple has released a fix for Mac OS X 10.2.

 Source Message Contents

Subject:  APPLE-SA-2003-10-28 Mac OS X 10.3 Panther

Hash: SHA1

APPLE-SA-2003-10-28 Mac OS X 10.3 Panther

Mac OS X 10.3 Panther has been released, and it contains the following
security enhancements:

Finder: Fixes CAN-2003-0876 where folder permissions may not be
   preserved when copying a folder from a mounted volume such as a
   disk image.  Credit to Dave G. from @stake, Inc. for finding this

Kernel: Fixes CAN-2003-0877 where if a system is running with core
   files enabled, a user with interactive shell access can overwrite
   arbitrary files, and read core files created by root-owned
   processes.  This may result in sensitive information such as
   authentication credentials being compromised. Core file creation is
   disabled by default on Mac OS X. Credit to Dave G. from @stake,
   Inc. for finding this issue.

slpd:  Fixes CAN-2003-0878 when Personal File Sharing is enabled, the
   slpd daemon may create a root-owned file in the /tmp directory.
   This could overwrite an existing file and allow a user to gain
   elevated privileges. Personal File Sharing is off by default in Mac
   OS X.  Credit to Dave G. from @stake, Inc. for finding this issue.

Kernel: Fixes CAN-2003-0895 where it may be possible for a local user
   to cause the Mac OS X kernel to crash by specifying a long command
   line argument. The machine will reboot on its own after several
   minutes. Credit to Dave G. from @stake, Inc. for finding this

ktrace: Fixes CVE-2002-0701 a theoretical exploit when ktrace is
   enabled through the KTRACE kernel option, a local user might be
   able to obtain sensitive information.  No specific utility is
   currently known to be vulnerable to this particular problem.

nfs: Fixes CVE-2002-0830 for the Network File System where a remote
   user may be able to send RPC messages that cause the system to lock

zlib: Addresses CAN-2003-0107. While there were no functions in Mac OS
   X that used the vulnerable gzprintf() function, the underlying
   issue in zlib has been fixed.

gm4: Fixes CAN-2001-1411 a format string vulnerability in the gm4
   utility. No setuid root programs relied on gm4 and this fix is a
   preventative measure against a possible future exploit.

OpenSSH: Fixes CAN-2003-0386 where "from=" and "user@hosts"
   restrictions are potentially spoofable via reverse DNS for
   numerically specified IP addresses. Mac OS X 10.3 also incorporates
   prior fixes released for OpenSSH, and the version of OpenSSH as
   obtained via the "ssh -V" command is:
   OpenSSH_3.6.1p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL

nidump:  Fixes CAN-2001-1412 where the nidump utility provides access
   to the crypted passwords used to authenticate logins.

System Preferences:  Fixes CAN-2003-0883 where after authenticating
   with an administrator password, the system will continue to allow
   access to secure Preference Panes for a short period of time.  This
   could allow a local user to access Preference Panes that they would
   not normally be able to use.  In Mac OS X 10.3 Security
   preferences, there is now a choice to "Require password to unlock
   each secure system preference". Credit to Anthony Holder for
   reporting this issue.

TCP timestamp: Fixes CAN-2003-0882 where the TCP timestamp is
   initialized with a constant number. This could allow a person to
   discover how long the system has been up based upon the ID in TCP
   packets.  In Mac OS X 10.3, the TCP timestamp is now initialized
   with a random number. Credit to Aaron Linville for reporting this
   issue and submitting a fix via the Darwin open source program.

Mail:  Fixes CAN-2003-0881 in the Mac OS X Mail application, if an
   account is configured to use MD5 Challenge Response, it will
   attempt to login using CRAM-MD5 but will silently fall back to
   plain-text if the hashed login fails. Credit to Chris Adams for
   reporting this issue.

Dock: Fixes CAN-2003-0880 when Full Keyboard Access is turned on via
   the Keyboard pane in System Preferences, Dock functions can be
   accessed blindly from behind Screen Effects.
Other security features:  Mac OS X 10.3 contains a number of other
   security features which may be found at:

Further information on Mac OS X 10.3 may be obtained from:
This message is signed with Apple's Product Security PGP key, and
details are available at:

Version: PGP 8.0.2

security-announce mailing list |
Do not post admin requests to the list. They will be ignored.


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC