Service Location Protocol Daemon (slpd) Temporary File Flaw May Let Local Users Gain Root Privileges
SecurityTracker Alert ID: 1008045
SecurityTracker URL: http://securitytracker.com/id/1008045
Date: Oct 30 2003
Impact: Modification of system information, Modification of user information, Root access via local system, User access via local system
Fix Available: Yes    Vendor Confirmed: Yes
Version(s): Mac OS X 10.2 and prior versions
Description: A vulnerability was reported in the Mac OS X Service Location Protocol responder (slpd). A local user may be able to gain elevated privileges on the system.
It is reported that when Personal File Sharing is enabled on Mac OS X, a local user can exploit a temporary file vulnerability. A local user can create a symbolic link (symlink) in the '/tmp' directory, at the name of a file that slpd will later create, pointing to a critical file on the system. When slpd then creates its temporary file, the write follows the symlink and the critical file is written to with root privileges. A local user may be able to use this to have slpd modify a file in a way that grants the user root access on the system.
The report notes that Personal File Sharing is turned off by default.
The vendor credits @stake with reporting the flaw.
Impact: A local user may be able to modify files with root privileges to gain root access on the system.
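The flaw described above is the classic privileged temporary-file race: a daemon running as root opens a predictable name under /tmp without checking whether something already sits at that path. The following C program is an added example, not Apple's slpd code, that puts the naive open pattern next to a hardened one and exercises both inside a private scratch directory created with mkdtemp(). The function names (naive_tmp_open, safe_tmp_open, run_tmpfile_demo) and the "victim" file contents are constructed for the demonstration.

```c
/* Added example, not Apple's slpd code: the temp-file pattern behind
 * CAN-2003-0878 next to its hardened form. Function names are hypothetical.
 * Everything happens inside a private scratch directory created by mkdtemp(). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive pattern: a privileged daemon opens a fixed, predictable name with
 * O_CREAT but without O_EXCL/O_NOFOLLOW. If a symlink already occupies that
 * name, the open follows it and O_TRUNC clobbers whatever it points at. */
int naive_tmp_open(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: O_EXCL makes open() fail with EEXIST if anything, including
 * a symlink, already occupies the path; O_NOFOLLOW refuses to traverse a symlink
 * at the final component even if O_EXCL were dropped. fstat() on the descriptor
 * (not stat() on the path, which would race) confirms we got a fresh regular file. */
int safe_tmp_open(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EEXIST;
        return -1;
    }
    return fd;
}

/* Builds the scenario from the advisory in a scratch directory: a "victim" file
 * standing in for a critical system file, and a symlink at the daemon's
 * would-be temp name pointing at it. Tries both open patterns on the link.
 *   *naive_clobbered = 1 if naive_tmp_open() wrote through the link,
 *   *safe_refused    = 1 if safe_tmp_open() refused the link.
 * Returns 0, or -1 if the scratch setup itself failed. */
int run_tmpfile_demo(int *naive_clobbered, int *safe_refused) {
    char dir[] = "/tmp/slpdemo.XXXXXX";
    char victim[128], link[128];
    const char *original = "constructed victim contents\n"; /* constructed sample */
    struct stat st;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/slpd.tmp", dir);

    int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd < 0 || write(vfd, original, strlen(original)) < 0) return -1;
    close(vfd);
    if (symlink(victim, link) < 0) return -1;

    /* 1. Naive open follows the link: the victim is truncated to zero bytes. */
    int nfd = naive_tmp_open(link);
    if (nfd >= 0) close(nfd);
    *naive_clobbered = (stat(victim, &st) == 0 && st.st_size == 0);

    /* 2. Hardened open on the same path fails (EEXIST from O_EXCL, or ELOOP from
     *    O_NOFOLLOW) and never touches the victim. */
    int sfd = safe_tmp_open(link);
    *safe_refused = (sfd < 0 && (errno == EEXIST || errno == ELOOP));
    if (sfd >= 0) close(sfd);

    /* Remove the scratch artefacts. */
    unlink(link); unlink(victim); rmdir(dir);
    return 0;
}

int main(void) {
    int clobbered = 0, refused = 0;
    if (run_tmpfile_demo(&clobbered, &refused) != 0) {
        perror("scratch setup");
        return 1;
    }
    printf("naive open clobbered victim: %s\n", clobbered ? "yes" : "no");
    printf("hardened open refused link:  %s\n", refused ? "yes" : "no");
    return 0;
}
```

The safe variant is still a second-best: a daemon should not be using a predictable name in a world-writable directory at all. mkstemp(3) generates an unpredictable name and opens it with O_CREAT|O_EXCL in a single call, and a per-service directory that is not world-writable removes the shared-namespace problem entirely. Auditing for the naive pattern (O_CREAT without O_EXCL on paths under /tmp in setuid or root-run code) is a cheap review check.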
Solution: The vendor has released a fixed version of Mac OS X (10.3). More information on Mac OS X 10.3 is available at:
Vendor URL: www.apple.com/macosx/
Cause: Access control error, State error
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Subject: APPLE-SA-2003-10-28 Mac OS X 10.3 Panther
-----BEGIN PGP SIGNED MESSAGE-----
APPLE-SA-2003-10-28 Mac OS X 10.3 Panther

Mac OS X 10.3 Panther has been released, and it contains the following

Finder: Fixes CAN-2003-0876 where folder permissions may not be preserved when copying a folder from a mounted volume such as a disk image. Credit to Dave G. from @stake, Inc. for finding this

Kernel: Fixes CAN-2003-0877 where if a system is running with core files enabled, a user with interactive shell access can overwrite arbitrary files, and read core files created by root-owned processes. This may result in sensitive information such as authentication credentials being compromised. Core file creation is disabled by default on Mac OS X. Credit to Dave G. from @stake, Inc. for finding this issue.

slpd: Fixes CAN-2003-0878 when Personal File Sharing is enabled, the slpd daemon may create a root-owned file in the /tmp directory. This could overwrite an existing file and allow a user to gain elevated privileges. Personal File Sharing is off by default in Mac OS X. Credit to Dave G. from @stake, Inc. for finding this issue.

Kernel: Fixes CAN-2003-0895 where it may be possible for a local user to cause the Mac OS X kernel to crash by specifying a long command line argument. The machine will reboot on its own after several minutes. Credit to Dave G. from @stake, Inc. for finding this

ktrace: Fixes CVE-2002-0701 a theoretical exploit when ktrace is enabled through the KTRACE kernel option, a local user might be able to obtain sensitive information. No specific utility is currently known to be vulnerable to this particular problem.

nfs: Fixes CVE-2002-0830 for the Network File System where a remote user may be able to send RPC messages that cause the system to lock

zlib: Addresses CAN-2003-0107. While there were no functions in Mac OS X that used the vulnerable gzprintf() function, the underlying issue in zlib has been fixed.

gm4: Fixes CAN-2001-1411 a format string vulnerability in the gm4 utility. No setuid root programs relied on gm4 and this fix is a preventative measure against a possible future exploit.

OpenSSH: Fixes CAN-2003-0386 where "from=" and "user@hosts" restrictions are potentially spoofable via reverse DNS for numerically specified IP addresses. Mac OS X 10.3 also incorporates prior fixes released for OpenSSH, and the version of OpenSSH as obtained via the "ssh -V" command is:

OpenSSH_3.6.1p1+CAN-2003-0693, SSH protocols 1.5/2.0, OpenSSL

nidump: Fixes CAN-2001-1412 where the nidump utility provides access to the crypted passwords used to authenticate logins.

System Preferences: Fixes CAN-2003-0883 where after authenticating with an administrator password, the system will continue to allow access to secure Preference Panes for a short period of time. This could allow a local user to access Preference Panes that they would not normally be able to use. In Mac OS X 10.3 Security preferences, there is now a choice to "Require password to unlock each secure system preference". Credit to Anthony Holder for reporting this issue.

TCP timestamp: Fixes CAN-2003-0882 where the TCP timestamp is initialized with a constant number. This could allow a person to discover how long the system has been up based upon the ID in TCP packets. In Mac OS X 10.3, the TCP timestamp is now initialized with a random number. Credit to Aaron Linville for reporting this issue and submitting a fix via the Darwin open source program.

Mail: Fixes CAN-2003-0881 in the Mac OS X Mail application, if an account is configured to use MD5 Challenge Response, it will attempt to login using CRAM-MD5 but will silently fall back to plain-text if the hashed login fails. Credit to Chris Adams for reporting this issue.

Dock: Fixes CAN-2003-0880 when Full Keyboard Access is turned on via the Keyboard pane in System Preferences, Dock functions can be accessed blindly from behind Screen Effects.

Other security features: Mac OS X 10.3 contains a number of other security features which may be found at:

Further information on Mac OS X 10.3 may be obtained from:

This message is signed with Apple's Product Security PGP key, and details are available at:
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2
-----END PGP SIGNATURE-----