SecurityTracker.com
Category:   OS (Mac)  >   slpd
Vendors:   Apple
(Apple Issues Fix for OS X 10.2) Service Location Protocol Daemon (slpd) Temporary File Flaw May Let Local Users Gain Root Privileges
SecurityTracker Alert ID:  1008254
SecurityTracker URL:  http://securitytracker.com/id/1008254
CVE Reference:   CVE-2003-0878
Date:  Nov 20 2003
Impact:   Modification of system information, Modification of user information, Root access via local system, User access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): Mac OS X 10.2 and prior versions
Description:   A vulnerability was reported in the Mac OS X Service Location Protocol responder (slpd). A local user may be able to gain elevated privileges on the system.

It is reported that when Personal File Sharing is enabled on Mac OS X, a local user can exploit a temporary file vulnerability in slpd. The user can create a symbolic link (symlink) in the '/tmp' directory, at the name of a file that slpd will create, pointing to a critical file on the system. Then, when slpd creates the temporary file, it follows the link and writes to the critical file with root level privileges. A local user may be able to cause slpd to modify a file in a way that grants the user root level access on the system.

The report notes that Personal File Sharing is turned off by default.

The vendor credits @stake with reporting the flaw.
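
The temporary file pattern described above, next to a hardened form, as an added example (not slpd's code, which this page does not show). The file names and the private scratch directory are constructed for the demonstration; the self-check reports whether a file behind a pre-existing symlink was overwritten.

```c
#define _XOPEN_SOURCE 700   /* expose mkdtemp(), symlink(), O_NOFOLLOW */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Flawed pattern: predictable name, O_CREAT without O_EXCL. If the path is
 * already a symlink, open() follows it and truncates/writes the link target
 * with the caller's privileges. */
int open_tmp_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened form: O_EXCL fails with EEXIST if anything (a symlink included)
 * already exists at the path; O_NOFOLLOW is defence in depth. */
int open_tmp_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed self-check in a private scratch directory (all names are
 * hypothetical): a symlink already sits at the temp-file name. Returns 1 if
 * the link target was overwritten, 0 if it is intact, -1 on setup error. */
int target_clobbered(int use_safe) {
    char dir[] = "/tmp/tmpfile-demo.XXXXXX";
    char target[64], tmp[64], buf[16] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/critical.conf", dir);
    snprintf(tmp, sizeof tmp, "%s/daemon.tmp", dir);

    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "original", 8) != 8) return -1;
    close(fd);
    if (symlink(target, tmp) != 0) return -1;

    fd = use_safe ? open_tmp_safe(tmp) : open_tmp_unsafe(tmp);
    if (fd >= 0) { if (write(fd, "daemon", 6) < 0) perror("write"); close(fd); }

    fd = open(target, O_RDONLY);
    ssize_t n = fd < 0 ? -1 : read(fd, buf, sizeof buf - 1);
    if (fd >= 0) close(fd);
    unlink(tmp); unlink(target); rmdir(dir);
    return n < 0 ? -1 : (n == 8 && memcmp(buf, "original", 8) == 0) ? 0 : 1;
}

int main(void) {
    printf("unsafe: clobbered=%d  safe: clobbered=%d\n",
           target_clobbered(0), target_clobbered(1));
    return 0;
}
```

When the file does not need a fixed name, mkstemp() performs the exclusive create with an unpredictable name, and a daemon-owned directory outside '/tmp' removes the shared location altogether.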

Impact:   A local user may be able to modify files with root privileges to gain root access on the system.
Solution:   Apple has released a fix as part of Security Update 2003-11-19 for Mac OS X 10.2.8, available at:

* Software Update pane in System Preferences

* Apple's Software Downloads web site:

Security update 2003-11-19 for Jaguar 10.2.8
http://www.info.apple.com/kbnum/n120277
The download file is named: "SecurityUpd2003-11-19Jag.dmg"
Its SHA-1 digest is: bf6dfd69f084d1ffc0a0db9eff5252fb3213178b

Vendor URL:  www.apple.com/macosx/
Cause:   Access control error, State error

Message History:   This archive entry is a follow-up to the message listed below.
Oct 30 2003 Service Location Protocol Daemon (slpd) Temporary File Flaw May Let Local Users Gain Root Privileges



 Source Message Contents

Subject:  APPLE-SA-2003-11-19 Security Update 2003-11-19


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2003-11-19 Security Update 2003-11-19

Security Update 2003-11-19 is now available for Mac OS X 10.2.8 and
Mac OS X 10.3.

It is Apple's policy to quickly address significant vulnerabilities in
past releases of Mac OS X wherever feasible.  Security Update
2003-11-19 includes updates to several components of Mac OS X v10.2
"Jaguar" that meet this criteria.

Updates for Mac OS X v10.2.8 "Jaguar" and Mac OS X Server v10.2.8
=================================================================

gm4: Fixes CAN-2001-1411 a format string vulnerability in the gm4
utility. No setuid root programs relied on gm4 and this fix is a
preventive measure against a possible future exploit.

groff: Fixes VU#399883 where the groff component pic contained a
format-string vulnerability.

Mail: Fixes CAN-2003-0881 the Mac OS X Mail application will no longer
fall back to plain text login when an account is configured to use MD5
Challenge Response.

OpenSSL: Fixes CAN-2003-0851 parsing particular malformed ASN.1
sequences are now handled in a more secure manner.

Personal File Sharing: Fixes CAN-2003-0878 when Personal File Sharing
is enabled, the slpd daemon can no longer create a root-owned file in
the /tmp directory to gain elevated privileges.

QuickTime for Java: Fixes CAN-2003-0871 a potential vulnerability that
could allow unauthorized access to a system.

zlib: Addresses CAN-2003-0107.  While there were no functions in Mac
OS X that used the vulnerable gzprintf() function, the underlying
issue in zlib has been fixed to protect any third-party applications
that may potentially use this library.


Updates for Mac OS X v10.3.1 "Panther" and Mac OS X Server v10.3.1
==================================================================

OpenSSL: Fixes CAN-2003-0851 parsing particular malformed ASN.1
sequences are now handled in a more secure manner.

zlib: Addresses CAN-2003-0107.  While there were no functions in Mac
OS X that used the vulnerable gzprintf() function, the underlying
issue in zlib has been fixed to protect any third-party applications
that may potentially use this library.

================================================

Security Update 2003-11-19 may be obtained from:

  * Software Update pane in System Preferences

  * Apple's Software Downloads web site:
  
    Security update 2003-11-19 for Jaguar 10.2.8
    http://www.info.apple.com/kbnum/n120277
    The download file is named: "SecurityUpd2003-11-19Jag.dmg"
    Its SHA-1 digest is: bf6dfd69f084d1ffc0a0db9eff5252fb3213178b

    Security Update 2003-11-19 for Panther 10.3.1
    http://www.info.apple.com/kbnum/n120278
    The download file is named: "SecurityUpd2003-11-19.dmg"
    Its SHA-1 digest is: 0cfb4c9048859a2e8a60424400e081da5ff84b80
    
Information will also be posted to the Apple Product Security web
site:
http://www.apple.com/support/security/security_updates.html

This message is signed with Apple's Product Security PGP key, and
details are available at:
http://www.apple.com/support/security/security_pgp.html

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

-----END PGP SIGNATURE-----
Copyright 2021, SecurityGlobal.net LLC