SecurityTracker.com
Category:   Application (Security)  >   Sudo Vendors:   sudo.ws
(Apple Issues Fix) Sudo Environment Variable Validation Error May Let Local Users Run Arbitrary Commands
SecurityTracker Alert ID:  1013883
SecurityTracker URL:  http://securitytracker.com/id/1013883
CVE Reference:   CVE-2004-1051
Date:  May 4 2005
Impact:   Execution of arbitrary code via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 1.6.8p2
Description:   A vulnerability was reported in sudo. A local user may be able to run arbitrary shell commands.

Liam Helmer reported that sudo does not properly validate the environment variables it passes on to the commands it runs. If the bash shell is installed on the target system and a local user is permitted to run a bash script through sudo, that user can exploit sudo's handling of the environment to substitute arbitrary commands for any program the script calls without a fully qualified path.
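
The check below is an added illustration, not code from SecurityTracker, Apple or the sudo project. It reproduces the sanitization step that sudo 1.6.8p2 adopted: bash exported shell functions as ordinary environment variables whose value begins with `() `, so any variable of that shape is dropped before the permitted script starts, and the dropped names are reported so they can be logged. The sample environment, the variable names in it and the `run_script_sanitized` helper are constructed for the example.

```python
"""Drop bash exported-function variables from an environment before a script
is run with elevated rights: the sanitization step sudo 1.6.8p2 adopted.
Added example; the sample environment and helper names are constructed."""
import subprocess
from typing import Dict, Tuple

# Constructed sample environment (assumption: not taken from any real system).
# "ls" and "cat" carry values in the shape bash used to export shell
# functions: "() " followed by a brace-delimited body. An unsanitised sudo
# would pass them to the privileged script, where bash would run them in
# place of any unqualified "ls" or "cat" the script calls.
SAMPLE_ENV: Dict[str, str] = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/Users/alice",
    "LANG": "en_US.UTF-8",
    "ls": "() {  echo shadowed\n}",
    "cat": "() {  /bin/cat /etc/motd\n}",
    # Looks similar but is not a function export: the marker is not a prefix.
    "GREETING": "hi () { not a function }",
}


def is_bash_function(value: str) -> bool:
    """True if a variable value has the bash exported-function shape.

    Mirrors sudo 1.6.8p2's rule: any value beginning with "() " is treated
    as a function definition and discarded (assumption: prefix match only,
    no attempt to parse the body).
    """
    return value.startswith("() ")


def sanitize_env(env: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split env into (kept, dropped); dropped holds the function exports.

    Returning the dropped set lets a caller log what was stripped, which is
    the detection signal a defender wants from this check.
    """
    kept: Dict[str, str] = {}
    dropped: Dict[str, str] = {}
    for name, value in env.items():
        target = dropped if is_bash_function(value) else kept
        target[name] = value
    return kept, dropped


def run_script_sanitized(script_path: str, env: Dict[str, str]) -> int:
    """Run a bash script with function exports removed; return its exit code.

    Hypothetical helper standing in for the sudo step that launches the
    permitted script. The interpreter is named by absolute path so that it
    cannot itself be substituted through PATH.
    """
    kept, dropped = sanitize_env(env)
    for name in sorted(dropped):
        print(f"sanitize: dropped function export {name!r}")
    return subprocess.run(["/bin/bash", script_path], env=kept).returncode


if __name__ == "__main__":
    kept, dropped = sanitize_env(SAMPLE_ENV)
    print("kept:   ", sorted(kept))
    print("dropped:", sorted(dropped))
```

Run on the sample, only the two function exports are removed; `GREETING`, which merely contains `()` mid-string, survives. The rule is a prefix match, so it complements rather than replaces the other practice the advisory points at: a script that runs with elevated privileges should call helper programs by absolute path, leaving nothing for a same-named function to shadow.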

Impact:   A local user may be able to execute arbitrary commands on the target system.
Solution:   Apple has issued a fix as part of Security Update 2005-005, available from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:

http://www.apple.com/support/downloads/

For Mac OS X v10.3.9
The download file is named: "SecUpd2005-005Pan.dmg"
Its SHA-1 digest is: 81c479d52830163f0992482a0b3586acf2cb1cad

For Mac OS X Server v10.3.9
The download file is named: "SecUpdSrvr2005-005Pan.dmg"
Its SHA-1 digest is: eb3f5300e2c6062c10e9466eb3c822952e8aba83

Vendor URL:  www.sudo.ws/sudo/alerts/bash_functions.html
Cause:   Input validation error
Underlying OS:  UNIX (macOS/OS X)
Underlying OS Comments:  10.3.9

Message History:   This archive entry is a follow-up to the message listed below.
Nov 13 2004 Sudo Environment Variable Validation Error May Let Local Users Run Arbitrary Commands



 Source Message Contents

Subject:  APPLE-SA-2005-05-03 Security Update 2005-005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2005-05-03 Security Update 2005-005

Security Update 2005-005 is now available and delivers the following
security enhancements:

Apache
CVE-ID:  CAN-2005-1344
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  The htdigest program contains a buffer overflow, which if
used improperly in a CGI application, could allow a remote system
compromise
Description:  The htdigest program could be used in a CGI application
to manage user access controls to a web server. htdigest contains a
buffer overflow.  This update fixes the buffer overflow in htdigest.
Apple does not provide any CGI applications that use the htdigest
program. Credit to JxT of SNOsoft for reporting this issue.

AppKit
CVE-ID:  CAN-2004-1308, CAN-2004-1307  CERT: VU#125598, VU#539110
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  An integer overflow in the handling of TIFF files could
permit arbitrary code execution
Description:  A malformed TIFF image could contain parameters that
result in image data overwriting the heap.  This issue has been
addressed by adding additional tests when calculating the space
needed for an image.

AppKit
CVE-ID:  CAN-2005-1330
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  A Cocoa application will quit through an unhandled exception
from NXSeek()
Description:  A malformed TIFF image can cause a call to NXSeek()
with an offset outside the image. This raises an exception which is
not handled.  The default handler then causes the application to
exit.  This update causes an error to be returned to the
application.  Credit to Henrik Dalgaard of Echo One for reporting
this issue.

AppleScript
CVE-ID:  CAN-2005-1331
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  Scripts created using the applescript: URI mechanism could
display code differently than that which would actually run
Description:  The applescript: URI mechanism is a feature that allows
AppleScript code to be distributed via a hyperlink.  When an
applescript: URI is clicked, the AppleScript Editor opens and
displays the code that has been downloaded.  If the code is then
compiled and run, it may not execute exactly as it is displayed.
This issue has been addressed by rejecting URIs containing characters
that could be used to mislead the user.  Credit to David Remahl of
www.remahl.se/david for reporting this issue.

Bluetooth
CVE-ID:  CAN-2005-1332
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  Bluetooth-enabled systems may allow file exchange without
prompting users
Description:  The Bluetooth file exchange service is enabled by
default on systems with Bluetooth capability.  This could allow
files to be shared without properly notifying the user.  In addition,
the default directory for file sharing may be used by other
applications, leading to unintentional file sharing. Security Update
2005-005 disables Bluetooth file exchange and changes the location of
the default transfer directory on systems where the old default
directory is set.  In addition, new users of a system must now enable
Bluetooth file exchange before it is allowed.  Users with
Bluetooth-enabled systems should read the article at
http://docs.info.apple.com/article.html?artnum=301381 for more
information on the changes provided by this update.  Credit to
kf_lists[at]digitalmunition[dot]com for reporting this issue.

Bluetooth
CVE-ID:  CAN-2005-1333
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  Directory traversal via Bluetooth file and object exchange
Description:  Due to insufficient input checking, the Bluetooth file
and object exchange services could be used to access files outside of
the default file exchange directory.  Security Update 2005-005
addresses this issue by adding enhanced filtering for path-delimiting
characters. Credit to kf_lists[at]digitalmunition[dot]com for
reporting this issue.

Directory Services
CVE-ID:  CAN-2005-1335
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  chfn/chpass/chsh could be manipulated to give privileges to
an unprivileged user
Description:  chfn/chpass/chsh is a hard-linked set of SUID
programs.  Certain code paths use external helper programs in an
insecure manner which could lead to a privilege escalation.  This
update provides secure mechanisms for running helper programs.

Finder
CVE-ID:  CAN-2005-0342
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  Unsafe handling of .DS_Store files could be used by local
attackers to overwrite files and lead to privilege escalation
Description:  Finder uses .DS_Store files to store and retrieve
information used to display folders on the system.  When writing
these files, Finder could follow a link resulting in the overwrite of
an arbitrary file.  In addition, these files could contain data
supplied by malicious users, allowing them to gain privileges by
altering system configuration files.  Security Update 2005-005
addresses this issue by updating Finder to check that .DS_Store files
are not links before writing to them.

Foundation
CVE-ID:  CAN-2005-1336
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  Buffer overflow via an environment variable for applications
using the Foundation framework
Description:  The incorrect handling of an environment variable
within the Foundation framework can result in a buffer overflow that
may be used to execute arbitrary code. This issue has been addressed
by improved handling of the environment variable.

Help Viewer
CVE-ID:  CAN-2005-1337
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  Help Viewer could be used to run Javascript without the
restrictions normally imposed
Description:  When Javascript is loaded for a remote site, it is
executed in a restricted environment.  The environment restrictions
are not applied for local Javascript files loaded by the Help
Viewer.  Security Update 2005-005 addresses this by only allowing
Help Viewer to load registered pages.  Credit to David Remahl of
www.remahl.se/david for reporting this issue.

LDAP
CVE-ID:  CAN-2005-1338
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  Passwords could initially be stored into LDAP in plain text
when using an LDAP server not running on Mac OS X
Description:  When a system is bound to an LDAP server that has
"ldap_extended_operation" disabled or not supported, and new accounts
are created using the Workgroup Manager, then the initial password
can be stored in the clear.  If the password is modified using the
Inspector it will be correctly stored in a hashed form. This issue
does not occur when using the Apple supplied Open Directory server.
For servers not supporting "ldap_extended_operation", this update now
stores new passwords in the hashed form.

libXpm
CVE-ID:  CAN-2004-0687  CERT: VU#882750
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  A vulnerability in the parsing of malformed XPM files could
allow arbitrary code execution
Description:  The xpmParseColors() function in the XFree86 libXpm
library contains a vulnerability in the parsing of malformed image
files that may lead to a stack overflow and could allow arbitrary
code execution.  Images downloaded via a web browser may use the XPM
format and allow remote exploitability.  libXpm is not installed by
default on Mac OS X or Mac OS X Server systems.  It is an optional
install item via the X11 package.  Credit to Chris Evans
<chris@scary.beasts.org> for reporting this issue.

libXpm
CVE-ID:  CAN-2004-0688  CERT: VU#537878
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  A vulnerability in the parsing of malformed XPM files could
allow arbitrary code execution
Description:  Multiple libXpm routines contain integer overflow
vulnerabilities that may allow an attacker to cause a
denial-of-service condition or execute arbitrary code.  Images
downloaded via a web browser may use the XPM format and allow remote
exploitability.  libXpm is not installed by default on Mac OS X or
Mac OS X Server systems.  It is an optional install item via the X11
package.  Credit to Chris Evans <chris@scary.beasts.org> for
reporting this issue.

lukemftpd
CVE-ID:  CAN-2005-1339
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  When using the chroot feature of ftp, users can bypass the
restriction by using their full name
Description:  The ftp server allows users to login with either their
full name or their short name.  In order to restrict users to their
home directory, all permitted login names must be listed in
/etc/ftpchroot.  Users are permitted to change their full name.
This issue has been addressed by mapping full names to short names
before checking the /etc/ftpchroot restriction list. Credit to Rob
Griffiths of macosxhints.com for reporting this issue.

NetInfo
CVE-ID:  CAN-2005-0594
Available for:  Mac OS X Server v10.3.9
Impact:  The Netinfo Setup Tool (NeST) contains a buffer overflow
that could permit arbitrary code execution
Description:  NeST is a SUID tool.  It contains a buffer overflow
that could permit arbitrary code execution.  This update prevents the
buffer overflow from occurring. Credit to iDEFENSE Labs for reporting
this issue.

Server Admin
CVE-ID:  CAN-2005-1340
Available for:  Mac OS X Server v10.3.9
Impact:  Enabling the HTTP proxy service also enables it for users
not on your network if there are no access restrictions
Description:  When the HTTP proxy service is enabled in Server Admin
it does not restrict which networks can access it.  If there are no
external access controls, then users on the Internet can also use the
proxy.  The HTTP proxy service is disabled by default.  This update
adds a user interface component to Server Admin which allows the HTTP
proxy to be restricted to local networks.

sudo
CVE-ID:  CAN-2004-1051
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  Bash scripts run via sudo can be subverted
Description:  Sudo versions prior to 1.6.8p2 do not properly
sanitize their environment.  A malicious local user with
permission to run a bash shell script could exploit this to run
arbitrary commands.  Apple does not provide any pre-authorized bash
shell scripts by default.  This issue is addressed by removing bash
shell functions from the environment before running subsequent
commands.

Terminal
CVE-ID:  CAN-2005-1341  CERT: VU#994510
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  Malicious input could cause data to be inserted into a
user's Terminal command line
Description:  The Terminal utility allows window titles to be read
as input via a particular escape sequence.  This could allow
malicious content to inject data when it is displayed in a Terminal
session.  Security Update 2005-005 addresses the issue by removing
handlers for this insecure escape sequence.  Credit to David Remahl
of www.remahl.se/david for reporting this issue.

Terminal
CVE-ID:  CAN-2005-1342  CERT: VU#356070
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  Escape characters embedded in x-man-path URIs could insert
commands into a user's Terminal session
Description:  The x-man-path URI scheme provides support for
displaying manual pages via the Terminal utility.  Insufficient
validation of these URIs can allow data to be inserted into a Terminal
session.  Security Update 2005-005 addresses this by adding escape
sequence validation to the URI handler.  Credit to David Remahl of
www.remahl.se/david for reporting this issue.

VPN
CVE-ID:  CAN-2005-1343
Available for:  Mac OS X v10.3.9, Mac OS X Server v10.3.9
Impact:  A local user can obtain root privileges if the system is
being used as a VPN server
Description:  A buffer overflow in "vpnd" could be used by a local
user to obtain root privileges if the system is configured as a VPN
server.  This problem does not occur on systems that are configured
as a VPN client.  This issue cannot be exploited remotely.  This
update prevents the buffer overflow from occurring.  Credit to
Pieter de Boer of the master SNB at the Universiteit van Amsterdam
(UvA) for reporting this issue.

Security Update 2005-005 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Mac OS X v10.3.9
The download file is named:  "SecUpd2005-005Pan.dmg"
Its SHA-1 digest is:  81c479d52830163f0992482a0b3586acf2cb1cad

For Mac OS X Server v10.3.9
The download file is named:  "SecUpdSrvr2005-005Pan.dmg"
Its SHA-1 digest is:  eb3f5300e2c6062c10e9466eb3c822952e8aba83

Information will also be posted to the Apple Product Security
web site:
http://docs.info.apple.com/article.html?artnum=61798

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQEVAwUBQnfhP5yw5owIz4TQAQLM0gf/ac2bQDY6G+rY27jv0BWXrij0GM9Ay+vk
g9ikbfpVL/IgQLdpjllpn4dHj5NT0l+3TmQmZ1ACkVCsp+tmjr1TXt5k6siy+iHH
RvMZqQGYs7CPZsmqY9bvQpGVHM38E+fo4nn7t00LasCzGuJxDzJqeEswEjN+ANV4
Tj+CYFmJXieWcczt/0QLcDQdLohXxTRy+sgYzABOO0A91KqRixO2Y+cHjCBsp5jg
OzcMVxg37Rez+w8U29tDfUiZoUCGcxGfGhIAPPQp0GFE2wW0cJ+JJe7Yk3LAVefG
dyFZV5qky9pY8t52Vuw0J+QAJhKWwqkCw67gNrZsOw2Dq/AD9hnMFQ==
=MIEm
-----END PGP SIGNATURE-----

 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Security-announce mailing list      (Security-announce@lists.apple.com)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/security-announce/

Copyright 2020, SecurityGlobal.net LLC