The Turkey Curse
fukamis terror chatroom

Local root on MacOS X … still

Prickle-Prickle, 16th Discord, 3171.

Today I stumbled again into the local root exploit for MacOS X called fm-iSink.c which exploits a buffer overflow in the mRouter suid root binary installed by iSync in MacOS X 10.3 by default. It’s been known for over two months now and it still works.

wostok:~/pentesting % system_profiler|grep "System Version"
System Version: Mac OS X 10.3.8 (7U16)
wostok:~/pentesting % cc fm-iSink.c
wostok:~/pentesting % ./a.out
sh-2.05b# whoami
sh-2.05b# id
uid=502(fukami) euid=0(root) gid=502(fukami) groups=502(fukami)

I know it’s “only” a local exploit, and sure there are plenty of bugs not found or disclosed. But for some reason I’m annoyed by reading those sentences on Apple’s pages: “Mac OS X keeps your data safe.” Well, maybe if you don’t grant people access to the machine, so Astro easily got root on Tim’s Ti (no worries, he didn’t do anything harmful). Sorry Apple, I’m not really willing to accept it. We just saw a couple of patches since January and I’m seriously thinking now about switching completely … away from Apple.



  1. sad but true, looking through the source makes it even worse. this seems to be one of the shortest and most stupid buffer-overflows i’ve ever seen. programs having bugs while handling command-line arguments shouldn’t exist anymore. it’s like an example taken from aleph0ne’s buffer overflow tutorial. :(

    Comment by MaxX — Prickle-Prickle, 16th Discord, 3171. @ 57217

  2. How about mentioning the bug number?

    Oh, didn’t you file a bug? If not, then it’s not a bug, it’s just a complaint.

    Comment by J. Random Poster — Prickle-Prickle, 16th Discord, 3171. @ 58769

  3. sadly this seems only the tip of the iceberg…
    … and more …

    Comment by Felix — Prickle-Prickle, 16th Discord, 3171. @ 59951

  4. MaxX: Yep, this is lame.

    Mr. J. Random: Ever tried to file a bug to Apple? Ever tried to find out what bugs are known to Apple and what not (beside CVE)? But anyway: This problem has been known for 2 1/2 months now, it was posted on Bugtraq and the poster mentioned that he has notified Apple (see: Even if he didn’t notify Apple, their security guys should, at least, read sec lists and look out for stuff disclosed that way. If they don’t, it sounds even worse to me, sorry.

    Felix: The bug you mentioned is fixed already.

    Comment by fukami — Prickle-Prickle, 16th Discord, 3171. @ 61935

  5. People keep going on about how Linux or Mac OS X or OpenBSD or whatever doesn’t force you to run as root all the time, the way Windows does. I agree, this is a nice feature, it slows down an attacker… but I’ve had to clean up my share of remote exploits over the years and, regardless of the platform, once the word gets out about an 0wn3d machine it only takes a few days before someone finds a way to escalate privileges enough to get local root and install a rootkit.

    On top of that, even if the OS isn’t trashed, trapdoored, or trojanned… getting ordinary-user access is more than enough to cause you interesting times. Install a keystroke logger, steal your passwords on other sites, use your box to launch attacks on other boxes, set up a spam proxy…

    Yes, a local root exploit is bad, but there’s no point talking about “switching back” because you found one. If someone can run code on your machine it’s not your machine any more, you’re sharing it. Even if they don’t get root you’re still 0wn3d.

    Comment by Peter da Silva — Prickle-Prickle, 16th Discord, 3171. @ 62417

  6. Peter: First of all: I didn’t find that specific bug. I found others but got lost on the way to file that to Apple.

    I’m not “switching back”, I’m a long term MacOS user, I mainly started with it and paid every single version including the betas for Rhapsody. It’s *one* reason why I think about switching away, other reasons have to do with Apple’s behavior on other topics (there’s a German saying something like “Constant dripping wears away the stone”). If a free OS has problems not fixed quickly, it’s a totally different thing from my point of view. Most of these cover different platforms and a huge amount of hardware, Apple only target their own.

    Since I use Mac specific programmes on a large base, it’s not easy for me to switch without thinking about nearly every daily task. I still like many things in this OS, and I like the possibility to even be able to change my workflow using MacOS without changing it in a hard way. I won’t trash my machine and will buy Tiger for sure. But I need to make clear for myself that I’m not dependent i.e. from Apple’s idea of security.

    And I don’t agree with you at all with the last paragraph. This exploit is an absolute no-brainer, and it is no excuse for not fixing problems of those kinds! So what is your conclusion? Don’t fix it, ’cause you shouldn’t let people on your command line anyway? No no no, that’s a bad argumentation. If there’s a known exploit, people are encouraged to try it.

    Comment by fukami — Prickle-Prickle, 16th Discord, 3171. @ 68017

  7. Felix, the local root exploit you posted was fixed in the latest security patch, 2005-003.

    The fm-iSync.c exploit is still active as of March 30, 2005. You can fix it by control-clicking in the Finder on /System/Library/SyncServices/SymbianConduit.bundle and choosing Show Package Contents. From there you can navigate to Contents/Resources and zip up mRouter (which is a command line tool that happens to be SUID and has a buffer overrun bug). Then delete the original mRouter file. Not neat or pretty but it works. Changing owner, SUID or other permissions or deleting the bundle don’t work very well. Changing the owner and permissions is undone by OS X repair permissions and if you delete the bundle it tries to come back when you do Software Update.

    Comment by jdb — Prickle-Prickle, 16th Discord, 3171. @ 75978
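
The following check is an added example, not part of jdb's comment or of any Apple tooling. It reports whether the mRouter file named above is absent, present with the set-user-ID bit, or present without it, so the workaround can be re-verified after repair permissions or Software Update. As a generalization beyond the comment, it also diffs the set-user-ID files under a tree against a saved baseline; the function names and the baseline file are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify that the mRouter workaround still holds.
# MROUTER_REL is assembled from the paths given in the comment above.
MROUTER_REL="System/Library/SyncServices/SymbianConduit.bundle/Contents/Resources/mRouter"

# mrouter_status ROOT -> prints one of: absent | setuid | no-setuid
# ROOT is a volume root: "/" on a live system, or a mounted or test tree.
mrouter_status() {
    f="${1%/}/$MROUTER_REL"
    if [ ! -e "$f" ]; then
        echo "absent"       # file removed: workaround in place
    elif [ -u "$f" ]; then
        echo "setuid"       # set-user-ID bit is set: exposed again
    else
        echo "no-setuid"    # bit cleared; repair permissions may restore it
    fi
}

# list_setuid DIR -> sorted list of regular files under DIR with the
# set-user-ID bit set. Redirect the output to a file to save a baseline.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# new_setuid DIR BASELINE -> set-user-ID files present now but not listed
# in BASELINE (a file previously written by list_setuid).
new_setuid() {
    now=$(mktemp "${TMPDIR:-/tmp}/setuid.XXXXXX") || return 1
    list_setuid "$1" > "$now"
    comm -13 "$2" "$now"    # lines that appear only in the current list
    rm -f "$now"
}

# Stand-alone use: pass the volume root as the first argument.
if [ "$#" -gt 0 ]; then
    mrouter_status "$1"
fi
```
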

  8. “Ever tried to file a bug to Apple?”

    Yes, of course I have. That’s why mine get fixed.

    Comment by J. Random Poster — Prickle-Prickle, 21st Discord, 3171. @ 2800

  9. Fixed in 2005-004. Looks like the only fix in there.

    Comment by Larry — Prickle-Prickle, 36th Discord, 3171. @ 85619

  10. Apple fixed iSink
    Security Update 2005-004
    Available for: iSync 1.5 on Mac OS X v10.2.8 and Mac OS X v10.3.x
    CVE-ID: CAN-2005-0193
    Impact: A buffer overflow in iSync could lead to local privilege escalation.

    Trackback by The Turkey Curse — Setting Orange, 37th Discord, 3171. @ 5243

  11. Apple Security Update 2005-004

    A new Security Update from Apple has just come out that finally fixes the iSink local privilege escalation vulnerability. Here, too, I ask myself: why did this take so long? The exploit has been public since January and App…

    Trackback by NSSecureTextBlog — Setting Orange, 37th Discord, 3171. @ 9106
