Today I stumbled again into the local root exploit for MacOS X called fm-iSink.c, which exploits a buffer overflow in the mRouter suid root binary installed by iSync in MacOS X 10.3 by default. It has been known for over two months now and it still works.
wostok:~/pentesting % system_profiler|grep "System Version"
System Version: Mac OS X 10.3.8 (7U16)
wostok:~/pentesting % cc fm-iSink.c
wostok:~/pentesting % ./a.out
uid=502(fukami) euid=0(root) gid=502(fukami) groups=502(fukami)
I know it’s “only” a local exploit, and sure there are plenty of bugs not found or disclosed. But for some reason I’m annoyed by reading those sentences on Apple’s pages: “Mac OS X keeps your data safe.” Well, maybe if you don’t grant people access to the machine; Astro easily got root on Tim’s Ti this way (no worries, he didn’t do anything harmful). Sorry Apple, I’m not really willing to accept it. We have just seen a couple of patches since January, and I’m seriously thinking now about switching completely … away from Apple.