MoAB: Exploit The Root Is The Name Of The Game
The MoAB (Month of Apple Bugs) disclosure published today is perhaps the most serious one so far.
Apple users are very often said to be immune to virus and malware infection. LMH, the author of the Month of Apple Bugs, reports that the first part of the problem is that several programs in the Applications folder run as root. The second part is that users have permission to write to or overwrite those programs. Once a malicious binary is installed in place of one of them and the permissions are reset, the installed binary and its malicious code run as root. So if an attacker can get a user to overwrite a binary that runs as root, and the rights are then restored, the malware is installed and the system is compromised.
It's not uncommon to install or overwrite files in this way. Users need write permission to the Applications folder in order to install programs or perform software updates. The fact that repairing permissions is a common troubleshooting step among Macintosh users further simplifies the task for this kind of exploit.
The exploit is worth worrying about, because the user can write to or overwrite files in the Applications folder with these permissions. Hijacking legitimate programs that run as root means that malicious code inserted into their binaries will also run at root's privilege level. There is no way to stop such infections once they occur.
LMH describes a scheme in which a virus-like program inserts code into the affected binaries so that it executes ahead of the real program. Because that code runs as root, exactly as the real program does, it can do just about anything.
LMH did not disclose the details of exactly how computers can be infected in this way. However, LMH stated that he and Gil Dahah are developing a proof of concept, which they plan to release to anti-virus firms before distributing it publicly.
Malicious individuals with physical access to a computer system may find such code the most powerful tool for carrying out remote attacks. They only need to trick the user into running the malicious code, and they can do so simply by combining it with a different vulnerability that remotely executes arbitrary code.
A temporary workaround suggested by MoAB is to remove the setuid bit from the Disk Management Tool binary that is used for repairing permissions.
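The risky combination the article describes, a root-privileged (setuid) binary that ordinary users can overwrite, is something an administrator can audit for directly. The following shell script is an added example, not code from the article or from LMH/MoAB: it lists setuid or setgid files under a directory that are group- or world-writable, and applies the same kind of fix the workaround above suggests (clearing the setuid bit, plus the stray write permission). The files it creates under a temporary directory are constructed fixtures for the demo; the function and file names are this example's own.

```shell
#!/bin/sh
# Added audit example (not from the article or from MoAB). Finds files that
# combine a privilege bit (setuid/setgid) with write access for non-owners,
# which is the condition the article warns about, and hardens them.

# Print every regular file under $1 that has setuid or setgid set AND is
# group- or world-writable, one path per line, sorted. POSIX find is used:
# "-perm -XXXX" means "all of these mode bits are set", so each clause
# tests exactly one bit.
audit_writable_setuid() {
    find "$1" -type f \
        \( -perm -4000 -o -perm -2000 \) \
        \( -perm -0020 -o -perm -0002 \) 2>/dev/null | sort
}

# Remediation in the spirit of the suggested workaround: clear setuid and
# setgid on each reported file, and drop group/world write so it cannot be
# overwritten by other users. Files the audit does not report are untouched.
harden_writable_setuid() {
    audit_writable_setuid "$1" | while IFS= read -r f; do
        chmod u-s,g-s,go-w "$f"
    done
}

# Build a constructed test tree in a temporary directory and print its path.
# These are empty placeholder files, not real Apple binaries.
make_fixture() {
    d=$(mktemp -d)
    : > "$d/safe_tool";  chmod 4755 "$d/safe_tool"   # setuid, owner-writable only: fine
    : > "$d/weak_tool";  chmod 4777 "$d/weak_tool"   # setuid AND world-writable: reported
    : > "$d/group_tool"; chmod 4775 "$d/group_tool"  # setuid AND group-writable: reported
    : > "$d/plain";      chmod 0777 "$d/plain"       # writable but not privileged: ignored
    printf '%s\n' "$d"
}

# Stand-alone run: audit the fixture, harden it, audit again, clean up.
if [ "${1:-}" = "--demo" ]; then
    fx=$(make_fixture)
    echo "Before hardening:"; audit_writable_setuid "$fx"
    harden_writable_setuid "$fx"
    echo "After hardening:";  audit_writable_setuid "$fx"
    rm -rf "$fx"
fi
```

Run it with `sh audit.sh --demo` to see the two weak fixture files reported and then cleared; to audit a real tree, call `audit_writable_setuid /Applications` and review the list before hardening anything, since removing setuid from a tool that genuinely needs it (the article's own workaround accepts this trade-off for the permission repair tool) can break it.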
Related article: MoAB Disclose Two Bugs On Two Successive Days
» SPAMfighter News - 20-01-2007