Security Update 2003-08-14 Released

Delta-9 writes "Today, Apple released Security Update 2003-08-14, which 'addresses a potential vulnerability in the fb_realpath() function which could allow a local or remote user to gain unauthorized root privileges to a system.'" It's on Software Update, and will likely soon appear on the support downloads page.

Some info about the vulnerability

[remahl]

The security update addresses the following vulnerability: http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.t xt Users who haven't activated the FTP server in the Sharing preference pane should not be vulnerable in any way to this bug. Furthermore, FTP servers running with anonymous access, aren't vulnerable either (unless anonymous write access is enabled), since the overflow exploit requires creating deep hierarchies of directories. Only users with regular accounts on the machine can use this bug to gain more privileges on the machine. The advisory claims to have successfully exploited the problem on several Linux i386 platforms, but they "believe that exploitation of other little-endian systems is also possible". Note "litle-endian". This may suggest that the bug is not exploitable in a useful way on big-endian machines (like all Mac's, for example). Or it may simply suggest that they haven't investigated the matter thoroughly on big-endian processors. The advisory was posted some full two weeks ago, meaning that Apple was not as quick to respond as they normally are. Perhaps they were a bit too involved in Panther right now, and had to let this relatively minor insecurity wait a little while.

Re:Some info about the vulnerability

The FTP server included with Jaguar and Panther is lukemftpd, not wu-ftpd.

But that's okay. Don't let the facts get in the way of your skreed. Carry on.

Re:Some info about the vulnerability

[Klaruz]

No, apple didn't use wu-ftpd, give them some credit, they used lukemftpd. Originally from netbsd I believe.

The realpath() function from bsd calculates the length of a resolved directory path. The problem is an off by one error. It actually affects more than than just an ftp deamon since it's a library function, just like the gzip vulnerabilty a while ago. See the sans report for more info.

3 days from disclosure to security update is pretty good though.

Re:Some info about the vulnerability

[Klaruz]

Anything but wu-ftp. I like pure ftpd, YMMV.

However, if you use os x just stick with the stock ftpd since it's not wu-ftp. Like I said earlier, the bug wasn't with the ftpd, it was a library call. Just run software update and get on with your life.

Ok, people. I'm really sorry.

[remahl]

It looks like I jumped the gun on this...On several levels...

First, wu-ftpd is not the ftp server in Mac OS X. lukemftpd is.

Second, the most relevant advisory is not the quoted one, but this one (which previously appeared on Slashdot): FreeBSD-SA-03:08.realpath.

As the name implies, the bug originates from FreeBSD, and potentially leaves a long list of programs vulnerable (listed in the advisory).

This means that the problem is broader than my original message anticipated. It means that other remote services may be vulnerable, including sftp.

Thanks to the anonymous user who brought my attention to my (pretty bad) mistake.

Please spread this information instead of the wrongful information in the parent post. Mod parent down.

Re:Beware of updating...

No problem here using Camino 0.7. Just finished the install of the update with reboot.

Not Panther

[Draoi]

I've just tried running it on Panther DP1 & it doesn't want to install.Better wait, I guess ...

Furthermore, I just noticed that the installer said; "The installer needs to run a program to determine if it can be installed. Do you want to continue?" - that's a cool security feature!

Oh, and the update is now up on Apple's downloads page