OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
[Full-disclosure] Local Privilege Escalation in Norton AntiVirus for Mac

From: William A. Carrel (william.acarrel.org)
Date: Fri Nov 02 2007 - 10:49:16 CDT


Text from URL: http://blog.carrel.org/2007/11/security-advisory-norton-antivirus-for.html

== Synopsis ==

Symantec's Norton AntiVirus for Macintosh (NAV) contains a
vulnerability that can lead to local privilege escalation from group
admin to root (the super-user) without any of the usual password
prompts Mac OS X presents for gaining super-user access. Group admin
includes any users with the "Allow this user to administer this
computer" box checked, this generally includes the first user created
in an OS X install. This vulnerability is caused by a setuid-root
binary in NAV which automatically runs another binary in a location
where it can be replaced by users with group admin permissions. Since
most Mac OS X users are in group admin on their computers, most NAV
users will be vulnerable.

== Mitigation ==

The easiest (and most foolproof) mitigation strategy is to uninstall
NAV. (I sure don't feel very secure when a vendor allows a local
privilege escalation vulnerability to fester in their security
software for over 9 months. Your feelings may vary.)

Set the sticky bit on all directories between the vulnerable binary
and the filesystem root that are writable by group admin. This can be
done in Terminal.app with sudo chmod +t / /Library
/Library/Application\ Support /Library/Application\ Support/Symantec
/Library/Application\ Support/Symantec/SmallScanner.app etc. Keep in
mind that running "Repair Permissions" on your disk will remove this
change and leave your NAV install vulnerable once again. Apple has set
the sticky bit on / and /Library by default on Mac OS X 10.5, but not
/Library/Application Support and obviously not on the directories that
NAV is installed into.

== What Symantec Had to Say ==

The last time I heard from Symantec was August 29th:

As you know, Symantec developers reviewed the issue concerning NAV for
the Mac that you sent to us, and agreed that there is cause for
concern. However, they felt that the same problem could potentially
affect other vendor's[sic] software as well. We contacted Apple
Product Security, and suggested some changes that could improve
security for everyone.
...
Symantec does not currently plan to make changes to our existing
products to directly address the problem you reported. The changes
would require considerable architectural modifications for those
products, and the changes could cause other problems for those
products if Apple subsequently release an OS update to address the
underlying problem.
...

== Timeline ==

Just in case people think the vendor didn't have enough time to
address this, here's the timeline:

2007-Jan-16 - Reported issue to Symantec
2007-Jan-17 - Symantec will "review as soon as possible"
2007-Jan-31 - Symantec "working on planning a fix", will coordinate
release when product update has ETA
2007-Apr-20 - Symantec thinks it would be better if Apple made changes
to Mac OS X to fix the problem in NAV
2007-Jun-21 - Contacted Apple for status
2007-Jun-22 - Apple communicates the changes they're going to make for
Leopard. These changes are not enough to workaround Symantec's
vulnerable software.
2007-Aug-29 - Symantec says they've made suggestions to Apple, but
otherwise aren't going to do anything to fix this issue (see the quote
in the previous section)
2007-Oct-01 - It turns out that Apple's Leopard builds at the time
didn't do enough to cover up the vulnerability in NAV
2007-Oct-11 - Contacted Symantec and Apple to let them know I was
going to post this Nov-1
2007-Nov-1 - Today.

== Details ==

SmallScanner is run as root by the setuid-root binary
/Library/Application
Support/Symantec/AntiVirus/DiskMountNotify.app/Contents/MacOS/DiskMountNotify.
E.g. after inserting a data cdrom:
root 8734 28.9 -2.1 616152 43596 ?? U 7:51PM 0:16.13
/Library/Application
Support/Symantec/AntiVirus/SmallScanner.app/Contents/MacOS/SmallScanner

Unfortunately /Library/Application Support/ is writable by group admin and by
mv'ing the Symantec subdirectory out of the way and installing a tree of
symlinks in its place except for malware in place of SmallScanner arbitrary
code can be executed as root. That is you can trampoline from group admin to
user root. (There were a variety of other ways to do this that were coming out
of the woodwork back in January.)

Using the symlink method described above to replace SmallScanner with
the following shell script...
<<EOF
#!/bin/sh

touch /tmp/uhoh.this.is.very.bad.news
exec /Library/Application\ Support/Norton\ Solutions\ Support/Norton\
AntiVirus/SmallScanner.app/Contents/MacOS/SmallScanner
EOF

And then inserting a disk (or using hdiutil to mount a disk image)
results in normal looking behavior along with a new file...
-rw-r--r-- 1 root wheel 0 Jan 15 20:10 /tmp/uhoh.this.is.very.bad.news

== Etc. ==

I'd like to thank the Apple Product Security team for being more
forthright in their communication with me on this issue, it was a lot
better than my previous interactions. I'd like to apologize to all the
users that have been unknowingly insecure for the past 289 days, I
think I like full disclosure better too given the way vendors seem to
drag their feet.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/