A few weeks ago my Vaio toasted out. I’ve been using an old Dell laptop as a replacement, which was previously being used as a NAS server box. To replace the NAS, I dusted off my sister’s old MacBook and tried to wrestle OS X into shape, including writing a patch for rsync to deal with OS X’s awful UTF-8 semantics (NFC vs NFD), but this is for another post. While waiting for things to transfer, I was auditing my colo, and I typed find / -type f -perm -4000 into the Mac’s SSH session by accident. Before I could Ctrl+C out of it, I noticed “hey, weird, why’s Tunnelblick need an SUID helper?”.
Coincidentally, a friend was just touting the high quality UNIX tools OS X has to offer. I was skeptical.
When either Viscosity or Tunnelblick is installed, an unprivileged user can elevate permissions to become root (the Administrator user).
Here are the relevant links:
Tunnelblick Vulnerability
Viscosity Vulnerability

CVE Assignment for Tunnelblick

CVE-2012-3483:
  1. A race condition in file permissions checking can lead to local root (TOCTOU).

CVE-2012-3484:
  2. Insufficient checking of merely 0:0 744 can lead to local root on systems with particular configurations.

CVE-2012-3485:
  3. Insufficient validation of path names can allow for arbitrary kernel module loading, which can lead to local root.
  4. Insufficient validation of path names can allow execution of arbitrary scripts as root, leading to local root.
  5. Insufficient path validation in errorExitIfAttackViaString can lead to deletion of files as root, leading to DoS.

CVE-2012-3486:
  6. Allowing OpenVPN to run with user given configurations can lead to local root.

CVE-2012-3487:
  7. Race condition in process killing (TOCTOU).

CVE Assignment for Viscosity

CVE-2012-4284:
  Insufficient validation of path names can allow execution of arbitrary python code as root, leading to local root.