
Re: [Full-disclosure] oh oh 0 day - MyTV/x Version 3.6.6 & 4.0.8 for MyTV.PVR allows local authentication bypass and root access on Apple Mac OS X



I don't recall off the top of my head what they were but there are  
other ways to use this program to obtain root. I believe the scheduled  
recording can be used to leverage root if I remember correctly.
-KF

On Nov 26, 2007, at 10:15 AM, David Wharton wrote:

> Version 1.0
> October 1996
>                       CERT(R) Coordination Center
>               Product Vulnerability Reporting Form
>
> CONTACT INFORMATION
> =============================================================================
>
>  Name                 : David Wharton
>  E-mail                       : security@xxxxxxxxxxxxxxx
>  Phone / fax          :
>  Affiliation and address: Information Security Graduate Student at
> Georgia Tech (http://www.cc.gatech.edu/education/grad/ms-infosec)
>
>
> Have you reported this to the vendor?  [yes/no] yes
>
>         If so, please let us know whom you've contacted:
>
>       Date of your report     : 5 Apr 2007
>       Vendor contact name     : Pedro Muniz
>       Vendor contact phone    :
>       Vendor contact e-mail   : techsupport@xxxxxxxxxxxxxx (April 5, 2007),
> pmuniz@xxxxxxxxxxxxx (April 18, 2007, May 10, 2007)
>       Vendor reference number :
>
>
> POLICY INFO
> =============================================================================
> We encourage communication between vendors and their customers.  When
> we forward a report to the vendor, we include the reporter's name and
> contact information unless you let us know otherwise.
>
> If you want this report to remain anonymous, please check here:
>
>       ___ Do not release my identity to your vendor contact.
>
>
> TECHNICAL INFO
> =============================================================================
> If there is a CERT Vulnerability tracking number please put it
> here (otherwise leave blank): VU#______.
>
>
> Please describe the vulnerability.
> Summary:
> MyTV/x Version 3.6.6 & 4.0.8 for MyTV.PVR allows local authentication
> bypass and root access on Apple Mac OS X.
>
> Details:
> MyTV/x Version 3.6.6 & 4.0.8 for MyTV.PVR is the software that ships
> with MyTV, a Personal Video Recorder (PVR) manufactured by Escape
> Labs (http://www.eskapelabs.com/mytv.html).  MyTV.PVR is an external
> hardware device that connects to a computer via USB.  The PVR
> hardware can receive infrared signals and this is designed to support
> input from a channel changer.  However, when a computer running MyTV/
> x version 3.6.6 or 4.0.8 on Apple Mac OS X (I have confirmed this is
> true for 10.4.9-10.4.11 but do not know about other versions of OS
> X) starts up, a local user can, without authenticating, cause the
> MyTV/x software to launch as root.  When the program launches, it
> brings up the MyTV/x menus along with the Apple menu.  From the Apple
> menu, you can open up System Preferences and because you are running
> as root, you can add (and remove) users, including Administrators.
> After fooling around with it, I was able to get to the Finder, open a
> shell, and verify that root access had been gained.
>
> Steps To Reproduce:
> 1) Install MyTV/x Version 3.6.6 or 4.0.8 and attach (and power on)
> MyTV.PVR.
> 2) (Re)boot.
> 3) When the authentication "window" comes up asking you to log in to
> OS X, point the channel changer (this is included with MyTV.PVR) at
> the PVR device and press the "Power" button.
> 4) MyTV/x launches (as root) and gives access to the Apple menu which
> gives access to the entire computer.
>
> What is the impact of this vulnerability?
> - -----------------------------------------
>
>    a) What is the specific impact:
>       Local user can gain root access without doing any authentication
>    b) How would you envision it being used in an attack scenario:
>       Well, you have to have physical access and be running the vulnerable
> software as well as its associated hardware but if the situation is
> right, root access can be gained and then there are a myriad of
> possibilities....
>
> To your knowledge is the vulnerability currently being exploited?
> - -----------------------------------------------------------------
>       [yes/no] no
>
> If there is an exploitation script available, please include it here.
> - ---------------------------------------------------------------------
>
> Do you know what systems and/or configurations are vulnerable?
> - --------------------------------------------------------------
>       [yes/no]  (If yes, please list them below)
>       
>       yes
>       
>       System          : Apple Mac
>       OS version      : 10.4.9, 10.4.11
>       Verified/Guessed: verified 10.4.9, 10.4.10, 10.4.11, guessed 10.x
>
>       Software: MyTV/x Version 3.6.6
> (http://www.eskapelabs.com/files/CD-MYPVR-V1.4.dmg.gz)
>                 MyTV/x Version 4.0.8
>
> Are you aware of any workarounds and/or fixes for this vulnerability?
> - ---------------------------------------------------------------------
>       [yes/no] (If you have a workaround or are aware of patches
>             please include the information here.)
> no
>
>
> OTHER INFORMATION
> =============================================================================
> Is there anything else you would like to tell us?
>
> Some pictures of root access without authenticating are available
> upon request.  I spoke with Apple about this vulnerability and they
> said, "Mac OS X applications running as root are allowed to display
> UI even when no user is logged in."  Apple encouraged me to continue
> to work with CERT and Escape Labs on this issue.
>
> - --------
> CERT and CERT Coordination Center are registered in the U.S. Patent
> and Trademark office.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
