Mac OS X Security update is now in your Software Update control panel:

Security Update 2003-08-14 addresses a potential vulnerability in the fb_realpath() function which could allow a local or remote user to gain unauthorized root privileges to a system.

Anybody in the know know what the fb_realpath() function actually is? I'm curious. :)

My thread got tossed. :(

Anyway, I installed it, even though I have no idea what it does or means. No problems so far. But then again i didn't see a problem to begin with. :rolleyes:

Issue:
======


Wu-ftpd FTP server contains remotely exploitable off-by-one bug. A local
or remote attacker could exploit this vulnerability to gain root
privileges on a vulnerable system.



Details:
========


An off-by-one bug exists in fb_realpath() function. An overflow occurs
when the length of a constructed path is equal to the MAXPATHLEN+1
characters while the size of the buffer is MAXPATHLEN characters only.
The overflowed buffer lies on the stack.


The bug results from misuse of rootd variable in the calculation of
length of a concatenated string:


------8<------cut-here------8<------
/*
* Join the two strings together, ensuring that the right thing
* happens if the last component is empty, or the dirname is root.
*/
if (resolved[0] == '/' && resolved[1] == '\0')
rootd = 1;
else
rootd = 0;


if (*wbuf) {
if (strlen(resolved) + strlen(wbuf) + rootd + 1 > MAXPATHLEN) {
errno = ENAMETOOLONG;
goto err1;
}
if (rootd == 0)
(void) strcat(resolved, "/");
(void) strcat(resolved, wbuf);
}
------8<------cut-here------8<------


Since the path is constructed from current working directory and a file
name specified as an parameter to various FTP commands attacker needs to
create deep directory structure.


Following FTP commands may be used to cause buffer overflow:


STOR
RETR
APPE
DELE
MKD
RMD
STOU
RNTO


This bug may be non-exploitable if size of the buffer is greater than
MAXPATHLEN characters. This may occur for example if wu-ftpd is compiled
with some versions of Linux kernel where PATH_MAX (and MAXPATHLEN
accordingly) is defined to be exactly 4095 characters. In such cases,
the buffer is padded with an extra byte because of variable alignment
which is a result of code optimization.


Linux 2.2.x and some early 2.4.x kernel versions defines PATH_MAX to be
4095 characters, thus only wu-ftpd binaries compiled on 2.0.x or later 2.4.x
kernels are affected.



Exploit:
========


We investigated and successfully exploited this vulnerability on x86 based
Linux system running 2.4.19 kernel. We believe that exploitation of other
little-endian systems is also possible.



Impact:
=======


Authenticated local user or anonymous FTP user with write-access could
execute arbitrary code with root privileges.

It sounds like this is a security fix for the "just in case", it may never be an issue, but it's good that Apple is finding and addressing any possible problems so we don't end up with a potential security risk.

Originally posted by Powerbook G5
It sounds like this is a security fix for the "just in case", it may never be an issue, but it's good that Apple is finding and addressing any possible problems so we don't end up with a potential security risk.

Especially with such hi-profile worms on the web moving around causing disruptions... albeit to windows machines, but who's to say the next one to come out doesn't try and exploit this?

Originally posted by Mudbug
Especially with such hi-profile worms on the web moving around causing disruptions... albeit to windows machines, but who's to say the next one to come out doesn't try and exploit this?

But if you're not running ftp and your firewall blocks the port isn't this not really an exploit?

I haven't examined the bug in depth, but it gave me a scare, so I thought I'd just give you guys my notes.

Originally posted by jaedreth
We believe that exploitation of other
little-endian systems is also possible.

I doubt they would phrase it like that unless they believed that the problem was restricted to little-endian systems. Macs are big-endian.

Also, keep in mind that this is only applicable to you if you run FTP with a guest/anonymous login with write privileges, or don't trust one of your user accounts with root access.

Other than that, seems pretty scary. Remote root exploits are the worst kind.

There is a list of unix commands that can be run in such a way to create the exploit, and thus, even with firewall on and ftp off, it is possible for a user of the computer (who is not admin) to run a file in such a way to gain access.

So since it is possible for a non Admin user to gain Root access via the exploit, it is a very serious security risk.

Please update immediately.

Thank you.

Jaedreth

Am I wrong or is this similar to the vulnerability that was discovered in the Windows systems?

They both use a buffer overflow and they both allow an unauthorized user to execute code on the target machine -- right?

Is there some reason why the *nix version of the buffer overflow vulnerability is less of a concern that it is/was for the Windows systems?

"Little-endian"? "Big-endian"? Is this explainable in a sentence or two?

I would love a bit of coaching on this if anyone's so inclined...

Originally posted by jaedreth
There is a list of unix commands that can be run in such a way to create the exploit, and thus, even with firewall on and ftp off, it is possible for a user of the computer (who is not admin) to run a file in such a way to gain access.

Uhhh...and what exactly would that "list of unix commands" be?

The exploit is in fb_realpath, a function in the FTP daemon.

BTW, here's some exploit code:
http://www.derkeiler.com/Mailing-Lists/Securiteam/2003-08/0010.html

Anyone wanna try this against one of their own systems?

Originally posted by idea_hamster
Am I wrong or is this similar to the vulnerability that was discovered in the Windows systems?

They both use a buffer overflow and they both allow an unauthorized user to execute code on the target machine -- right?

Is there some reason why the *nix version of the buffer overflow vulnerability is less of a concern that it is/was for the Windows systems?

You're right, they are fundamentally the same coding error.

In this case, the UNIX version is less of a problem because you need certain access to get to the point where you can cause the overflow. On the Windows exploit, it is very easy to get to that point, and you don't need any privileges on the target machine.

In a way, it is due to the philosophical differences; on Unix-like machines, you typically can't get very far "in the code" without having some sort of permission, either enabled by the owner of the machine, or granted through a user account.

"Little-endian"? "Big-endian"? Is this explainable in a sentence or two?

Internal byte order. Google is your friend.
http://info.astrian.net/jargon/terms/l/little-endian.html

Like I said, I haven't looked at the bug in depth, so I don't know how this applies here, but you don't usually bring that kind of stuff up unless it has something to do with the issue at hand.

How prompt is Apple about incorporating Darwin security fixes? What I'm wondering is, when a Unix security flaw that applies to Darwin is discovered by others and reported on the Internet, is Apple pretty quick to apply the patch and issue a Security Update?

When was that report posted, jaedreth?

The report I quoted was posted on the 10th of August, this year.

Four days, not bad for Apple.

Jaedreth

I say that Apple was pretty quick with the patch, especially considering they have their hands with with multiple projects as is.

WOW!!!!! FIX EVERYTHING

Originally posted by idea_hamster
[B]Am I wrong or is this similar to the vulnerability that was discovered in the Windows systems?


Similar ... but totally dissimilar :)

This bug is limited to those who run FTP software. The patch is pretty minor, and -- whilst theoretically quite nasty -- it does not replicate itself.

[edit: if this is the same bug as that which led to the r00ting of the GNU FTP server, then it's not theoretical any more.]

I've spent the past few days dealing with the MSBlast worm at work. This flaw caused the RPC server process (an integral part of the Microsoft Networking system) to fail. Windows' default response to this was a mandatory, non-cancellable reboot. Systems would not stay online long enough to download or serve the patch to them.

The Unix bug appears to affect a particular piece of FTP server software (apologies if this is incorrect - I need to read up on it). Are you free to use another FTP server? Of course! Could you use a different RPC server for Windows? Not a chance.

Antivirus software was fully up-to-date and functioning, but not particularly useful. It would detect and remove the worm, but because of the flaw, the machine would be reinfected within minutes.

Quite a headache, but we're sorted now. You're probably wondering why we weren't already patched. Only a very very brave admin configures Windows workstations to automatically apply MS patches. Chances are, you'll come in to work one morning and find every machine's unable to run one of your vital apps, or a setting's been changed 'for security', disabling something you've got set up on purpose.

We're implementing Software Update Services over the next few days to allow us to easily test, approve and distribute patches.

Gimme a break - I've only been there a month ;) I can't start surreptitiously replacing Dells with Xserves just yet.

Just to bring things back on topic: OS X and other Unices, by their very design, have great advantages over Windows in these sorts of situations. Unix is 'shallow and wide' -- many task specific components working together, but not necessarily dependent upon each other, to form the whole environment. Windows is 'deep and narrow' - a precarious house of cards, where too many assumptions are made by the system about its own state. Guess which is more tolerant of faults and which is easier to fix with a good degree of certainty about the stability of the system after the fix is applied?

Administering Windows networks is a bit like trying to sword-swallow while someone's tickling your feet.

(And if that's not the weirdest analogy I come up with this week, I'll buy a hat and eat it.)

Originally posted by Powerbook G5
I say that Apple was pretty quick with the patch, especially considering they have their hands with with multiple projects as is.

that suggests that the creative department is charge of software updates as well as apple legal. I bet they have people who deal soley with this stuff.

Prompt security updates are almost always a good thing, but I can see a slight downside. Those with broadband connections can simply accept regular updates and not think twice, in a sense letting Apple be their security manager, keeping the O.S. up to date no matter how often these changes show up.

But imagine if there were updates every day or two. Low-speed (modem) users would have to check the size and description of each patch to decide if they want to take the time to download it, or whether to wait for yet another patch that might supercede it later anyway. If they weren't at risk for that particular security flaw (which is hard to judge if you aren't technical enough), they'd likely skip it.

I'm not blaming Apple. I think they are making the right choice: offer updates promptly, describe them, and let users decide when to install them.

Originally posted by simX
Anybody in the know know what the fb_realpath() function actually is? I'm curious. :)

"The realpath(3) function is used to determine the canonical, absolute pathname from a given pathname which may contain extra ``/'' characters, references to ``/./'' or ``/../'', or references to symbolic links."

Taken from :

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:08.realpath.asc

Originally posted by jaedreth
The report I quoted was posted on the 10th of August, this year.

Four days, not bad for Apple.


The bug was posted to the FreeBSD security list on the 4th, so 10 days, but still not bad.

Originally posted by Alexander
The exploit is in fb_realpath, a function in the FTP daemon.

The bug is in the C function realpath, part of the FreeBSD standard libraries, which i assume wu-ftpd borrowed and renamed fb_realpath. It is not limited to ftp servers, but as jaedreth mentioned, may affect a large list of software (stressing the may, since it depends how the software uses the function). The FreeBSD advisory above has a list of applications that use realpath.

Whether other applications are affected on OS X is another matter, but potentially it's serious.

I just did a quick search. I was surmising that it would affect BSD systems as well, since it affected OS X, and turns out I was right. Thanks again, great info.

Jaedreth

awwww, nuts. now i have to spoil the uptime on my ftp server.

6:53PM up 86 days, 16:12, 2 users, load averages: 1.71, 1.74, 1.66

Originally posted by Doctor Q
Prompt security updates are almost always a good thing, but I can see a slight downside. Those with broadband connections can simply accept regular updates and not think twice, in a sense letting Apple be their security manager, keeping the O.S. up to date no matter how often these changes show up.

But imagine if there were updates every day or two. Low-speed (modem) users would have to check the size and description of each patch to decide if they want to take the time to download it, or whether to wait for yet another patch that might supercede it later anyway. If they weren't at risk for that particular security flaw (which is hard to judge if you aren't technical enough), they'd likely skip it.

I can see your point, but most of these security issues really only become a problem or risk when using a full time broadband connection. So being on dial-up saves you in a way. Did you know you can take your computer to any Apple store and hook up to get updates? Call ahead, and they will take care of you at no charge. Toting in your PowerMac isn't as bad as it sounds.

I know this seems odd, but imagine my surprise.
In my home/Documents folder I have a subfolder named "Unstuffed". I have dircted Stuffit to place all of its results in this folder. It's been there for over a year. After running todays security update the subfolder was renamed "Documents", and a file called "Documents.1" was created in the original "Documents" folder. So now, in my home/Documents folder I have a subfolder called "Documents" (with the contents of the old "Unstuffed" folder) and a strange zero k file called "Documents.1".
Never seen that happen before.

Originally posted by Bob Knob
I can see your point, but most of these security issues really only become a problem or risk when using a full time broadband connection. So being on dial-up saves you in a way. Did you know you can take your computer to any Apple store and hook up to get updates? Call ahead, and they will take care of you at no charge. Toting in your PowerMac isn't as bad as it sounds.

<OT>
Now wouldn't it even be cooler if you could just dial into an Apple Store and get updates for free? :D
</OT>

10 days for Apple to respond isn't as bad as it sounds to me, at least. I guess they'd do some more tests of their own rather than just blindly copying the fixes from the community (or at least I'd like to think they'd to that). They are after all still maintaining v10.0, 10.1, 10.2, and 10.3.

But most users who don't have wu-ftpd up and running shouldn't be affected too much (unless there's another service/app that uses that same function). Also, has anyone tried replacing wu-ftpd with something "more" secure? I don't mean just downloading an app and running it instead of wu-ftpd, but have Apple's default choice point to another app instead.

Originally posted by zimv20
awwww, nuts. now i have to spoil the uptime on my ftp server.

no, you shouldn't have to. just patch it and kick ftpd down & up again, that's the *nix way ;) though apple patch installer may insist rebooting... thanks to "majority of users" who cannot add paper to printer without consulting technical support.

Originally posted by JFreak
no, you shouldn't have to. just patch it and kick ftpd down & up again, that's the *nix way ;)

ahhhhh, sweet unix.

but never mind -- i used the opportunity to get from 10.2.3 to 10.2.6.

Why on earth are there 15 positive and 15 negative??

Originally posted by Doctor Q
I'm not blaming Apple. I think they are making the right choice: offer updates promptly, describe them, and let users decide when to install them.

The only thing I don't like about these updates is that most of the time a reboot is required. And I love to check the uptime of my machine and say 'hmmm 32 days, what an OS' :D

some one posted about getting updates all the time well a couple of weeks ago i was in my local pc store and happend to be helping out as you do and was doing an update for windows xp within the space of 10 minutes there were 5 critical updates 12 system updates and 4 that were not really needed what got me was the system was brand new we were using a direct cable connection and the speed of the downloads was fine its the actual install situaitons that get me they take forever to install once there downloaded alos the fact that the updates were so close together and this happens nearly every day some fault here some bug there what the hell are they playing at over there at redmond maybe its just me but since i got in on the Mac Game i havent had to update to much and ive had the system for 2 months now and all is well i just update the system updates as i dont use many of the i software

I give Apple a solid 8/10 for the lack of updates needed

riiiiiiiiiiiight.

Anyway, this is good stuff. I'm always impressed with how fast Apple chucks out security updates after they're discovered, and there's so few of them :)

AppleMatt

Originally posted by iTag
some one posted about getting updates all the time well a couple of weeks ago i was in my local pc store and happend to be helping out as you do and was doing an update for windows xp within the space of 10 minutes there were 5 critical updates 12 system updates and 4 that were not really needed what got me was the system was brand new we were using a direct cable connection and the speed of the downloads was fine its the actual install situaitons that get me they take forever to install once there downloaded alos the fact that the updates were so close together and this happens nearly every day some fault here some bug there what the hell are they playing at over there at redmond maybe its just me but since i got in on the Mac Game i havent had to update to much and ive had the system for 2 months now and all is well i just update the system updates as i dont use many of the i software

Wow. Anybody know whether that sets a record for sentence length in this forum? ;)

(J/K, iTag.)

I just installed the security update and now excel and powerpoint launch but immediately "unexpectedly quit". Word appears to be unaffected, has anyone else experienced this problem, can anyone suggest a solution!?

Thanks, Alexander and displaced -- those responses to my super-basic security question are much appreciated! (Since I'm in downtown NYC, I read them....)

Originally posted by BaghdadBob
Why on earth are there 15 positive and 15 negative??

The funny thing is, Arn could post on the main page "Great news! I just won the lotto and I am giving every member of MacRumors $100!" and people would probably still rate the story as negative.

Not to be a troll... but is ftp ever going to function properly with OS X. This is such a basic thing...

I knew ftp before http (1993 or earlier). :rolleyes:

Troll! Flame him!

Only joking. I don't know to be honest, ftp always crashes on me in Jaguar unless I use a 3rd party app. To be honest I haven't tried it in Panther, but I will and report back.

It has been a major complaint though, I would be surprised if it was still an issue. Most other complaints (password on wake, labels etc) have been addressed.

AppleMatt

no, you shouldn't have to. just patch it and kick ftpd down & up again

Is this true, can anybody please confirm this? And how do I stop and start ftpd? I can start and stop the ftp server via the system preferences. Does this do the trick? With ftp running, and I know it worked, I've never seen anything called ftpd with top.
And does this bug only concerns the ftp server? I'm asking, since the finder can also mount ftp servers. Thanks for any help.
(I wouldn't mind having the software update sitting in the dock telling me to restart, I just don't want to ruin my uptime record.)

Aren't there occasions when you should need to restart Mac OS X but not Darwin, such as when OS X code (like the Finder) is affected but not the core O.S., or when a service (like ftpd) need only be turned off and on again? Are all these system restarts just a lazy, overkill approach to software updates? Should we be demanding a stop to unnecessary restarts?

Upon rebooting after installing the 8-14 security update, I am not able to compose an email without crashing. Anyone having similar problems?

javascript:smilie(':confused:')

Originally posted by Doctor Q
Should we be demanding a stop to unnecessary restarts?

Yes. It's lazy, un-necessary, causes more wear on internal components, drains battery life and creates unnecessary downtimes.

It's always annoyed me. Eliminating it would also give us another thing to brag about.

AppleMatt

Originally posted by rvlaha
Upon rebooting after installing the 8-14 security update, I am not able to compose an email without crashing. Anyone having similar problems?

javascript:smilie(':confused:')
No problems here.

Originally posted by Bob Knob
Did you know you can take your computer to any Apple store and hook up to get updates? Call ahead, and they will take care of you at no charge.

Hm, that's useful when the nearest Apple Store is just about 10.000km away ;)

Originally posted by manu chao
Is this true, can anybody please confirm this? And how do I stop and start ftpd? I can start and stop the ftp server via the system preferences. Does this do the trick? With ftp running, and I know it worked, I've never seen anything called ftpd with top.
And does this bug only concerns the ftp server? I'm asking, since the finder can also mount ftp servers. Thanks for any help.
(I wouldn't mind having the software update sitting in the dock telling me to restart, I just don't want to ruin my uptime record.)

The problem is not limited to ftp. It is in the BSD Kernel - in the core of the OS - and you do need to restart it if you patch around it. on all systems. ftp is just the most exposed element that is the easiest to attack.
however, reasting it doesn't neccessarely heal the flaw, as the ftp daemon calls a system function that only activates after reboot.

It might all not be as bad if the patch only applies to a module, but you'll have to reaload this by hand, restart all services that access it - virtually all in this case... and still not know if you forget something.

just reboot, for safeties sake.