CVE-2003-0171
Description
DirectoryServices in MacOS X trusts the PATH environment variable to locate and execute the touch command, which allows local users to execute arbitrary commands by modifying the PATH to point to a directory containing a malicious touch program.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:o:apple:mac_os_x:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.0.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.0.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.0.3:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.0.4:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.1.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.1.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.1.3:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.1.4:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.1.5:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.2.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.2.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.2.3:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:10.2.4:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x_server:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x_server:10.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x_server:10.2.1:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x_server:10.2.2:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x_server:10.2.3:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x_server:10.2.4:*:*:*:*:*:*:*
Patches
Vulnerability mechanics
Root cause
"The DirectoryService component in MacOS X trusts the PATH environment variable to locate the touch command."
Attack vector
A local user can exploit this vulnerability by modifying the PATH environment variable to include a directory containing a malicious program named 'touch'. When DirectoryService is executed, it will search the modified PATH and execute the malicious 'touch' program instead of the legitimate one. This allows the attacker to execute arbitrary commands with elevated privileges, as demonstrated by the exploit code which sets the effective user ID to root and executes a shell [ref_id=1].
Affected code
The vulnerability lies within the DirectoryService component of MacOS X. Specifically, the code relies on the PATH environment variable to locate and execute the 'touch' command. The provided exploit code demonstrates modifying the PATH and then executing DirectoryService, which in turn leads to the execution of a custom 'touch' program [ref_id=1].
What the fix does
The advisory does not specify a patch or provide details on how the vulnerability was fixed. However, the general recommendation for such vulnerabilities is to ensure that programs are executed using their absolute paths or to sanitize the PATH environment variable before executing external commands.
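The general recommendation above, as an added C example (not code from the advisory, from Apple, or from DirectoryService): a privileged helper runs touch through an absolute path with a fixed environment, so the caller's PATH is never searched. The function names and the list of trusted locations are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed locations of the real touch binary. They are compiled in and
 * never taken from the environment. */
static const char *const TRUSTED_TOUCH[] = { "/usr/bin/touch", "/bin/touch", NULL };

/* Return the first trusted absolute path that is executable, or NULL. */
const char *trusted_touch_path(void) {
    for (size_t i = 0; TRUSTED_TOUCH[i] != NULL; i++)
        if (access(TRUSTED_TOUCH[i], X_OK) == 0)
            return TRUSTED_TOUCH[i];
    return NULL;
}

/* Run touch on `file` without consulting the caller's PATH.
 * Returns the child's exit status, or -1 if it could not be run. */
int run_touch_hardened(const char *file) {
    const char *bin = trusted_touch_path();
    if (bin == NULL)
        return -1;
    /* Fixed, minimal environment: nothing is inherited from the caller. */
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    /* "--" stops option parsing, so a name starting with '-' stays a file. */
    char *const argv[] = { "touch", "--", (char *)file, NULL };

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(bin, argv, envp);  /* absolute path: no PATH search happens */
        _exit(127);               /* reached only if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s FILE\n", argv[0]); return EXIT_FAILURE; }
    return run_touch_hardened(argv[1]) == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

By contrast, system("touch ...") or execvp("touch", ...) resolves the name through whatever PATH the invoking user supplied, which is the trust this CVE describes.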
Preconditions
- input: The attacker must have local access to the affected system.
- input: The DirectoryService must be in a state where it can be executed or is being executed by a privileged user.
Reproduction
Assuming DirectoryService has been crashed/killed, compile this code as 'touch' (gcc osxds.c -o touch) and execute.

bash$ ./touch
*bunch of stuff here*
euid is root.
bash#
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.