14th Apr 2003 [SBWID-6147]
COMMAND
	DirectoryService privilege escalation and DoS attack
SYSTEMS AFFECTED
	MacOS X (10.2.4 and below)
PROBLEM
	In @stake advisory a041003-1 [http://www.atstake.com], Dave G. reported
	the following:
	 Overview
	 ========
	DirectoryServices is part of the MacOS X information and authentication
	subsystem. It is launched at startup, setuid root and installed by
	default. It is vulnerable to several attacks ultimately allowing a
	local user to obtain root privileges.
	 Details
	 =======
	During the startup of DirectoryService, the application creates a lock
	file by executing the touch(1) UNIX command. It executes touch through
	the system() libc function. This function is inherently insecure and
	its use is strongly discouraged in privileged applications.
	Since this call to system() does not specify a full path to the
	touch(1) command, it is possible for an attacker to modify the PATH
	environment variable to specify a directory containing her own version
	of the touch(1) command. In this instance, this would cause
	DirectoryService to execute arbitrary commands as root.
	In order for an attacker to exploit this vulnerability, they must first
	cause DirectoryServices to terminate. This can be done by simply
	connecting to port 625 repeatedly using an automated program.
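	The following C is an added illustration for this advisory, not code from
	@stake or from Apple's DirectoryService. It reconstructs the weak pattern
	described above (a privileged program creating its lock file via
	system("touch ...")) beside the form a reviewer would expect instead:
	creating the file directly with open(2) so no shell and no PATH lookup
	are involved, and, where a helper must be spawned at all, using execve(2)
	with an absolute path and a fixed environment rather than the inherited
	one. The lock path under /tmp, the helper paths and the PATH value in the
	clean environment are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Weak pattern described in the advisory (illustrative reconstruction, not
 * DirectoryService's actual source): the lock file is created by handing a
 * shell command to system().  system() runs /bin/sh -c, and a bare "touch"
 * is resolved through whatever PATH the process inherited, so a setuid-root
 * caller ends up trusting an environment variable the invoking user controls. */
int create_lock_unsafe(const char *path)
{
    char cmd[4096];
    snprintf(cmd, sizeof cmd, "touch %s", path);  /* path also reaches the shell unquoted */
    return system(cmd);
}

/* Hardened replacement: no shell, no PATH lookup, no external binary.
 * O_EXCL refuses to clobber an existing lock; O_NOFOLLOW refuses to follow a
 * symlink planted at the lock path.  Returns 0 on success, -1 with errno set. */
int create_lock_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* If a privileged program must spawn a helper at all: require an absolute
 * path, bypass the shell with execve(), and pass a fixed minimal environment
 * instead of the inherited one.  Returns the child's exit status, or -1. */
int spawn_with_clean_env(const char *abs_path, char *const argv[])
{
    if (abs_path == NULL || abs_path[0] != '/') {
        errno = EINVAL;
        return -1;
    }
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };  /* constructed, not inherited */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, envp);
        _exit(127);  /* exec failed: never fall back to a PATH search */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Exercise the safe lock: create it, verify it is a regular file, confirm a
 * second creation is refused with EEXIST, then clean up.  0 means all good. */
int lock_cycle_demo(const char *path)
{
    struct stat st;
    unlink(path);  /* start from a clean slate; ENOENT here is fine */
    if (create_lock_safe(path) != 0)
        return -1;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return -2;
    if (create_lock_safe(path) == 0 || errno != EEXIST)
        return -3;
    unlink(path);
    return 0;
}

/* Spawn a helper through a deliberately non-existent absolute path (a
 * constructed value): the call must fail with 127, not hunt through PATH. */
int spawn_missing_helper_demo(void)
{
    char *const argv[] = { "touch", "/tmp/sbwid6147_never_created", NULL };
    return spawn_with_clean_env("/nonexistent/bin/touch", argv);
}

int main(void)
{
    printf("lock cycle: %d\n", lock_cycle_demo("/tmp/sbwid6147_example.lock"));
    printf("missing helper exit: %d\n", spawn_missing_helper_demo());
    char *const argv[] = { "touch", "/tmp/sbwid6147_example.lock", NULL };
    printf("relative path rejected: %d\n", spawn_with_clean_env("touch", argv));
    return 0;
}
```

	The unsafe variant is kept only for comparison and is never called; the
	point of create_lock_safe() is that the kernel creates the file directly,
	so there is no command name for an attacker-controlled PATH to resolve.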
SOLUTION
	 Vendor Response
	 ===============
	Directory Services: Fixes CAN-2003-0171 DirectoryServices Privilege
	Escalation and DoS Attack. DirectoryService is part of the Mac OS X and
	Mac OS X Server information services subsystem. It is launched at
	startup, setuid root and installed by default. It is possible for a
	local attacker to modify an environment variable that would allow the
	execution of arbitrary commands as root. Credit to Dave G. from @stake,
	Inc. for the discovery of this vulnerability.
	 @stake Recommendation
	 =====================
	@stake recommends that users upgrade to Mac OS X 10.2.5.
	 Common Vulnerabilities and Exposures (CVE) Information
	 ======================================================
	The Common Vulnerabilities and Exposures (CVE) project has assigned the
	following names to these issues. These are candidates for inclusion in
	the CVE list (http://cve.mitre.org), which standardizes names for
	security problems.
	
	  CAN-2003-0171  Directory Services Privilege Escalation and DoS
	                 Attack