MAAS History
Disclaimer
exocrine exocrine

All information Provided as is.

Entries by Sean OConnell Public (117)

Friday
Aug302013

Condition Remains GREEN

A denial of service (DOS) condition exist within CoreTEXT API. When a specific combination of Unicode characters are loaded in an application, for example one based on WebKit, the application will crash. The combination impacts a host of applications on Mac OSX and iOS including Safari, Chrome, Twitter, Mail and TextEdit. (Any application dependent on CoreText API.)

Currently there is no exploit related to the crash. Each application handles the Text Encoding in Mac OSX, thus the settings are application dependent. You should only make changes if you encounter a DOS condition related to the character set. iOS7beta and Mavericks beta are not impacted.

Mitigation In Safari

  • Change the Text Encoding in Safari

Set View>Text Encoding to Western (Mac OS Roman) <@charset "macintosh"> if you encounter this error. The offending page wil then load. 

Mitigation In Text Edit

  • Change the Text Encoding in Text Edit if you encounter the error.

TextEdit>Preferences>Open and Save>Encoding>Mac OS Roman


Individuals are creating a DOS condition on sites by pasting the combination in to comments. Several providers have limited users from being able to post the combination including Facebook, Twitter and Google. iOS 7 Beta and Mac 10.9 Beta currently are unaffected
 

Friday
Aug302013

Condition Remains GREEN

Rapid7 has release a Vulnerability notice for CVE-2013-1775 which under specific conditions a user can gain super user using the "-k" option of the sudo command. There is little risk from this exploit, hence why Rapid7 released it. When using the sudo command there is a default time before the environment resets resulting in an authentication time out. You can adjust the defaults using visudo. You should always do basic computing as a non-administrator which limits the risk from this kind of privilege escalation. 

Summary of Conditions to be Effective

  • The user must be in the Administrator group, basically an administrator.
  • The user must have run the sudo command, in the /etc/sudoers file. (Note-group execution bit.)
  • sudo authentication must not have timed out. (Important for Servers with custom /etc/sudoers)
  • sudo -k option flaw reliant on settings in /etc/sudoers. 

Primary Mitigation For All Users

These trivial mitigation steps prevent changing the System Time thus making the vulnerability ineffective.

  • Make sure that "Set date and time automatically is on" in System Preferences>Date &Time. (Critical setting to mitigate.)
  • Make sure that "Require an administrator password to access locked preferences" in on in Security & Privacy>Advance. (Critical setting to mitigate.)
  • Make sure that system preference "Click lock.." is set to LOCK. (Critical setting to mitigate.)

 

Mitigation For Advanced Configurations 

These Mitigation methods can be useful for Sever Administrators in a complex server environment.

  • Do not do general computing as an administrator account. 
  • Make sure that "Set date and time automatically is on" in System Preferences>Date &Time. (Critical setting to mitigate.)
  • Make sure that "Require an administrator password to access locked preferences" in on in Security & Privacy>Advance. (Critical setting to mitigate.)
  • Make sure that system preference "Click lock.." is set to LOCK. (Critical setting to mitigate.)
  • You can alter sudo timeout using visudo, this long with a host of other setting . For example you can set the default sudo timeout (env_reset defaults) to 2 minutes using the "timestamp_timeout" variable. See man page for more options. (Advanced & Server users..)
  • Set Require password immediately. 
  • Enterprise users should audit privileges, set restrictions in /etc/sudoers, review group and user execution bits for critical files related to sudo.

  For more information visit the man page for sudo, visudo.