Date: 16 March 2004
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2004.0210 -- Macromedia Security Bulletin
Potential Security Risk with Macromedia E-Licensing Client Activation Code
16 March 2004
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: All Macromedia MX 2004 products
Contribute 2
Publisher: Macromedia
Operating System: Mac OS X
Impact: Increased Privileges
Access Required: Existing Account
- --------------------------BEGIN INCLUDED TEXT--------------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Security Bulletin:
Potential Security Risk with Macromedia E-Licensing Client
Activation Code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Summary:
Macintosh versions of the Macromedia installers and
e-licensing client install a service whose file permissions
allow "other" users to write to the file. This may allow one
local user to obtain the permissions of another local user
(including an admin user). This leads to a threat typically
classified as Privilege Escalation.
This potential vulnerability affects only products installed
on machines with multiple users. Further, it does not appear
to be a threat under typical installation of Macromedia
products where the computer's only user is already considered
the administrator.
~~~~~~~
Solution:
A patch can be downloaded from the Macromedia website to
protect users of current versions of Macromedia products:
http://www.macromedia.com/go/DMJL_AAAZ
Alternatively, a work-around is described in the "Making
the Changes" section of this bulletin.
~~~~~~~
Affected Software Versions:
All supported Macintosh versions of Macromedia MX 2004
products as well as Contribute 2 may be affected.
~~~~~~~
Severity Rating:
Macromedia categorizes this issue as a Moderate update
(see http://www.macromedia.com/go/DMJL_AABA) and recommends
that administrators of systems supporting multiple users
apply the patch located at:
http://www.macromedia.com/go/DMJL_AABB
~~~~~~~
Details:
Macintosh OS X versions of the Macromedia installers and
e-licensing client install the 'AuthenticationService'
as an SUID service whose file permissions allow "other"
users to write to the file. By default, these permissions
allow the code in the service to be changed by any local
user. In the event of modification by any non-admin user,
the operating system removes the SUID property.
The current behavior of Macromedia products using this
service mitigates all known attack vectors. All current
Macromedia products detect the file change, refuse to
execute the modified service, and reinstall the original,
unmodified binary. Therefore, a successful exploitation
requires the attacker to cause another user to execute
the service independent of any Macromedia product.
If the AuthenticationService file is manually deleted, a
reapplication of the patch may be required.
~~~~~~~
Making the Changes:
With an admin account and password, permissions on the
file can be manually changed to resolve this problem.
Activate a Terminal session and type in the following
command.
sudo chmod 4775 "/Library/Application Support/Macrovision/
AuthenticationService"
Enter your admin user password at the prompt and then
the command will run and set the permissions on the file.
NOTE: Back up your existing files before making changes.
As always, test the changes in a nonproduction environment
before applying the changes to production servers.
~~~~~~~
Acknowledgements:
Macromedia would like to thank Chris Irvine of Dark Horse
Comics, Inc. for reporting this vulnerability and for
working with us to help protect our customers' security.
~~~~~~~
Reporting Security Issues:
Macromedia is committed to addressing security issues and
providing customers with the information on how they can
protect themselves. If you identify what you believe may
be a security issue with a Macromedia product, please
send an e-mail to secure@macromedia.com. We will work to
appropriately address and communicate the issue.
~~~~~~~
Receiving Security Bulletins:
When Macromedia becomes aware of a security issue that we
believe significantly affects our products or customers,
we will notify customers when appropriate. Typically this
notification will be in the form of a security bulletin
explaining the issue and the response. Macromedia customers
who would like to receive notification of new security
bulletins when they are released can sign up for our
security notification service.
For additional information on security issues at Macromedia,
please visit:
http://www.macromedia.com/security.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ANY INFORMATION, PATCHES, DOWNLOADS, WORKAROUNDS OR FIXES
PROVIDED BY MACROMEDIA IN THIS BULLETIN ARE PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MACROMEDIA AND ITS SUPPLIERS
DISCLAIM ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED OR
OTHERWISE, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. ALSO, THERE IS NO WARRANTY
OF NON-INFRINGEMENT, TITLE OR QUIET ENJOYMENT. (USA ONLY)
SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES,
SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU.
IN NO EVENT SHALL MACROMEDIA, INC. OR ITS SUPPLIERS BE LIABLE
FOR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION,
DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE,
COVER, LOSS OF PROFITS, BUSINESS INTERRUPTION OR THE LIKE, OR
LOSS OF BUSINESS DAMAGES, BASED ON ANY THEORY OF LIABILITY
INCLUDING BREACH OF CONTRACT, BREACH OF WARRANTY, TORT
(INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, EVEN
IF MACROMEDIA, INC. OR ITS SUPPLIERS OR THEIR REPRESENTATIVES
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. (USA
ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF
LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE
EXCLUSION OR LIMITATION MAY NOT APPLY TO YOU AND YOU MAY ALSO
HAVE OTHER LEGAL RIGHTS THAT VARY FROM STATE TO STATE.
Macromedia reserves the right, from time to time, to update
the information in this document with current information.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call after hours
for member emergencies only.
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBQFZHnih9+71yA2DNAQIBkQP+NTm/JsV3rPDjJ3QK8WOOAErt2V4smDhq
1u4u+q+xLR9SKP1i9vtMiVG+cROaU3WT6i6zkz6F5sR8R4jT40JSxI5vN0PRBZDs
TgyT0LZJi5fA2jbXrdTU4wolBKPjlAcrVbuDq+myVFbCBdEOdoXz06N+S9YLPaU/
8398Lhm3w6g=
=ig7F
-----END PGP SIGNATURE-----
|