06 January 2007

MoAB Day 5 Fix Script

The fix for day 5’s bug sadly can’t be effected through runtime patching alone. It requires changing the on-disk permissions of a number of files and directories that are vulnerable to being edited by default. I’m providing scripts you can run in Terminal.app to change these permissions to safe values.

You can run these scripts in Terminal.app as root using sudo:
sudo /usr/bin/python bom-safety.py

It’ll print a message when it is done or if it encounters a problem.

Finlay Dobbie pointed out that certain Apple installers like X11.app or XCode Tools may change these permissions back to vulnerable values again.

In order to re-run the bom-safety script you must rename the backup it creates at /Library/Receipts/BaseSystem.pkg/Contents/Archive.bom.orig.

The script does the following:

  • Set the sticky bit on /Library/Receipts

  • Set the sticky bit on the paths down to each of the critical BOMs

  • Unset the group-write bit on the critical BOMs

  • Create root-owned 0-length place holders for critical BOMs/paths
    that don’t exist

  • Backup /Library/Receipts/BaseSystem.pkg/Contents/Archive.bom

  • Make a 1-bit change to the
    /Library/Receipts/BaseSystem.pkg/Contents/Archive.bom file that causes
    repair permissions to keep the sticky bit set on /Library/Receipts
    rather than removing it.

  • Print a completed message
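As an added example (not the bom-safety.py script linked from this post, which is not reproduced here), the following Python carries out the steps listed above against a receipts directory passed in as a parameter, and pairs them with an audit function that reports the conditions the fix exists to remove: missing sticky bits on the receipts tree, and critical BOMs that are group-writable or absent. The list of critical BOMs is an assumption: the post names only BaseSystem.pkg, and the second entry stands in for the others. Placeholders are chowned to root only when the script is itself run as root; the 1-bit edit to Archive.bom is left out because the post does not describe the BOM format. The demo() function builds a constructed, deliberately misconfigured tree under a temporary directory so nothing under /Library is touched.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Constructed list of critical BOMs, relative to the receipts directory.
# The post names only BaseSystem.pkg; the second entry is an assumption
# standing in for the other packages the real script covers.
CRITICAL_BOMS = (
    "BaseSystem.pkg/Contents/Archive.bom",
    "ExamplePackage.pkg/Contents/Archive.bom",
)
BACKUP_NAME = "Archive.bom.orig"

def _mode(path: Path) -> int:
    # Permission bits only, without the file-type bits.
    return stat.S_IMODE(path.lstat().st_mode)

def _dirs_down_to(receipts: Path, bom: Path):
    # Each directory below receipts on the way down to bom's parent.
    current = receipts
    for part in bom.relative_to(receipts).parts[:-1]:
        current = current / part
        yield current

def _own_by_root(path: Path) -> None:
    if os.geteuid() == 0:          # chown only succeeds as root
        os.chown(path, 0, 0)

def audit(receipts: Path) -> list:
    """Report what the fix removes: directories on the receipts tree without
    the sticky bit, and critical BOMs that are group-writable or absent."""
    findings = []
    if not _mode(receipts) & stat.S_ISVTX:
        findings.append(f"{receipts}: sticky bit not set")
    for rel in CRITICAL_BOMS:
        bom = receipts / rel
        for d in _dirs_down_to(receipts, bom):
            if not d.is_dir():
                findings.append(f"{d}: missing")
                break
            if not _mode(d) & stat.S_ISVTX:
                findings.append(f"{d}: sticky bit not set")
        if not bom.exists():
            findings.append(f"{bom}: missing")
        elif _mode(bom) & stat.S_IWGRP:
            findings.append(f"{bom}: group-writable")
    return findings

def harden(receipts: Path) -> Path:
    """Apply the post's steps in order; return the backup path. Refuses to
    run while Archive.bom.orig exists, which is the post's re-run rule."""
    base_bom = receipts / CRITICAL_BOMS[0]
    backup = base_bom.with_name(BACKUP_NAME)
    if backup.exists():
        raise RuntimeError(f"{backup} exists; rename it before re-running")
    os.chmod(receipts, _mode(receipts) | stat.S_ISVTX)          # step 1
    for rel in CRITICAL_BOMS:
        bom = receipts / rel
        for d in _dirs_down_to(receipts, bom):                   # steps 2, 4
            if not d.exists():
                d.mkdir(mode=0o755)
                _own_by_root(d)
            os.chmod(d, _mode(d) | stat.S_ISVTX)
        if not bom.exists():                                     # step 4
            bom.touch(mode=0o644)
            _own_by_root(bom)
        os.chmod(bom, _mode(bom) & ~stat.S_IWGRP)                # step 3
    shutil.copy2(base_bom, backup)                               # step 5
    # Step 6 (the 1-bit Archive.bom edit) needs BOM internals the post omits.
    return backup

def demo() -> dict:
    """Constructed vulnerable receipts tree in a temp dir (no real system
    path is touched): audit it, harden it, audit again, then try a re-run."""
    receipts = Path(tempfile.mkdtemp(prefix="receipts-demo-")) / "Receipts"
    receipts.mkdir()
    os.chmod(receipts, 0o775)                  # group-writable, no sticky bit
    base = receipts / CRITICAL_BOMS[0]
    base.parent.mkdir(parents=True)
    base.write_bytes(b"BOMStore")              # constructed stand-in content
    os.chmod(base, 0o664)                      # group-writable BOM
    before = audit(receipts)
    backup = harden(receipts)
    after = audit(receipts)
    try:
        harden(receipts)
        rerun_refused = False
    except RuntimeError:
        rerun_refused = True
    placeholder = receipts / CRITICAL_BOMS[1]
    result = dict(before=before, after=after, rerun_refused=rerun_refused,
                  backup_ok=backup.read_bytes() == b"BOMStore",
                  placeholder_size=placeholder.stat().st_size)
    shutil.rmtree(receipts.parent)
    return result
```

Running audit() on its own is the check worth keeping around after the fix: Finlay’s point above about Apple installers means the safe state can silently revert, and a periodic audit of /Library/Receipts reports the regression before it matters.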

As always, you shouldn’t run code unless you can understand it yourself, trust someone who understands it, or trust the author of the code. For those wondering if I actually wrote the code downloadable above, I am providing GPG signatures above for your review. Ironically, the currently available GnuPG for Mac has had a code execution security hole since early December. I’m building new universal binaries of GPG now and will post them later today.

