Mac OS X root sliplogin permission error leads to root
Fixed: Mac OS X 10.1.4
Affected: Mac OS X 10.1.3 and prior
The problem lies in the file /usr/sbin/sliplogin (sliplogin) bundled with versions of Mac OS X prior to 10.1.4: the file is installed setuid root, and the program contains a buffer overflow. A non-administrative user who overflows the program can gain the permissions of the root user and take control of the system. The 10.1.4 system security update fixes this issue; if you have not yet updated, do so now.
A Unix-style exploit for the Macintosh! This is not the first one found, and every security update fixes many of these permission issues that lead to insecurity. The fix provided in this document is simple: one line typed into the console resolves the problem. If you have not yet updated Mac OS X to the current version, you may still be vulnerable. This bug was found in 10.1.3 and fixed in 10.1.4.
Even if you have never logged into your console/terminal before and only use the graphical interface, take a few minutes to educate yourself on this process and fix the problem.
What is sliplogin?
"Sliplogin is used to turn the terminal line on standard input into a Serial Line IP (aka SLIP) link to a remote host." (from the man page). sliplogin is bundled with Mac OS X and can be run from the console command line.
Mac OS X systems prior to Mac OS X 10.1.4 are vulnerable to the security issue described below.
[localhost:~] duke_fsc% ls -al /usr/sbin/sliplogin
-r-sr-xr-x 1 root wheel 14700 Dec 8 10:49 /usr/sbin/sliplogin
[localhost:~] duke_fsc% sliplogin `perl -e 'print "A" x 9000'`
[localhost:~] duke_fsc% uname -a
Darwin localhost 5.3 Darwin Kernel Version 5.3: Thu Jan 24 22:06:02 PST
2002; root:xnu/xnu-201.19.obj~1/RELEASE_PPC Power Macintosh powerpc
[localhost:~] duke_fsc% id
uid=501(duke_fsc) gid=20(staff) groups=20(staff), 0(wheel), 80(admin)
As the root user, you can type the following command to fix the problem, or install the security/system software update to resolve the issue. Apple quickly and quietly fixed this issue for their customers:
chmod 0555 /usr/sbin/sliplogin
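The chmod above clears the setuid bit shown in the ls listing (-r-sr-xr-x becomes -r-xr-xr-x). The following script is an added example, not part of the original advisory: it checks whether a file is still setuid, applies the same chmod 0555 and verifies the result, and goes one step further by listing other setuid files under a directory for review. The function names and the TARGET variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a binary for the setuid bit
# and apply the advisory's "chmod 0555" fix, verifying the result.
# Function names and the TARGET variable are hypothetical.

# Numeric uid of the file's owner (third column of "ls -ln").
owner_uid() {
    ls -lnd -- "$1" | awk 'NR == 1 { print $3 }'
}

# Print one status word for FILE:
#   missing | ok | setuid-root | setuid-nonroot
audit_setuid() {
    if [ ! -f "$1" ]; then
        echo missing
    elif [ ! -u "$1" ]; then
        echo ok
    elif [ "$(owner_uid "$1")" = 0 ]; then
        echo setuid-root
    else
        echo setuid-nonroot
    fi
}

# Apply the advisory's fix, then confirm the setuid bit is really gone.
strip_setuid() {
    chmod 0555 "$1" || return 1
    [ "$(audit_setuid "$1")" = ok ]
}

# List every setuid regular file under DIR, one path per line, so other
# binaries carrying the same permission can be reviewed.
list_setuid() {
    find "$1" -type f -perm -4000 -print 2>/dev/null
}

# Default target is the path named in the advisory; override with TARGET=...
TARGET=${TARGET:-/usr/sbin/sliplogin}
echo "$TARGET: $(audit_setuid "$TARGET")"
```

Run strip_setuid as root on an affected system; list_setuid /usr/sbin shows which other binaries are installed setuid.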