
MS Office exploit that targets MacOS X seen in the wild - cooldeal
http://labs.alienvault.com/labs/index.php/2012/ms-office-exploit-that-targets-macos-x-seen-in-the-wild-delivers-mac-control-rat/
======
lloeki
> An attacker could then install programs; view, change, or delete data; or
> create new accounts with full user rights. Users whose accounts are
> configured to have fewer user rights on the system could be less impacted
> than users who operate with administrative user rights.

I don't quite understand this. From the article it looks like the trojan
escapes the word document to execution realm through your typical
vulnerability. Fair enough. But so far it looks like it only has rights
corresponding to the user.

So as far as I understand it, this needs a privilege escalation vulnerability
to 'take complete control' and 'create new accounts'.

It seems to copy itself to /Library/launched though, which here is

    drwr-xr-x+ 65 root wheel 2210 Feb  2 14:45 /Library

So it looks like it's going root at some point, but it's not described in the
document. But since it has root, why would 'Users whose accounts are
configured to have fewer user rights on the system could be less impacted than
users who operate with administrative user rights'?

~~~
davidwtbuxton
You are most likely running 10.7 and it was installed clean. Previous versions
of Mac OS X made that directory group-writeable by default (and 10.7 upgraded
from a previous system will keep the old permissions).

Here's the line for 10.6:

    drwxrwxr-t+ 61 root  admin      2074  3 Nov 18:12 /Library
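The exchange above turns on one detail: on older Mac OS X installs /Library was group-writable by the admin group, so any process running as an admin user could drop files there without ever becoming root. As an added example (not from the thread or the AlienVault article), the POSIX shell below parses ls -l style mode strings and reports which directories a non-owner could write into; the sample lines are constructed from the permissions pasted in the comments, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example: flag directories writable by group or others from ls -l output.
# Sample input constructed from the mode strings quoted in the thread above.
LS_LINES='drwxr-xr-x+ 65 root wheel 2210 Feb  2 14:45 /Library
drwxrwxr-t+ 61 root  admin      2074  3 Nov 18:12 /Library
drwxr-xr-x+ 69 root  wheel      2346 Feb 29 12:14 Library'

# mode_risk MODE
# Prints one of: owner-only, group-writable, world-writable, group+world-writable.
# Only the classic rwx bits are inspected; a trailing "+" means an ACL is also
# present (see "ls -le" on macOS), which can grant more than the bits show.
mode_risk() {
    mode=$1
    g=$(printf '%s' "$mode" | cut -c6)   # group write bit
    o=$(printf '%s' "$mode" | cut -c9)   # others write bit
    case "$g$o" in
        ww) echo "group+world-writable" ;;
        w?) echo "group-writable" ;;
        ?w) echo "world-writable" ;;
        *)  echo "owner-only" ;;
    esac
}

# report_line "LS_LINE"
# Splits one ls -l line on whitespace (mode links owner group size d m t path)
# and prints "<path>: <risk> (group <group>)".
report_line() {
    set -- $1
    mode=$1
    group=$4
    path=$9
    echo "$path: $(mode_risk "$mode") (group $group)"
}

# check_dir PATH
# Same report for a live directory on the current machine (ls -ld is portable
# between the macOS and GNU ls output shapes used above).
check_dir() {
    report_line "$(ls -ld "$1")"
}

# Run over the constructed sample lines.
printf '%s\n' "$LS_LINES" | while IFS= read -r line; do
    report_line "$line"
done
```

On the 10.6 line the group is admin and the group write bit is set, so any admin-group user (the default account type on a fresh install of that era) can create entries directly under /Library; on the clean 10.7 lines the group is wheel and the bit is clear, which is why the first commenter could not see how the malware got there without root. Run `check_dir /Library` on a real machine to get the same verdict for that system.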

~~~
dubya
The system I'm on now was upgraded to 10.7 from 10.6 recently and has

    drwxr-xr-x+ 69 root  wheel      2346 Feb 29 12:14 Library

~~~
davidwtbuxton
Interesting, it could be my 10.6 system was an upgrade from 10.5. Might have
to boot my PowerPC MacMini and see what it says...

------
rbarooah
This is why we need sandboxing on the mac. I wonder whether there are
particular barriers for Microsoft to add that sooner rather than later?

------
a2tech
Who else is with me on this? Fucking MS Office.

