Re: Apple Remote Desktop root vulneravility

---

• From: Mike Kuriger <m@xxxxxx>
• Date: Wed, 20 Sep 2006 15:07:27 -0700

---

if I'm reading this right, it looks like a non-logged in workstation
could be vulnerable to a local root use if an admin is running an remote
install. so the "attacker" would have to know that a remote operation
is going on and the "attacker" would need physical access. or I may
just be reading this wrong.

~mike~


Yannick von Arx wrote:

It seems so that the attacker needs a ARD enabled user plus vnc
password to access the client.
Then he can send an install command over "Manage > Send UNIX Command"

We're talking about ARD 3.0 so we've got the new feature to lock
client's screen with a message.
From my point of view it's not a vulnerability in ARD, just an
insecure point.

Regards,
Yannick von Arx

On 19.09.2006, at 19:32, Erik Lat wrote:

So in order for this vulnerability to be exploited, the attacker needs
to have a local account on the machine correct? Your exploitation
explanation
is a bit construed. Any more info / demostrations would be helpful.

-Erik

On 18 Sep 2006 21:26:52 -0000
fribitch@xxxxxxxxxxx wrote:

Background:
ARD allows unix commands to be remotely sent from an admin
workstation. These commands can be run as root, because the ard
administrator can be given sudo access. This exploit involves
sending a unix command as root to install a package that was copied
to /tmp/. In this case, the app is Adobe CS 2.0 using the adobe
silent installation script. The script will mount disk images as
root, run the install, then cleanup. If a standard user is logged
in, they will see an icon on the dock for the install, but should
never see anything besides the icon.

The issue:
The process LoginWindow is owned by the logged in user. If the
system is at the login window, then the process LoginWindow is
owned by root. If the system is mounting a disk image visible only
to root, then the image will try to appear on the desktop. Clicking
the mouse will force the desktop to appear, as well as the menus. A
user sitting that the system will then see a finder window, and the
root users home directory. The login window can be ignored, and the
user has full root access. Files can be deleted without
authentication, and the trash can be emptied. If a user tries to
login, the login window will check their credentials, but they will
end up logging in to the root desktop with root privileges.

The workaround:
If you are trying to run a remote install script such as the Adobe
Silent installer, use the lock screen feature in ARD. This locks
the users desktop until the admin is done doing their thing.

The end result:
http://www.flickr.com/photos/metfoo/246858852/

Adobes script:
#!/bin/sh
#
# Example script to run the Adobe Creative Suite 2 Installer silently.
#
#
# Copyright: 2005 Adobe Systems, Inc.
#
#


function detach_images
{
# umount any previous mounted installer images
for NUMBER in 1 2 3 4
do
MOUNTED_POINT="/Volumes/Adobe Creative Suite Disk ${NUMBER} "
/sbin/mount |/usr/bin/grep "${MOUNTED_POINT}" 2>/dev/null
if [ $? -eq 0 ] ; then
echo "Another \"${MOUNT_POINT}\" already attached."
DEVICE=`/sbin/mount |/usr/bin/grep "${MOUNTED_POINT}"
2>/dev/ null |/usr/bin/cut -d" " -f1`
if [ -b "${DEVICE}" ] ; then
/usr/bin/hdiutil detach "${DEVICE}"
echo "Detaching \"${DEVICE}\"..."
fi
fi
done
}


SAVEDIR="`pwd`"
trap 'cd "${SAVEDIR}"' EXIT


if [ $# -ne 2 ] ; then
echo "usage: $0 <image folder> <config filepath>"
exit 1
fi

IMGDIR=$1
CONFIG=$2


# Check OS Version, Minimum is 10.2.8
OSVERSION=`/usr/bin/sw_vers |/usr/bin/grep ProductVersion |/usr/
bin/cut -d: -f2`
MAJORVER=`echo ${OSVERSION} | /usr/bin/cut -d . -f2`
MVTEMP=`echo ${OSVERSION} | /usr/bin/cut -d. -f3`
MINORVER=${MVTEMP:-0}

if [ ${MAJORVER} -lt 3 ] ; then
# if less then 10.3
if [ ${MAJORVER} -ne 2 ] ; then
echo "This version of MacOS (${OSVERSION}) is not
supported."
exit 1;
else
if [ ${MINORVER} -lt 8 ] ; then
echo "This version of MacOS (${OSVERSION}) is not
supported."
exit 1;
fi
fi
HDIUTIL_OPTIONS=
else
# additional hdiutil options for 10.3 or above system
HDIUTIL_OPTIONS="-private -noverify"
fi


# Check root volume is HFS
/sbin/mount -t hfs |/usr/bin/grep " / " 2>/dev/null
if [ $? -ne 0 ] ; then
echo "Root volume is not a HFS volume."
exit 5
fi

# validate the arguments
if [ ! -d "$IMGDIR" ] ; then
echo "$IMGDIR" does not exist.
exit 2
fi


if [ ! -r "$CONFIG" ] ; then
echo "$CONFIG" does not exist.
exit 3
fi


# Check running as root
MYUID=`/usr/bin/id -u`

if [ ${MYUID} -ne 0 ] ; then
echo "You need to be root to run the Adobe Creative Suite 2
Installer."
exit 4
fi


cd "${IMGDIR}"
IMGCOUNT=`/bin/ls -l *.dmg 2>/dev/null | /usr/bin/wc -l`
if [ -z "${IMGCOUNT}" -o "${IMGCOUNT}" = "0" ] ; then
echo "No disk image found in "${IMGDIR}"."
exit 2
fi

#detach any already attached installer images
detach_images

# Mount the disk images for the installer CDs
for DMG in *.dmg
do
# mount the remaining disk images
echo
echo "--- Attaching Installer disk image ${NUMBER}..."
echo /usr/bin/hdiutil attach -verbose -readonly $
{HDIUTIL_OPTIONS} "${DMG}"
/usr/bin/hdiutil attach -verbose -readonly ${HDIUTIL_OPTIONS} "$
{DMG}"

if [ $? -ne 0 ] ; then
echo "Error in attaching installer disk image: \"${DMG}\""
exit 6
fi
done

echo
echo
echo "---- Starting the Adobe Creative Suite Installer..."
echo
"/Volumes/Adobe Creative Suite Disk 1/Adobe Installer.app/Contents/
MacOS/Adobe Installer" --batch -c "${CONFIG}"
INSTALLATION_RESULT=$?
echo

#now detach attached installer images
detach_images

exit ${INSTALLATION_RESULT}

--

Erik Lat
System Engineer
Lextech Global Services

--
e-mail: yannick.vonarx@xxxxxxxx
web: http://www.yanux.ch

--
Mike Kuriger
Sr. Systems Engineer
WarnerBros Online
818-977-8198
m@xxxxxx
aim - mikekuriger

---

• References:
  • Apple Remote Desktop root vulneravility
    • From: fribitch
  • Re: Apple Remote Desktop root vulneravility
    • From: Erik Lat
  • Re: Apple Remote Desktop root vulneravility
    • From: Yannick von Arx

• Prev by Date: Backdooring MP3 files (plus QuickTime issues and Cross-context Scripting)
• Next by Date: "Buffer overflow" term considered overloaded
• Previous by thread: Re: Apple Remote Desktop root vulneravility
• Next by thread: Re: Re: Apple Remote Desktop root vulneravility
• Index(es):
  • Date
  • Thread

---

Relevant Pages [UNIX] Apple Remote Desktop Privilege Escalation ... These commands can be run as root, because the ard administrator can be ... installer, use the lock screen feature in ARD. ... trap 'cd "$"' EXIT ... echo "This version of MacOS is not supported." ... (Securiteam) RE: Location of web root ... Subject: Location of web root ... during install) pointing out that a Custom install will allow for a more ... in a different folder off C:. ... were the script kiddie, how would you exploit the machine. ... (Security-Basics) Re: Alerting - Malicious software removal tool ... >needed to install an application that she could not install from ... >"Administrator" account. ... You failed to analyze the root cause and correct it ... use their computers to have fun. ... (microsoft.public.security.virus) Re: Granting root access? ... Only use "root" when you really need to. ... before handing it to me for a system install. ... users within the corporate IT environment and help sysadmins keep things ... However, even there, "normal users" were allowed to ... (alt.os.linux.suse) Software-Raid1 Root in Woody ... This document briefly describes the steps needed to install a Debian ... Woody GNU/Linux system with root on a software raid1 device. ... I used SCSI disks because I had them easily available, ... I started from floppies (vanilla kernel) + network, ... (Debian-User)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(18)