Looks like the patch might not actually address the DNS vulnerability after all.
Original post:
If you or your customers are on Macs, it's time to apply the latest Security Update 2008-005, which addresses the DNS vulnerability as well as the AppleScript vulnerability that lets local users easily get root.
The update requires a reboot.
From Apple's article, it looks like BIND has been patched on Mac OS X 10.4.11 and 10.5.4, in both client and server versions. BIND is not enabled by default.
I also tested the AppleScript "exploit" after the update.
$ uname -a
Darwin mymac.local 9.4.0 Darwin Kernel Version 9.4.0: Mon Jun 9 19:30:53 PDT 2008; root:xnu-1228.5.20~1/RELEASE_I386 i386 i386
$ ls -l /var/root/
ls: : Permission denied
$ sudo -s
Password:
# ls -l /var/root/
total 16
-rw-r--r-- 1 root wheel 3 Jun 2 00:07 .CFUserTextEncoding
-r--r--r-- 1 root wheel 10 Sep 23 2007 .forward
# exit
$ osascript -e 'tell app "ARDAgent" to do shell script "whoami"';
23:47: execution error: ARDAgent got an error: "whoami" doesn’t understand the do shell script message. (-1708)
$ osascript -e 'tell app "ARDAgent" to do shell script "ls -l /var/root"';
23:56: execution error: ARDAgent got an error: "ls -l /var/root" doesn’t understand the do shell script message. (-1708)
It's great to see that ARDAgent no longer happily runs whatever you throw at it as root.




