Apple Mac OS X ARDAgent Permissions and Service Control Vulnerability

Vulnerability ID: 1115480    Vulnerability type: Permissions and access control
Published: 2008-06-19    Updated: 2008-09-16
CVE ID: CVE-2008-2830    CNNVD-ID: CNNVD-200806-319
Platform: OSX    CVSS score: 7.2
|Vulnerability source
https://www.exploit-db.com/exploits/31940
https://www.securityfocus.com/bid/29831
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200806-319
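|Vulnerability details
Mac OS X is the operating system used on Apple's computers. A local attacker can invoke Mac OS X's ARDAgent through AppleScript (for example, osascript). ARDAgent is owned by root and has the setuid bit set, so an attacker can exploit this vulnerability to execute arbitrary shell commands with root privileges. The vulnerability is currently being actively exploited by a trojan named AppleScript.THT. Once a user is tricked into installing a malicious file carrying the trojan, the trojan enables file sharing, Web sharing and remote login. The trojan's default file name is AStht_06.app, and it is installed in /Library/Caches.
|Exploit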
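A defender-side check for the two conditions described above, as an added example that is not part of the original advisory: whether a given binary is a setuid file owned by root, and whether the trojan's default bundle name is present in its install directory. The path to the ARDAgent binary is not given on this page, so it is passed as an argument; the function names are illustrative.

```shell
#!/bin/sh
# Added audit example (not from the original advisory).
# Assumption: the caller supplies the path to the ARDAgent binary.

TROJAN_NAME="AStht_06.app"     # default trojan file name stated on the page
TROJAN_DIR="/Library/Caches"   # install location stated on the page

# Return 0 if $1 is a regular file with the setuid bit set, owned by $2 (default: root).
is_setuid_owned_by() {
    path=$1
    owner=${2:-root}
    [ -f "$path" ] || return 1
    # -perm -4000 matches when the setuid bit is set (BSD and GNU find).
    [ -n "$(find "$path" -prune -perm -4000 -user "$owner" 2>/dev/null)" ]
}

# Return 0 if the trojan's default bundle name exists in directory $1.
has_trojan_bundle() {
    dir=${1:-$TROJAN_DIR}
    [ -e "$dir/$TROJAN_NAME" ]
}

# Print one verdict per check; return 1 if anything was flagged.
audit() {
    agent=$1
    cache_dir=${2:-$TROJAN_DIR}
    rc=0
    if is_setuid_owned_by "$agent" root; then
        echo "EXPOSED: $agent is a setuid file owned by root"
        rc=1
    else
        echo "ok: $agent is not a setuid-root file"
    fi
    if has_trojan_bundle "$cache_dir"; then
        echo "FOUND: $cache_dir/$TROJAN_NAME"
        rc=1
    else
        echo "ok: no $TROJAN_NAME in $cache_dir"
    fi
    return $rc
}

# Run the audit only when a binary path is given on the command line.
if [ "$#" -ge 1 ]; then audit "$@"; fi
```

A non-zero exit status means at least one of the two conditions was found, which makes the script usable from a fleet-management or cron job.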
source: http://www.securityfocus.com/bid/29831/info

Mac OS X is prone to a local privilege-escalation vulnerability affecting ARDAgent (Apple Remote Desktop).

Successful exploits allow local attackers to execute arbitrary code with superuser privileges, completely compromising the affected computer.

This issue is confirmed to affect Mac OS X 10.5 versions; earlier versions may also be vulnerable. 

osascript -e 'tell app "ARDAgent" to do shell script "whoami"';
|Affected products
Apple Remote Desktop 3.2.1
Apple Mac OS X Server 10.5.4
Apple Mac OS X Server 10.5.3
Apple Mac OS X Server 10.5.2
Apple Mac OS X Server 10.5.1
Apple Mac OS X Server 10.4.
|References

Source: XF
Name: apple-macosx-ardagent-command-execution(43294)
Link: http://xforce.iss.net/xforce/xfdb/43294
Source: SECTRACK
Name: 1020345
Link: http://www.securitytracker.com/id?1020345
Source: BID
Name: 29831
Link: http://www.securityfocus.com/bid/29831
Source: VUPEN
Name: ADV-2008-1905
Link: http://www.frsirt.com/english/advisories/2008/1905/references
Source: SECUNIA
Name: 30776
Link: http://secunia.com/advisories/30776
Source: APPLE
Name: APPLE-SA-2008-07-31
Link: http://lists.apple.com/archives/security-announce//2008/Jul/msg00003.html
Source: APPLE
Name: APPLE-SA-2008-09-16
Link: http://lists.apple.com/archives/security-announce//2008//Sep/msg00006.html
Source: MISC
Link: http://it.slashdot.org/it/08/06/18/1919224.shtml