Mac OS X FileVault Plaintext Password Logging

2012-05-14T00:00:00
ID MACOSX_FILEVAULT_LOG_INFO_LEAK.NASL
Type nessus
Reporter Tenable
Modified 2018-07-14T00:00:00

Description

Plaintext passwords were discovered in a system log file. Mac OS X Lion release 10.7.3 enabled a debug logging feature that causes plaintext passwords to be logged to /var/log/secure.log on systems that use certain FileVault configurations. A local attacker in the admin group or an attacker with physical access to the host could exploit this to get user passwords, which could be used to gain access to encrypted partitions.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");


# Registration branch: taken when 'description' is set. It records the plugin's
# metadata and ends with exit(0), so the detection code below does not run here.
if (description)
{
  # Plugin identity and revision.
  script_id(59090);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2018/07/14");

  # External vulnerability references.
  script_cve_id("CVE-2012-0652");
  script_bugtraq_id(53402);

  script_name(english:"Mac OS X FileVault Plaintext Password Logging");
  script_summary(english:"Checks secure.log files for plaintext passwords");

  # Text shown to the person reading the scan results.
  script_set_attribute(attribute:"synopsis", value:"The remote Mac OS X host logs passwords in plaintext.");
  script_set_attribute(attribute:"description", value:
"Plaintext passwords were discovered in a system log file.  Mac OS X
Lion release 10.7.3 enabled a debug logging feature that causes
plaintext passwords to be logged to /var/log/secure.log on systems
that use certain FileVault configurations.  A local attacker in the
admin group or an attacker with physical access to the host could
exploit this to get user passwords, which could be used to gain access
to encrypted partitions.");
  script_set_attribute(attribute:"see_also", value:"https://discussions.apple.com/thread/3715366");
  script_set_attribute(attribute:"see_also", value:"https://discussions.apple.com/thread/3872437");
  script_set_attribute(attribute:"see_also", value:"http://cryptome.org/2012/05/apple-filevault-hole.htm");
  script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT5281");
  script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/TS4272");
  # Remediation has two parts: the OS upgrade and removal of the logs already written.
  script_set_attribute(attribute:"solution", value:
"Upgrade to Mac OS X 10.7.4 or later and securely remove log files
that contain plaintext passwords (refer to article TS4272).");

  # Scoring: local access vector, partial confidentiality impact, no integrity
  # or availability impact (CVSS v2).
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # Timeline of disclosure, vendor patch and plugin release.
  script_set_attribute(attribute:"vuln_publication_date", value:"2012/02/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/05/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/05/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");

  # Prerequisites: ssh_get_info.nasl must have run, and both KB keys must exist.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("ssh_func.inc");
include("macosx_func.inc");
include("audit.inc");


# Turn the SSH wrappers on only when the SSH library reports that it supports
# running commands; otherwise turn them off explicitly.
if (sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)
{
  enable_ssh_wrappers();
}
else
{
  disable_ssh_wrappers();
}

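# Both KB items must be present; the first is fetched only for that check,
# the second supplies the OS version string.
get_kb_item_or_exit("Host/local_checks_enabled");
ver = get_kb_item_or_exit("Host/MacOSX/Version");

# Reduce the KB value to its first run of digits and dots. Stop here if there
# is none, rather than handing a NULL version to ver_compare() below.
match = eregmatch(string:ver, pattern:'([0-9.]+)');
if (isnull(match))
  exit(1, 'Failed to extract a version number from "' + ver + '".');
ver = match[1];

# The vulnerability was introduced in 10.7.3, so earlier releases are skipped.
# NOTE(review): there is no upper bound. That looks deliberate, since the
# solution text asks for old log files to be removed even after upgrading to
# 10.7.4, which implies the logged passwords outlive the upgrade - confirm.
if (ver_compare(ver:ver, fix:'10.7.3', strict:FALSE) < 0)
  audit(AUDIT_HOST_NOT, 'Mac OS X >= 10.7.3');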

# Search secure.log and every file matching secure.log* for the debug-log
# entries that carry a password field; stderr is discarded. The command is a
# fixed string: nothing read from the host or from the KB is interpolated.
# The matching lines are returned to this script as-is, i.e. with whatever
# passwords they contain still in clear text, and are masked only later when
# the report is built.
cmd = "/usr/bin/bzgrep ': DEBUGLOG |.*, password[^ ]* =' /var/log/secure.log* 2> /dev/null";
output = exec_cmd(cmd:cmd);

# No output means no matching log entries: report the host as not affected.
if (!strlen(output))
{
  audit(AUDIT_HOST_NOT, 'affected');
}

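# Maps each username found in the log output to a masked form of its password.
# A later entry for the same user overwrites an earlier one.
credentials = make_array();

foreach line (split(output, sep:'\n', keep:FALSE))
{
  # Only the part of the line from ' | about to call ' onwards is parsed;
  # lines without that marker carry nothing this loop can use.
  logdata = strstr(line, ' | about to call ');
  if (isnull(logdata)) continue;

  # this might be asking for trouble because it's unclear how the logger handles things like passwords with ', '
  # in them. at worst, all that should happen is the last character of the password will be reported incorrectly
  fields = split(logdata, sep:', ', keep:FALSE);
  user = NULL;
  pass = NULL;

  foreach field (fields)
  {
    # The account is taken from a 'name = ...' field or, failing that, from
    # the first path component after '= /Users/'.
    usermatch = eregmatch(string:field, pattern:'name = (.+)');
    if (isnull(usermatch))
      usermatch = eregmatch(string:field, pattern:'= /Users/([^/]+)');
    if (!isnull(usermatch))
      user = usermatch[1];

    passmatch = eregmatch(string:field, pattern:'password(AsUTF8String)? = (.+)');
    if (!isnull(passmatch))
    {
      secret = passmatch[2];

      # Mask before the value goes anywhere near the report. The first and
      # last characters are kept as a hint only when they make up at most half
      # of the password; a one- or two-character password would otherwise be
      # reported in full, so shorter values are masked completely.
      if (strlen(secret) >= 4)
        pass = secret[0] + '******' + secret[strlen(secret) - 1];
      else
        pass = '******';

      # Drop the clear-text copy once the masked form exists.
      secret = NULL;
    }
  }

  # Record the entry only when both a username and a password were found.
  if (!isnull(user) && !isnull(pass))
    credentials[user] = pass;
}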

# Log lines matched, but none yielded a username together with a password.
found_users = keys(credentials);
if (max_index(found_users) == 0)
{
  audit(AUDIT_HOST_NOT, 'affected');
}

# The report quotes the exact command that was run, then lists each account
# with its masked password. It still names the affected accounts and gives
# hints about their passwords, so the scan result itself is sensitive data.
report = '\nNessus discovered plaintext passwords by running the following command :\n\n';
report += cmd + '\n';
report +=
  '\nThe following usernames and passwords were extracted (note' +
  '\nthat any passwords displayed have been partially obfuscated) :\n';

# Sorted so that the output is stable between runs.
foreach user (sort(found_users))
{
  report += '\n  Username : ' + user;
  report += '\n  Password : ' + credentials[user] + '\n';
}

security_note(port:0, extra:report);