
Re: Apple Remote Desktop root vulnerability



So in order for this vulnerability to be exploited, the attacker needs
to have a local account on the machine, correct? Your exploitation explanation
is a bit construed. Any more info / demonstrations would be helpful.

-Erik

On 18 Sep 2006 21:26:52 -0000
fribitch@xxxxxxxxxxx wrote:

> Background:
> ARD allows unix commands to be remotely sent from an admin workstation. These 
> commands can be run as root, because the ARD administrator can be given sudo 
> access. This exploit involves sending a unix command as root to install a 
> package that was copied to /tmp/. In this case, the app is Adobe CS 2.0 using 
> the Adobe silent installation script. The script will mount disk images as 
> root, run the install, then clean up. If a standard user is logged in, they 
> will see an icon on the Dock for the install, but should never see anything 
> besides the icon.
> 
> The issue:
> The process LoginWindow is owned by the logged-in user. If the system is at 
> the login window, then the process LoginWindow is owned by root. If the 
> system is mounting a disk image visible only to root, then the image will try 
> to appear on the desktop. Clicking the mouse will force the desktop to 
> appear, as well as the menus. A user sitting at the system will then see a 
> Finder window, and the root user's home directory. The login window can be 
> ignored, and the user has full root access. Files can be deleted without 
> authentication, and the trash can be emptied. If a user tries to log in, the 
> login window will check their credentials, but they will end up logging in to 
> the root desktop with root privileges.
> 
> The workaround:
> If you are trying to run a remote install script such as the Adobe Silent 
> installer, use the lock screen feature in ARD. This locks the user's desktop 
> until the admin is done doing their thing.
> 
> The end result:
> http://www.flickr.com/photos/metfoo/246858852/
> 
> Adobe's script:
> #!/bin/sh
> #
> # Example script to run the Adobe Creative Suite 2 Installer silently.
> #
> # Copyright: 2005 Adobe Systems, Inc.
> #
> 
> 
> detach_images()
> {
>       # unmount any previously attached installer images
>       for NUMBER in 1 2 3 4
>       do
>               MOUNTED_POINT="/Volumes/Adobe Creative Suite Disk ${NUMBER} "
>               /sbin/mount | /usr/bin/grep "${MOUNTED_POINT}" 2>/dev/null
>               if [ $? -eq 0 ] ; then
>                       echo "Another \"${MOUNTED_POINT}\" already attached."
>                       DEVICE=`/sbin/mount | /usr/bin/grep "${MOUNTED_POINT}" 2>/dev/null | /usr/bin/cut -d" " -f1`
>                       if [ -b "${DEVICE}" ] ; then
>                               /usr/bin/hdiutil detach "${DEVICE}"
>                               echo "Detaching \"${DEVICE}\"..."
>                       fi
>               fi
>       done
> }
> 
> 
> # return to the caller's directory when the script exits
> SAVEDIR="`pwd`"
> trap 'cd "${SAVEDIR}"' EXIT
> 
> 
> if [ $# -ne 2 ] ; then
>       echo "usage: $0 <image folder> <config filepath>"
>       exit 1
> fi
> 
> IMGDIR=$1
> CONFIG=$2
> 
> 
> # Check OS version, minimum is 10.2.8
> OSVERSION=`/usr/bin/sw_vers | /usr/bin/grep ProductVersion | /usr/bin/cut -d: -f2`
> MAJORVER=`echo ${OSVERSION} | /usr/bin/cut -d . -f2`
> MVTEMP=`echo ${OSVERSION} | /usr/bin/cut -d. -f3`
> MINORVER=${MVTEMP:-0}
> 
> if [ ${MAJORVER} -lt 3 ] ; then
>       # less than 10.3: only 10.2.8 or later 10.2.x is supported
>       if [ ${MAJORVER} -ne 2 ] ; then
>               echo "This version of MacOS (${OSVERSION}) is not supported."
>               exit 1
>       else
>               if [ ${MINORVER} -lt 8 ] ; then
>                       echo "This version of MacOS (${OSVERSION}) is not supported."
>                       exit 1
>               fi
>       fi
>       HDIUTIL_OPTIONS=
> else
>       # additional hdiutil options for 10.3 or above
>       HDIUTIL_OPTIONS="-private -noverify"
> fi
> 
> 
> # Check root volume is HFS
> /sbin/mount -t hfs | /usr/bin/grep " / " 2>/dev/null
> if [ $? -ne 0 ] ; then
>       echo "Root volume is not a HFS volume."
>       exit 5
> fi
> 
> # validate the arguments
> if [ ! -d "$IMGDIR" ] ; then
>       echo "$IMGDIR does not exist."
>       exit 2
> fi
> 
> 
> if [ ! -r "$CONFIG" ] ; then
>       echo "$CONFIG does not exist."
>       exit 3
> fi
> 
> 
> # Check running as root
> MYUID=`/usr/bin/id -u`
> 
> if [ ${MYUID} -ne 0 ] ; then
>       echo "You need to be root to run the Adobe Creative Suite 2 Installer."
>       exit 4
> fi
> 
> 
> cd "${IMGDIR}"
> # wc -l pads its count with spaces; strip them before comparing
> IMGCOUNT=`/bin/ls -l *.dmg 2>/dev/null | /usr/bin/wc -l | /usr/bin/tr -d ' '`
> if [ -z "${IMGCOUNT}" -o "${IMGCOUNT}" = "0" ] ; then
>       echo "No disk image found in \"${IMGDIR}\"."
>       exit 2
> fi
> 
> # detach any already attached installer images
> detach_images
> 
> # Mount the disk images for the installer CDs
> for DMG in *.dmg
> do
>       echo
>       echo "--- Attaching installer disk image ${DMG}..."
>       echo /usr/bin/hdiutil attach -verbose -readonly ${HDIUTIL_OPTIONS} "${DMG}"
>       /usr/bin/hdiutil attach -verbose -readonly ${HDIUTIL_OPTIONS} "${DMG}"
> 
>       if [ $? -ne 0 ] ; then
>               echo "Error in attaching installer disk image: \"${DMG}\""
>               exit 6
>       fi
> done
> 
> echo
> echo
> echo "---- Starting the Adobe Creative Suite Installer..."
> echo
> "/Volumes/Adobe Creative Suite Disk 1/Adobe Installer.app/Contents/MacOS/Adobe Installer" --batch -c "${CONFIG}"
> INSTALLATION_RESULT=$?
> echo
> 
> # now detach the attached installer images
> detach_images
> 
> exit ${INSTALLATION_RESULT}
> 


-- 

Erik Lat
System Engineer
Lextech Global Services
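A hardened form of the quoted script's "attach the image as root" step, added here as an example; it is not part of the original post or of Adobe's installer. It assumes `who` reports the GUI session with "console" in its second field (macOS) and that hdiutil accepts its documented -nobrowse and -mountroot options, so the mounted volume never shows up on any Finder desktop, root's at the login window included.

```shell
#!/bin/sh
# Added example, not part of the original post or of Adobe's installer script.
# Hardened form of the "attach installer image as root" step from the thread.
# Assumptions: `who` lists the GUI session with "console" in its second field
# (macOS), and hdiutil(1) accepts the documented -nobrowse and -mountroot options.

# console_user_from_who: read `who` output on stdin and print the login name
# owning the console (GUI) session; print nothing when the machine sits at the
# login window, i.e. when LoginWindow is running as root.
console_user_from_who() {
    while read -r name tty rest; do
        if [ "$tty" = "console" ]; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 0
}

# plan_attach <dmg> <mountroot> <console-user-or-empty>
# Prints the hdiutil command line, one argument per line, so the caller can
# log it before running it. -nobrowse keeps the volume off every Finder
# desktop (root's included); -mountroot mounts it under a 0700 directory
# instead of /Volumes, so nothing appears even if the login window is clicked.
plan_attach() {
    dmg=$1; mountroot=$2; user=$3
    if [ -z "$user" ]; then
        echo "warning: console is at the login window; LoginWindow runs as root" >&2
    fi
    printf '%s\n' /usr/bin/hdiutil attach -readonly -noverify \
        -nobrowse -mountroot "$mountroot" "$dmg"
}

# attach_hidden <dmg> [mountroot]: run the plan on a live macOS system.
attach_hidden() {
    dmg=$1
    mountroot=${2:-/private/tmp/ard-install.$$}
    mkdir -p "$mountroot" && chmod 0700 "$mountroot" || return 1
    # Rebuild the argument list from plan_attach's output line by line, so
    # spaces inside paths (e.g. "Adobe Creative Suite Disk 1.dmg") survive.
    set --
    while IFS= read -r arg; do
        set -- "$@" "$arg"
    done <<EOF
$(plan_attach "$dmg" "$mountroot" "$(who | console_user_from_who)")
EOF
    "$@"
}
```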