Re: Apple Remote Desktop root vulneravility

To: Yannick von Arx <yanux@xxxxxxxx>
Subject: Re: Apple Remote Desktop root vulneravility
From: Mike Kuriger <m@xxxxxx>
Date: Wed, 20 Sep 2006 15:07:27 -0700
Cc: Erik Lat <erik.lat@xxxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <8CB289E7-83B6-475E-8693-E7EDD045A2A9@xxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20060918212652.30311.qmail@xxxxxxxxxxxxxxxxx> <20060919123209.b96313e2.erik.lat@xxxxxxxxxxx> <8CB289E7-83B6-475E-8693-E7EDD045A2A9@xxxxxxxx>
Reply-to: m@xxxxxx
User-agent: Mozilla Thunderbird 1.0.7 (Windows/20050923)

if I'm reading this right, it looks like a non-logged in workstation
could be vulnerable to a local root use if an admin is running an remote
install.  so the "attacker" would have to know that a remote operation
is going on and the "attacker" would need physical access.  or I may
just be reading this wrong.

~mike~


Yannick von Arx wrote:

> It seems so that the attacker needs a ARD enabled user plus vnc 
> password to access the client.
> Then he can send an install command over "Manage >  Send UNIX Command"
>
> We're talking about ARD 3.0 so we've got the new feature to lock 
> client's screen with a message.
> From my point of view it's not a vulnerability in ARD, just an 
> insecure point.
>
> Regards,
> Yannick von Arx
>
> On 19.09.2006, at 19:32, Erik Lat wrote:
>
>>
>> So in order for this vulnerability to be exploited, the attacker needs
>> to have a local account on the machine correct? Your exploitation 
>> explanation
>> is a bit construed. Any more info / demostrations would be helpful.
>>
>> -Erik
>>
>> On 18 Sep 2006 21:26:52 -0000
>> fribitch@xxxxxxxxxxx wrote:
>>
>>> Background:
>>> ARD allows unix commands to be remotely sent from an admin 
>>> workstation. These commands can be run as root, because the ard 
>>> administrator can be given sudo access. This exploit involves 
>>> sending a unix command as root to install a package that was  copied
>>> to /tmp/. In this case, the app is Adobe CS 2.0 using the  adobe
>>> silent installation script. The script will mount disk  images as
>>> root, run the install, then cleanup. If a standard user  is logged
>>> in, they will see an icon on the dock for the install,  but should
>>> never see anything besides the icon.
>>>
>>> The issue:
>>> The process LoginWindow is owned by the logged in user. If the  
>>> system is at the login window, then the process LoginWindow is 
>>> owned by root. If the system is mounting a disk image visible only 
>>> to root, then the image will try to appear on the desktop.  Clicking
>>> the mouse will force the desktop to appear, as well as  the menus. A
>>> user sitting that the system will then see a finder  window, and the
>>> root users home directory. The login window can be  ignored, and the
>>> user has full root access. Files can be deleted  without
>>> authentication, and the trash can be emptied. If a user  tries to
>>> login, the login window will check their credentials, but  they will
>>> end up logging in to the root desktop with root privileges.
>>>
>>> The workaround:
>>> If you are trying to run a remote install script such as the Adobe 
>>> Silent installer, use the lock screen feature in ARD. This locks 
>>> the users desktop until the admin is done doing their thing.
>>>
>>> The end result:
>>> http://www.flickr.com/photos/metfoo/246858852/
>>>
>>> Adobes script:
>>> #!/bin/sh
>>> #
>>> # Example script to run the Adobe Creative Suite 2 Installer  silently.
>>> #
>>> #
>>> # Copyright: 2005 Adobe Systems, Inc.
>>> #
>>> #
>>>
>>>
>>> function detach_images
>>> {
>>>     # umount any previous mounted installer images
>>>     for NUMBER in 1 2 3 4
>>>     do
>>>         MOUNTED_POINT="/Volumes/Adobe Creative Suite Disk ${NUMBER} "
>>>         /sbin/mount |/usr/bin/grep "${MOUNTED_POINT}" 2>/dev/null
>>>         if [ $? -eq 0 ] ; then
>>>             echo "Another \"${MOUNT_POINT}\" already attached."
>>>             DEVICE=`/sbin/mount |/usr/bin/grep "${MOUNTED_POINT}"
>>> 2>/dev/ null |/usr/bin/cut -d" " -f1`
>>>             if [ -b "${DEVICE}" ] ; then
>>>                 /usr/bin/hdiutil detach "${DEVICE}"   
>>>                 echo "Detaching \"${DEVICE}\"..."
>>>             fi
>>>         fi
>>>     done
>>> }
>>>
>>>
>>> SAVEDIR="`pwd`"
>>> trap 'cd "${SAVEDIR}"' EXIT
>>>
>>>
>>> if [ $# -ne 2 ] ; then
>>>     echo "usage: $0 <image folder> <config filepath>"
>>>     exit 1
>>> fi
>>>
>>> IMGDIR=$1
>>> CONFIG=$2
>>>
>>>
>>> # Check OS Version, Minimum is 10.2.8
>>> OSVERSION=`/usr/bin/sw_vers |/usr/bin/grep ProductVersion |/usr/
>>> bin/cut -d: -f2`
>>> MAJORVER=`echo ${OSVERSION} | /usr/bin/cut -d . -f2`
>>> MVTEMP=`echo ${OSVERSION} | /usr/bin/cut -d. -f3`
>>> MINORVER=${MVTEMP:-0}
>>>
>>> if [ ${MAJORVER} -lt 3 ] ; then
>>>     # if less then 10.3
>>>     if [ ${MAJORVER} -ne 2 ] ; then
>>>             echo "This version of MacOS (${OSVERSION}) is not
>>> supported."
>>>             exit 1;
>>>     else
>>>         if [ ${MINORVER} -lt 8 ] ; then
>>>             echo "This version of MacOS (${OSVERSION}) is not
>>> supported."
>>>             exit 1;
>>>         fi
>>>     fi
>>>     HDIUTIL_OPTIONS=
>>> else
>>>     # additional hdiutil options for 10.3 or above system   
>>>     HDIUTIL_OPTIONS="-private -noverify"
>>> fi
>>>
>>>
>>> # Check root volume is HFS
>>> /sbin/mount -t hfs |/usr/bin/grep " / " 2>/dev/null
>>> if [ $? -ne 0 ] ; then
>>>     echo "Root volume is not a HFS volume."
>>>     exit 5
>>> fi
>>>
>>> # validate the arguments
>>> if [ ! -d "$IMGDIR" ] ; then
>>>     echo "$IMGDIR" does not exist.
>>>     exit 2
>>> fi
>>>
>>>
>>> if [ ! -r "$CONFIG" ] ; then
>>>     echo "$CONFIG" does not exist.
>>>     exit 3
>>> fi
>>>
>>>
>>> # Check running as  root
>>> MYUID=`/usr/bin/id -u`
>>>
>>> if [ ${MYUID} -ne 0 ] ; then
>>>     echo "You need to be root to run the Adobe Creative Suite 2 
>>> Installer."
>>>     exit 4
>>> fi
>>>
>>>
>>> cd "${IMGDIR}"
>>> IMGCOUNT=`/bin/ls -l *.dmg 2>/dev/null | /usr/bin/wc -l`
>>> if [ -z "${IMGCOUNT}" -o "${IMGCOUNT}" = "0" ] ; then
>>>     echo "No disk image found in "${IMGDIR}"."
>>>     exit 2
>>> fi
>>>
>>> #detach any already attached installer images
>>> detach_images
>>>
>>> # Mount the disk images for the installer CDs
>>> for DMG in *.dmg
>>> do
>>>     # mount the remaining disk images
>>>     echo
>>>     echo "--- Attaching Installer disk image ${NUMBER}..."
>>>     echo /usr/bin/hdiutil attach -verbose -readonly $
>>> {HDIUTIL_OPTIONS} "${DMG}"
>>>     /usr/bin/hdiutil attach -verbose -readonly ${HDIUTIL_OPTIONS} "$
>>> {DMG}"
>>>
>>>     if [ $? -ne 0 ] ; then
>>>         echo "Error in attaching installer disk image: \"${DMG}\""
>>>         exit 6
>>>     fi
>>> done
>>>
>>> echo
>>> echo
>>> echo "---- Starting the Adobe Creative Suite Installer..."
>>> echo
>>> "/Volumes/Adobe Creative Suite Disk 1/Adobe Installer.app/Contents/
>>> MacOS/Adobe Installer" --batch -c "${CONFIG}"
>>> INSTALLATION_RESULT=$?
>>> echo
>>>
>>> #now detach attached installer images
>>> detach_images
>>>
>>> exit ${INSTALLATION_RESULT}
>>>
>>
>>
>> -- 
>>
>> Erik Lat
>> System Engineer
>> Lextech Global Services
>>
>
> -- 
> e-mail: yannick.vonarx@xxxxxxxx
> web: http://www.yanux.ch
>
>
>
>

-- 
Mike Kuriger
Sr. Systems Engineer
WarnerBros Online
818-977-8198
m@xxxxxx
aim - mikekuriger

References:
- Apple Remote Desktop root vulneravility
  - From: fribitch
- Re: Apple Remote Desktop root vulneravility
  - From: Erik Lat
- Re: Apple Remote Desktop root vulneravility
  - From: Yannick von Arx

Prev by Date: Backdooring MP3 files (plus QuickTime issues and Cross-context Scripting)
Next by Date: "Buffer overflow" term considered overloaded
Previous by thread: Re: Apple Remote Desktop root vulneravility
Next by thread: Re: Re: Apple Remote Desktop root vulneravility
Index(es):
- Date
- Thread