SecurityTracker.com
SecurityTracker
Archives


Category:   Application (Generic)  >  Sudo
Vendors:   Apple
Apple 'sudo' on Laptops May Let Local Users Execute Commands Without Authenticating
SecurityTracker Alert ID:  1008239
SecurityTracker URL:  http://securitytracker.com/id/1008239
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Dec 7 2003
Original Entry Date:  Nov 19 2003
Impact:   Execution of arbitrary code via local system, Root access via local system
Exploit Included:  Yes  

Description:   A vulnerability was reported in the 'sudo' command on Apple's Mac OS X-based laptops. In certain cases, a local user may be able to execute sudo commands without having to authenticate.

It is reported that the sudo application uses the graphical interface clock instead of the system clock. When sudo is executed via Apple's Terminal.app and the laptop is then placed in sleep mode and subsequently woken up, the laptop may take 10 - 20 seconds to update the graphical clock. As a result, a physically local user can wake up the laptop and, during that 10 - 20 second window, execute sudo commands with root privileges without having to authenticate.

The vendor was reportedly notified on November 3, 2003.

Impact:   A physically local user can, in certain specific circumstances, execute sudo commands with root privileges.
Solution:   No solution was available at the time of this entry. The vendor is reportedly working on a fix.

The author of the report has provided some workarounds, described in the Source Message.

Vendor URL:  www.apple.com/
Cause:   State error
Underlying OS:  UNIX (macOS/OS X)
Underlying OS Comments:  Tested on Mac OS X 10.3, 10.2.7, and 10.2.3

Message History:   None.


Source Message Contents

Subject:  [Full-Disclosure] Vulnerability in Terminal.app


There is a vulnerability in Apple's Terminal.app for OS X which affects 
Apple laptops.

When running from the Terminal (within the Unix shell), the command 
sudo normally will not prompt for a password for five minutes after the 
password was last given.

The vulnerability occurs when putting an Apple laptop to sleep after 
issuing a sudo command. Upon waking, the computer takes perhaps ten - 
twenty seconds to update the clock in the graphical interface, and sudo 
goes by this clock, and not the internal clock.

Thus an intruder can open an Apple laptop and, given the right 
circumstances, take over a machine.

This has been tested on two Apple PowerBook G4 laptops and with 
operating systems OS X 10.2.3 Jaguar, OS X 10.2.7 Jaguar, and OS X 10.3 
Panther. The exploit works on all machines with all operating systems. 
Under certain circumstances, Terminal.app can be opened when the 
computer is woken up; at other times it proves necessary to have the 
Terminal window still on the desktop; in all circumstances, as sudo 
goes after the wrong clock, root access is possible.

This vulnerability was reported to Apple Product Security on 3 
November. On 14 November, after sending a reminder, Apple explained 
that they were working on the fix and testing it. Now that the two 
weeks are up and Apple has not yet released the fix, it's time to warn 
the public at large.

There is a work-around for this vulnerability of course - actually 
several.

1. Never use sudo (not particularly practical).

2. Never put your box to sleep after a sudo unless at least 5 minutes 
(or whatever your interval is set to) have passed.

3. Issue either the 'sudo -k' command or the 'sudo -K' command before 
putting your box to sleep - make it a habit no matter if you remember 
issuing an ordinary sudo recently or not - 'just in case'.

sudo -k
-------
The -k (kill) option to sudo invalidates the user's timestamp by 
setting the time on it to the epoch. The next time sudo is run a 
password will be required. This option does not require a password and 
was added to allow a user to revoke sudo permissions from a logout file.

sudo -K
-------
The -K (sure kill) option to sudo removes the user's timestamp 
entirely. Likewise, this option does not require a password.

Demonstration
-------------
Open an Apple laptop running OS X, such as a PowerBook G4. Issue a sudo 
command. Leave the Terminal window open and close the computer. Go away 
for perhaps a half hour. Open the laptop, hit arrow up and return.

The Code
--------
The weak link would seem to be in this snippet of the sudo source.

/*
 * If the file/dir exists, check its mtime.
 */
if (status == TS_OLD) {
    /* Negative timeouts only expire manually (sudo -k). */
    if (def_ival(I_TIMESTAMP_TIMEOUT) < 0 && sb.st_mtime != 0)
        status = TS_CURRENT;
    else {
        // -----------------
        now = time(NULL);
        // -----------------
        if (def_ival(I_TIMESTAMP_TIMEOUT) &&
            now - sb.st_mtime < 60 * def_ival(I_TIMESTAMP_TIMEOUT)) {
            /*
             * Check for bogus time on the stampfile.  The clock may
             * have been set back or someone could be trying to spoof us.
             */
            if (sb.st_mtime > now + 60 * def_ival(I_TIMESTAMP_TIMEOUT) * 2) {
                log_error(NO_EXIT,
                    "timestamp too far in the future: %20.20s",
                    4 + ctime(&sb.st_mtime));
                if (timestampfile)
                    (void) unlink(timestampfile);
                else
                    (void) rmdir(timestampdir);
                status = TS_MISSING;
            } else
                status = TS_CURRENT;
        }
    }
}

Rick Downes
Rixstep
http://rixstep.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
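As an added illustration (not sudo's code and not part of the original post), the C program below models the age check in the quoted snippet with a fixed five-minute timeout and shows what happens when the value sudo reads from time(NULL) has not yet caught up with wall-clock time after a wake from sleep, and why the 'sudo -k' and 'sudo -K' workarounds close that window. The TIMEOUT_MIN constant, the enum, the function names and the sample times are assumptions made for the example.

```c
/* Added example, not sudo's or the author's code. Models the quoted
 * age check with a fixed 5-minute timeout; names and times are made up. */
#include <stdio.h>
#include <time.h>

#define TIMEOUT_MIN 5                  /* assumed timestamp_timeout */

enum ts_status { TS_MISSING, TS_OLD, TS_CURRENT };

/* stamp_mtime: mtime of the timestamp file, 0 after "sudo -k" (set to
 * the epoch), or -1 when no file exists (what "sudo -K" leaves behind).
 * now: whatever the system clock returns from time(NULL). */
enum ts_status check_stamp(time_t stamp_mtime, time_t now)
{
    if (stamp_mtime < 0)
        return TS_MISSING;
    /* Same arithmetic as the snippet: the stamp is current while it is
     * less than TIMEOUT_MIN minutes old according to `now`. */
    if (now - stamp_mtime < 60 * TIMEOUT_MIN) {
        /* Stamp dated more than twice the timeout in the future: clock
         * set back or a spoofed file; the snippet removes it. */
        if (stamp_mtime > now + 60 * TIMEOUT_MIN * 2)
            return TS_MISSING;
        return TS_CURRENT;
    }
    return TS_OLD;
}

/* 1 if sudo would prompt for a password, 0 if it would run silently. */
int password_required(time_t stamp_mtime, time_t now)
{
    return check_stamp(stamp_mtime, now) != TS_CURRENT;
}

int main(void)
{
    time_t t0 = 1069200000;            /* constructed: sudo last run here */
    time_t wall = t0 + 30 * 60;        /* lid reopened 30 minutes later */
    time_t stale = t0 + 15;            /* clock that has not caught up */

    /* With a correct clock the stamp is 30 minutes old: prompt. With a
     * clock still reading 15 s past t0 it looks fresh: no prompt. */
    printf("clock correct -> prompt=%d\n", password_required(t0, wall));
    printf("clock stale   -> prompt=%d\n", password_required(t0, stale));
    printf("after sudo -k -> prompt=%d\n", password_required(0, stale));
    printf("after sudo -K -> prompt=%d\n", password_required(-1, stale));
    return 0;
}
```

The "clock stale" line is the window the message describes: the stamp is half an hour old by wall time, but the check only sees fifteen seconds.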
