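Apple Remote Desktop Local Authentication Bypass Vulnerability
Published: 2006-09-18
Updated: 2006-09-20
Affected systems:
Apple Remote Desktop 3.0
Apple Remote Desktop 2.1
Apple Remote Desktop 2.0
Description:
BUGTRAQ ID: 20092
Apple Remote Desktop (ARD) is a remote desktop management system designed for Mac OS X.
ARD allows UNIX commands to be sent remotely from an administrative workstation. Because the ARD administrator may have been granted sudo access, remotely sent commands may run with root privileges.
The LoginWindow process belongs to the logged-in user. If the system is at the login window, the LoginWindow process belongs to root. If the system then mounts a disk image that is visible only to root, the image attempts to appear on the desktop; a mouse click forces the desktop and menus to be displayed, and a user with physical access to the system then sees a Finder window along with the root user's home directory. The user can bypass the login window and gain full root access.
<*Source: fribitch (fribitch@organic.com)
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=115868559613987&w=2
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!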
#
# Example script to run the Adobe Creative Suite 2 Installer silently.
#
#
# Copyright: 2005 Adobe Systems, Inc.
#
#
function detach_images
{
    # unmount any previously mounted installer images
    for NUMBER in 1 2 3 4
    do
        MOUNTED_POINT="/Volumes/Adobe Creative Suite Disk ${NUMBER} "
        /sbin/mount |/usr/bin/grep "${MOUNTED_POINT}" 2>/dev/null
        if [ $? -eq 0 ] ; then
            echo "Another \"${MOUNTED_POINT}\" already attached."
            DEVICE=`/sbin/mount |/usr/bin/grep "${MOUNTED_POINT}" 2>/dev/null |/usr/bin/cut -d" " -f1`
            if [ -b "${DEVICE}" ] ; then
                /usr/bin/hdiutil detach "${DEVICE}"
                echo "Detaching \"${DEVICE}\"..."
            fi
        fi
    done
}
SAVEDIR="`pwd`"
trap 'cd "${SAVEDIR}"' EXIT
if [ $# -ne 2 ] ; then
    echo "usage: $0 <image folder> <config filepath>"
    exit 1
fi
IMGDIR=$1
CONFIG=$2
# Check OS Version, Minimum is 10.2.8
OSVERSION=`/usr/bin/sw_vers |/usr/bin/grep ProductVersion |/usr/bin/cut -d: -f2`
MAJORVER=`echo ${OSVERSION} | /usr/bin/cut -d . -f2`
MVTEMP=`echo ${OSVERSION} | /usr/bin/cut -d. -f3`
MINORVER=${MVTEMP:-0}
if [ ${MAJORVER} -lt 3 ] ; then
    # if less than 10.3
    if [ ${MAJORVER} -ne 2 ] ; then
        echo "This version of MacOS (${OSVERSION}) is not supported."
        exit 1;
    else
        if [ ${MINORVER} -lt 8 ] ; then
            echo "This version of MacOS (${OSVERSION}) is not supported."
            exit 1;
        fi
    fi
    HDIUTIL_OPTIONS=
else
    # additional hdiutil options for 10.3 or above system
    HDIUTIL_OPTIONS="-private -noverify"
fi
# Check root volume is HFS
/sbin/mount -t hfs |/usr/bin/grep " / " 2>/dev/null
if [ $? -ne 0 ] ; then
    echo "Root volume is not a HFS volume."
    exit 5
fi
# validate the arguments
if [ ! -d "$IMGDIR" ] ; then
    echo "$IMGDIR" does not exist.
    exit 2
fi
if [ ! -r "$CONFIG" ] ; then
    echo "$CONFIG" does not exist.
    exit 3
fi
# Check running as root
MYUID=`/usr/bin/id -u`
if [ ${MYUID} -ne 0 ] ; then
    echo "You need to be root to run the Adobe Creative Suite 2 Installer."
    exit 4
fi
cd "${IMGDIR}"
IMGCOUNT=`/bin/ls -l *.dmg 2>/dev/null | /usr/bin/wc -l`
if [ -z "${IMGCOUNT}" -o "${IMGCOUNT}" = "0" ] ; then
    echo "No disk image found in \"${IMGDIR}\"."
    exit 2
fi
# detach any already attached installer images
detach_images
# Mount the disk images for the installer CDs
for DMG in *.dmg
do
    # mount the remaining disk images
    echo
    echo "--- Attaching Installer disk image \"${DMG}\"..."
    echo /usr/bin/hdiutil attach -verbose -readonly ${HDIUTIL_OPTIONS} "${DMG}"
    /usr/bin/hdiutil attach -verbose -readonly ${HDIUTIL_OPTIONS} "${DMG}"
    if [ $? -ne 0 ] ; then
        echo "Error in attaching installer disk image: \"${DMG}\""
        exit 6
    fi
done
echo
echo
echo "---- Starting the Adobe Creative Suite Installer..."
echo
"/Volumes/Adobe Creative Suite Disk 1/Adobe Installer.app/Contents/MacOS/Adobe Installer" --batch -c "${CONFIG}"
# save the installer's exit status before any other command overwrites $?
INSTALLATION_RESULT=$?
echo
# now detach attached installer images
detach_images
exit ${INSTALLATION_RESULT}
Recommendation:
Temporary workaround:
* Use ARD's Lock Screen feature.
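The condition described above (LoginWindow owned by root while the machine sits at the login window) can also be checked before an ARD-sent script attaches a disk image. The following is an added example, not part of the original advisory and not Apple's or Adobe's code; the function names, the HDIUTIL override and the sample process listings are constructed for illustration, and treating any root-owned loginwindow process as unsafe is an assumption of the example.

```sh
#!/bin/sh
# Added example: keep an ARD-sent script from attaching disk images while the
# Mac sits at the login window (LoginWindow owned by root).

# Classify the console from `ps -axo user=,comm=` output read on stdin.
# Assumption: any root-owned loginwindow process means the login window may
# be on screen, so that case is treated as unsafe.
console_state() {
    awk '
        {
            n = split($NF, path, "/")
            if (path[n] == "loginwindow") {
                seen = 1
                if ($1 == "root") root_owned = 1
            }
        }
        END {
            if (!seen)           print "unknown"
            else if (root_owned) print "login-window"
            else                 print "user-session"
        }'
}

# Attach image "$2" only when state "$1" is a user session; fail closed
# otherwise. HDIUTIL is a hypothetical override used for testing off a Mac.
guarded_attach() {
    state=$1
    dmg=$2
    if [ "$state" != "user-session" ]; then
        echo "refusing to attach \"$dmg\": console state is $state" >&2
        return 1
    fi
    "${HDIUTIL:-/usr/bin/hdiutil}" attach -readonly "$dmg"
}

# Constructed process listings in `ps -axo user=,comm=` form ("alice" is made up).
SAMPLE_AT_LOGIN_WINDOW='root /sbin/launchd
root /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow'
SAMPLE_USER_SESSION='root /sbin/launchd
alice /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow'

# Demo on the constructed samples; on a real system the call would be:
#   guarded_attach "$(ps -axo user=,comm= | console_state)" "$DMG"
for sample in "$SAMPLE_AT_LOGIN_WINDOW" "$SAMPLE_USER_SESSION"; do
    printf '%s\n' "$sample" | console_state
done
```

The guard fails closed: when no loginwindow process is found at all, the state is "unknown" and the image is not attached.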
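Vendor patch:
Apple
-----
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
http://www.apple.com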
