Message-ID: <1BD4C71E-1A93-11D8-A3F8-000A95DA4200@kagi.com>
From: rixstep at kagi.com (rixstep@...i.com)
Subject: Vulnerability in Terminal.app
There is a vulnerability in Apple's Terminal.app for OS X which affects
Apple laptops.
When running from the Terminal (within the Unix shell), the command
sudo normally will not prompt for a password for five minutes after the
password was last given.
The vulnerability occurs when an Apple laptop is put to sleep after a
sudo command has been issued. Upon waking, the computer takes perhaps
ten to twenty seconds to update the clock in the graphical interface,
and sudo goes by this clock, not the internal clock.
Thus an intruder can open an Apple laptop and, given the right
circumstances, take over a machine.
This has been tested on two Apple PowerBook G4 laptops and with
operating systems OS X 10.2.3 Jaguar, OS X 10.2.7 Jaguar, and OS X 10.3
Panther. The exploit works on all machines with all operating systems.
Under certain circumstances, Terminal.app can be opened after the
computer is woken up; at other times the Terminal window must still be
on the desktop. In all circumstances, because sudo consults the wrong
clock, root access is possible.
This vulnerability was reported to Apple Product Security on 3
November. On 14 November, after sending a reminder, Apple explained
that they were working on the fix and testing it. Now that the two
weeks are up and Apple has not yet released the fix, it's time to warn
the public at large.
There are work-arounds for this vulnerability, of course - several, in
fact.
1. Never use sudo (not particularly practical).
2. Never put your box to sleep after a sudo unless at least 5 minutes
(or whatever your interval is set to) have passed.
3. Issue either the 'sudo -k' command or the 'sudo -K' command before
putting your box to sleep - make it a habit whether or not you remember
issuing an ordinary sudo recently, 'just in case'.
sudo -k
-------
The -k (kill) option to sudo invalidates the user's timestamp by
setting the time on it to the epoch. The next time sudo is run a
password will be required. This option does not require a password and
was added to allow a user to revoke sudo permissions from a logout file.
sudo -K
-------
The -K (sure kill) option to sudo removes the user's timestamp
entirely. Likewise, this option does not require a password.
Demonstration
-------------
Open an Apple laptop running OS X, such as a PowerBook G4. Issue a sudo
command. Leave the Terminal window open and close the computer. Go away
for perhaps a half hour. Open the laptop, hit arrow up and return.
The Code
--------
The weak link would seem to be in this snippet of the sudo source.
    /*
     * If the file/dir exists, check its mtime.
     */
    if (status == TS_OLD) {
        /* Negative timeouts only expire manually (sudo -k). */
        if (def_ival(I_TIMESTAMP_TIMEOUT) < 0 && sb.st_mtime != 0)
            status = TS_CURRENT;
        else {
            // -----------------
            now = time(NULL);
            // -----------------
            if (def_ival(I_TIMESTAMP_TIMEOUT) &&
                now - sb.st_mtime < 60 * def_ival(I_TIMESTAMP_TIMEOUT)) {
                /*
                 * Check for bogus time on the stampfile. The clock may
                 * have been set back or someone could be trying to spoof us.
                 */
                if (sb.st_mtime > now + 60 * def_ival(I_TIMESTAMP_TIMEOUT) * 2) {
                    log_error(NO_EXIT,
                        "timestamp too far in the future: %20.20s",
                        4 + ctime(&sb.st_mtime));
                    if (timestampfile)
                        (void) unlink(timestampfile);
                    else
                        (void) rmdir(timestampdir);
                    status = TS_MISSING;
                } else
                    status = TS_CURRENT;
            }
        }
    }
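The following is an added illustration, not code from sudo or from the
original post: a stand-alone model of the timestamp check quoted above,
driven by explicit clock values rather than time(NULL), so the effect of
a clock that has not yet caught up after wake can be seen alongside the
'sudo -k' and 'sudo -K' cases described earlier. The function name
ts_status, the TS_* constants, the 'exists' flag (modelling -K having
removed the file) and the sample epoch values are assumptions made for
this example.

```c
/* Added example (not sudo's code): a model of the quoted timestamp
 * check. ts_status, TS_*, the 'exists' flag and all sample times below
 * are assumptions made for this illustration. */
#include <stdio.h>
#include <time.h>

enum { TS_MISSING = 0, TS_OLD = 1, TS_CURRENT = 2 };

/*
 * Mirror of the quoted logic with the inputs made explicit:
 *   exists      - 0 models the state after 'sudo -K' (stamp removed)
 *   now         - whatever the system clock currently reports
 *   mtime       - mtime of the timestamp file (0 after 'sudo -k')
 *   timeout_min - timestamp_timeout in minutes (sudo's default is 5)
 */
int ts_status(int exists, time_t now, time_t mtime, int timeout_min)
{
    if (!exists)
        return TS_MISSING;                      /* nothing to check */
    if (timeout_min < 0)                        /* negative: manual expiry only */
        return mtime != 0 ? TS_CURRENT : TS_OLD;
    if (timeout_min && now - mtime < 60 * (time_t)timeout_min) {
        /* Stamp claims to be well in the future: treat it as bogus. */
        if (mtime > now + 60 * (time_t)timeout_min * 2)
            return TS_MISSING;
        return TS_CURRENT;
    }
    return TS_OLD;
}

static const char *name(int s)
{
    return s == TS_CURRENT ? "TS_CURRENT (no password asked)"
         : s == TS_OLD     ? "TS_OLD (password required)"
         :                   "TS_MISSING (stamp discarded)";
}

int main(void)
{
    /* Constructed values: sudo last ran at 'stamp' (Nov 2003), the laptop
     * then slept for 30 minutes with the default 5-minute timeout. */
    const time_t stamp = 1069000000;
    const int timeout = 5;

    /* Clock already caught up with real time on wake. */
    printf("clock correct  : %s\n",
           name(ts_status(1, stamp + 1800, stamp, timeout)));
    /* Clock still showing roughly the time the machine went to sleep. */
    printf("clock stale    : %s\n",
           name(ts_status(1, stamp + 10, stamp, timeout)));
    /* 'sudo -k' before sleep: mtime reset to the epoch. */
    printf("after sudo -k  : %s\n",
           name(ts_status(1, stamp + 10, 0, timeout)));
    /* 'sudo -K' before sleep: stamp removed entirely. */
    printf("after sudo -K  : %s\n",
           name(ts_status(0, stamp + 10, stamp, timeout)));
    /* Stamp dated further ahead than twice the timeout: bogus-time path. */
    printf("stamp in future: %s\n",
           name(ts_status(1, stamp, stamp + 700, timeout)));
    return 0;
}
```

Run as is, the stale-clock line is the one that matters: with the same
stamp and the same real elapsed time, only the value the clock reports
decides whether the password is asked for, which is why invalidating the
stamp with -k or -K before sleep removes the dependence on the clock.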
Rick Downes
Rixstep
http://rixstep.com