[sudo-users] sudo update for older OS X versions available

Kyle J. McKay mackyle at gmail.com
Thu Nov 21 00:11:25 MST 2013


For anyone still running an older version of OS X (pre-10.7.5 /  
10.8.5) I have created an OS X sudo update based on sudo 1.7.10p7  
(which therefore includes the fix for CVE-2013-1775) that also  
includes the OS X specific changes.

There is no installer.  Instead a set of patches and a build script  
are included.  The build script starts with the official sudo 1.7.10p7  
release sources and then applies the OS X specific patches culled from  
opensource.apple.com and finally configures the build in an OS X  
compatible fashion (again culled from opensource.apple.com) and builds  
it.  As a final step, instructions showing how to install the newly-built  
sudo executable are shown.  This should make it relatively easy  
for anyone interested in using this update to review the patches and  
the build procedure to make sure it is free of malware before  
installing it.

It is available from the git repository:

   http://repo.or.cz/w/sudo-osx-update.git

with a mirror at:

   https://github.com/mackyle/sudo-osx-update

This update is primarily intended for OS X 10.4.11/10.5.8/10.6.8  
(which are all vulnerable) but will also work on early OS X 10.7.x and  
OS X 10.8.x versions (if for some reason those cannot be updated to  
10.7.5+security update or 10.8.5 or later).  It is unlikely to work on  
any OS X version before 10.4.8.  Note that OS X 10.9.0 already  
includes sudo 1.7.10p7.

Part of the README_FIRST.txt file has been included below to provide  
additional information.

Kyle


================
SUDO OS X UPDATE
================

-------------
What is this?
-------------

This project combines the OS X specific patches for sudo with the  
official sudo 1.7.10p7 release to provide a fix for the CVE-2013-1775  
[1] vulnerability (details in [2]) to Mac OS X versions prior to  
10.7.5/10.8.5, specifically versions 10.4.11, 10.5.8 and 10.6.8.

----------
Background
----------

Apple has included a version of sudo with Mac OS X from the beginning,  
but while the version included in OS X has been based on an official  
sudo release tarball, it has always had a few Apple-specific tweaks in  
it.  The earliest version included by Apple was sudo-1.6.3p5 with Mac  
OS X 10.0.0.

As detailed in the sudo alert "Authentication bypass when clock is  
reset" [2], sudo versions 1.6.0 through 1.7.10p6 and sudo 1.8.0 through  
1.8.6p6 inclusive are affected by the problem.

The reason this problem is of particular concern on OS X is that most  
machines running OS X will go through the standard Apple Setup  
Assistant that prompts on initial use to create the first user account  
for the machine.  That account will automatically be a member of the  
"admin" group and on OS X machines, the "admin" group automatically  
has sudo access (the root account is disabled on OS X unless  
explicitly enabled later by the user).

The problem arises in that members of the "admin" group may also  
change the system clock time without needing to enter any password.   
There's even a command line utility to do this.

On 2013-09-12 Apple released a security update for OS X 10.7.5  
containing an updated sudo with a fix for CVE-2013-1775 [1], and OS X  
10.8.5, which contains the same fix.  However, although a 10.6.8  
security update was released at the same time, it does NOT contain an  
updated sudo binary.  The updated sudo version provided by the 10.7.5  
security update and OS X 10.8.5 (as shown by "sudo -V") is  
"1.7.4p6a".  The Apple Open Source version of sudo corresponding to  
"1.7.4p6a" has been posted on their site [3].  Note that OS X 10.9.0  
includes a sudo based on version 1.7.10p7.

So any version of OS X prior to 10.7.5/10.8.5 whose admin user has run  
sudo for any reason (and has not subsequently run "sudo -K" or added a  
workaround of "timestamp_timeout 0" to the sudoers file) is vulnerable  
to a root access exploit.  OS X 10.7.5 is also vulnerable unless the  
security update has been installed.

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1775
[2] http://www.sudo.ws/sudo/alerts/epoch_ticket.html
[3] http://opensource.apple.com/source/sudo/sudo-67.1/
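The ticket check at the heart of CVE-2013-1775, as an added illustration that is not part of the post above, the README or sudo's own source: a deliberately simplified model of sudo's time-stamp test, with the pre-fix behaviour beside the epoch check the fixed releases rely on, run through the scenario the alert describes (admin runs sudo once, runs "sudo -k", then turns the clock back to the epoch). Function names, the NO_TICKET sentinel and the 30-second clock value are constructed for the example; real sudo's time-stamp file layout and its handling of future-dated tickets are omitted.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Default ticket lifetime: sudo's timestamp_timeout is 5 minutes. */
#define DEFAULT_TIMEOUT_SECS (5L * 60L)

/* Constructed sentinel for "no time stamp file exists" (the state
 * after "sudo -K", which removes the ticket altogether). */
#define NO_TICKET ((time_t)-1)

/* "sudo -k" does not delete the ticket; it marks it stale by setting the
 * file's mtime to the epoch.  Modelled here as returning mtime 0. */
static time_t ticket_after_sudo_k(void)
{
    return (time_t)0;
}

/* Pre-fix behaviour (sudo 1.6.0 - 1.7.10p6, 1.8.0 - 1.8.6p6), simplified:
 * the ticket is current when it exists, timestamp_timeout is non-zero and
 * fewer than `timeout` seconds separate the ticket mtime from "now".
 * Nothing distinguishes a ticket deliberately reset to the epoch from a
 * fresh one once the caller moves the system clock back to the epoch. */
bool ticket_valid_vulnerable(time_t mtime, time_t now, long timeout)
{
    if (mtime == NO_TICKET || timeout == 0)
        return false;
    return (now - mtime) < timeout;
}

/* Fixed behaviour (1.7.10p7 / 1.8.6p7 and later), simplified: an epoch
 * mtime is never accepted, so turning the clock back no longer revives a
 * ticket that "sudo -k" reset. */
bool ticket_valid_fixed(time_t mtime, time_t now, long timeout)
{
    if (mtime == NO_TICKET || timeout == 0)
        return false;
    if (mtime == 0)          /* the epoch: reset marker, not a real ticket */
        return false;
    return (now - mtime) < timeout;
}

/* Scenario from the sudo alert: an "admin" user has run sudo once, runs
 * "sudo -k", then sets the clock to the epoch (no password is needed for
 * that on OS X).  Returns true if `check` would grant root without a
 * password. */
bool exploit_succeeds(bool (*check)(time_t, time_t, long), long timeout)
{
    time_t mtime = ticket_after_sudo_k();  /* 0 */
    time_t clock_after_reset = 30;         /* constructed: 30 s into 1970 */
    return check(mtime, clock_after_reset, timeout);
}

int main(void)
{
    printf("vulnerable sudo, default timeout:     %s\n",
           exploit_succeeds(ticket_valid_vulnerable, DEFAULT_TIMEOUT_SECS)
               ? "ROOT" : "denied");
    printf("fixed sudo, default timeout:          %s\n",
           exploit_succeeds(ticket_valid_fixed, DEFAULT_TIMEOUT_SECS)
               ? "ROOT" : "denied");
    /* The two workarounds named above: timestamp_timeout 0, and sudo -K. */
    printf("vulnerable sudo, timestamp_timeout 0: %s\n",
           exploit_succeeds(ticket_valid_vulnerable, 0) ? "ROOT" : "denied");
    printf("vulnerable sudo after sudo -K:        %s\n",
           ticket_valid_vulnerable(NO_TICKET, 30, DEFAULT_TIMEOUT_SECS)
               ? "ROOT" : "denied");
    return 0;
}
```

The model shows why the two workarounds in the text work: "timestamp_timeout 0" disables the ticket entirely, and "sudo -K" removes the file so there is no mtime left to compare, whereas "sudo -k" on an unfixed sudo leaves behind exactly the epoch-stamped file that a clock reset turns back into a valid ticket.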
