[sudo-users] sudo update for older OS X versions available
Kyle J. McKay
mackyle at gmail.com
Thu Nov 21 00:11:25 MST 2013

For anyone still running an older version of OS X (pre 10.7.5 /
10.8.5) I have created an OS X sudo update based on sudo 1.7.10p7
(which therefore includes the fix for CVE-2013-1775) that also
includes the OS X specific changes.

There is no installer. Instead a set of patches and a build script
are included. The build script starts with the official sudo 1.7.10p7
release sources and then applies the OS X specific patches culled from
opensource.apple.com and finally configures the build in an OS X
compatible fashion (again culled from opensource.apple.com) and builds
it. As a final step instructions showing how to install the newly-
built sudo executable are shown. This should make it relatively easy
for anyone interested in using this update to review the patches and
the build procedure to make sure it is free of malware before
installing it.

It is available from the git repository:
http://repo.or.cz/w/sudo-osx-update.git
with a mirror at:
https://github.com/mackyle/sudo-osx-update

This update is primarily intended for OS X 10.4.11/10.5.8/10.6.8
(which are all vulnerable) but will also work on early OS X 10.7.x and
OS X 10.8.x versions (if for some reason those cannot be updated to
10.7.5+security update or 10.8.5 or later). It is unlikely to work on
any OS X version before 10.4.8. Note that OS X 10.9.0 already
includes sudo 1.7.10p7.

Part of the README_FIRST.txt file has been included below to provide
additional information.

Kyle

================
SUDO OS X UPDATE
================

-------------
What is this?
-------------

This project brings together the OS X specific patches for sudo
together with the official sudo 1.7.10p7 release to provide a fix for
the CVE-2013-1775 [1] vulnerability (details in [2]) to Mac OS X
versions prior to 10.7.5/10.8.5 specifically versions 10.4.11, 10.5.8
and 10.6.8.

----------
Background
----------

Apple has included a version of sudo with Mac OS X from the beginning,
but while the version included in OS X has been based on an official
sudo release tarball it always has a few Apple-specific tweaks in it.
The earliest version included by Apple was sudo-1.6.3p5 with Mac OS X
10.0.0.

As detailed in "Authentication bypass when clock is reset" sudo alert
[2], sudo versions 1.6.0 through 1.7.10p6 and sudo 1.8.0 through
1.8.6p6 inclusive are affected by the problem.

The reason this problem is of particular concern on OS X is that most
machines running OS X will go through the standard Apple Setup
Assistant that prompts on initial use to create the first user account
for the machine. That account will automatically be a member of the
"admin" group and on OS X machines, the "admin" group automatically
has sudo access (the root account is disabled on OS X unless
explicitly enabled later by the user).

The problem arises in that members of the "admin" group may also
change the system clock time without needing to enter any password.
There's even a command line utility to do this.

On 2013-09-12 Apple released a security update for OS X 10.7.5 that
contains an updated sudo with a fix for CVE-2013-1775 [1] and OS X
10.8.5 that also contains the same fix. However, although a 10.6.8
security update was released at the same time, it does NOT contain an
updated sudo binary. The updated sudo version provided by the 10.7.5
security update and OS X 10.8.5 (as shown by "sudo -V") is
"1.7.4p6a". The Apple Open Source version of sudo corresponding to
"1.7.4p6a" has been posted on their site [3]. Note that OS X 10.9.0
includes an sudo based on version 1.7.10p7.

So any version of OS X prior to 10.7.5/10.8.5 whose admin user has run
sudo for any reason (and has not subsequently run "sudo -K" or added a
workaround of "timestamp_timeout 0" to the sudoers file) is vulnerable
to a root access exploit. OS X 10.7.5 is also vulnerable unless the
security update has been installed.

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1775
[2] http://www.sudo.ws/sudo/alerts/epoch_ticket.html
[3] http://opensource.apple.com/source/sudo/sudo-67.1/
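
As an added example (not part of the original post or of the sudo-osx-update project), the shell functions below classify a sudo version string against the affected ranges quoted from the sudo alert above, treating Apple's "1.7.4p6a" as fixed because the post says it carries the fix. The function names and status labels are made up for this example.

```shell
#!/bin/sh
# Added example: function names and status labels are hypothetical.
# Ranges come from the post: 1.6.0 through 1.7.10p6 and 1.8.0 through 1.8.6p6.

N='(0|[1-9][0-9]*)'   # one numeric component, no leading zeros

# ver_key VERSION: print an integer that orders versions, e.g. 1.7.10p7 -> 1007010007.
# A missing patch level counts as p0; a trailing vendor letter is ignored.
ver_key() {
    base=${1%%p*}
    case $1 in *p*) pl=${1#*p} ;; *) pl=0 ;; esac
    pl=${pl%%[!0-9]*}
    old_ifs=$IFS; IFS=.
    set -- $base
    IFS=$old_ifs
    echo $(( (($1 * 1000 + $2) * 1000 + ${3:-0}) * 1000 + ${pl:-0} ))
}

# sudo_cve_2013_1775_status VERSION: print affected, not-affected, fixed-vendor or unknown.
sudo_cve_2013_1775_status() {
    v=$1
    # Apple's build named in the post as containing the fix despite its base number.
    if [ "$v" = "1.7.4p6a" ]; then echo fixed-vendor; return 0; fi
    # Anything that is not a plain release string (betas, garbage) is not guessed at.
    if ! printf '%s\n' "$v" | grep -Eq "^$N\.$N(\.$N)?(p$N[a-z]?)?\$"; then
        echo unknown; return 0
    fi
    k=$(ver_key "$v")
    if [ "$k" -ge 1006000000 ] && [ "$k" -le 1007010006 ]; then echo affected
    elif [ "$k" -ge 1008000000 ] && [ "$k" -le 1008006006 ]; then echo affected
    else echo not-affected
    fi
}

# installed_sudo_version: version from the first line of "sudo -V" ("Sudo version X").
installed_sudo_version() {
    sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p'
}

# With an argument, classify it, e.g.: sh check.sh "$(sudo -V | sed -n '1s/^Sudo version //p')"
if [ $# -gt 0 ]; then sudo_cve_2013_1775_status "$1"; fi
```

Other vendor-suffixed builds are judged by their base number only, so a result of "affected" for such a build still needs checking against the vendor's own notes.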