CVE-2012-0652 - Information Exposure vulnerability in Apple Mac OS X 10.7.3

CVSS 4.9 - MEDIUM

  • Attack vector: LOCAL
  • Attack complexity: LOW
  • Privileges required: NONE
  • Confidentiality impact: COMPLETE
  • Integrity impact: NONE
  • Availability impact: NONE

Tags: local, low complexity, apple, CWE-200, nessus

Summary

Login Window in Apple Mac OS X 10.7.3, when Legacy File Vault or networked home directories are enabled, does not properly restrict what is written to the system log for network logins, which allows local users to obtain sensitive information by reading the log.

Vulnerable Configurations

Part    Description    Count
OS      Apple          1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a program's vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of JavaScript to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser, including the version of the browser, to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero-day weaknesses in the type and version of the browser used by the victim. Automating this process via JavaScript as a part of the same delivery system used to exploit the browser is considered more efficient, as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in JavaScript and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_10_7_4.NASL
    description: The remote host is running a version of Mac OS X 10.7.x that is prior to 10.7.4. The newer version contains numerous security-related fixes for the following components: Login Window, Bluetooth, curl, HFS, Kernel, libarchive, libsecurity, libxml, LoginUIFramework, PHP, Quartz Composer, QuickTime, Ruby, Security Framework, Time Machine, X11. Note that this update addresses the recent FileVault password vulnerability, in which user passwords are stored in plaintext to a system-wide debug log if the legacy version of FileVault is used to encrypt user directories after a system upgrade to Lion. Since the patch only limits further exposure, though, we recommend that all users on the system change their passwords if user folders were encrypted using the legacy version of FileVault prior to and after an upgrade to OS X 10.7.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 59066
    published: 2012-05-10
    reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/59066
    title: Mac OS X 10.7.x < 10.7.4 Multiple Vulnerabilities (BEAST)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    if (!defined_func("bn_random")) exit(0);
    if (NASL_LEVEL < 3000) exit(0);    # Avoid problems with large number of xrefs.
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(59066);
      script_version("1.27");
      script_cvs_date("Date: 2018/07/16 12:48:31");
    
      script_cve_id(
        "CVE-2011-1004",
        "CVE-2011-1005",
        "CVE-2011-1777",
        "CVE-2011-1778",
        "CVE-2011-1944",
        "CVE-2011-2821",
        "CVE-2011-2834",
        "CVE-2011-2895",
        "CVE-2011-3212",
        "CVE-2011-3389",
        "CVE-2011-3919",
        "CVE-2011-4566",
        "CVE-2011-4815",
        "CVE-2011-4885",
        "CVE-2012-0036",
        "CVE-2012-0642",
        "CVE-2012-0649",
        "CVE-2012-0652",
        "CVE-2012-0654",
        "CVE-2012-0655",
        "CVE-2012-0656",
        "CVE-2012-0657",
        "CVE-2012-0658",
        "CVE-2012-0659",
        "CVE-2012-0660",
        "CVE-2012-0661",
        "CVE-2012-0662",
        "CVE-2012-0675",
        "CVE-2012-0830"
      );
      script_bugtraq_id(
        46458,
        46460,
        47737,
        48056,
        49124,
        49279,
        49658,
        49778,
        50907,
        51193,
        51198,
        51300,
        51665,
        51830,
        52364,
        53456,
        53457,
        53459,
        53462,
        53465,
        53466,
        53467,
        53468,
        53469,
        53470,
        53471,
        53473
      );
      script_xref(name:"TRA", value:"TRA-2012-02");
      script_xref(name:"CERT", value:"864643");
      script_xref(name:"ZDI", value:"ZDI-12-135");
    
      script_name(english:"Mac OS X 10.7.x < 10.7.4 Multiple Vulnerabilities (BEAST)");
      script_summary(english:"Check the version of Mac OS X.");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote host is missing a Mac OS X update that fixes several
    security issues."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is running a version of Mac OS X 10.7.x that is prior
    to 10.7.4. The newer version contains numerous security-related fixes
    for the following components :
    
      - Login Window
      - Bluetooth
      - curl
      - HFS
      - Kernel
      - libarchive
      - libsecurity
      - libxml
      - LoginUIFramework
      - PHP
      - Quartz Composer
      - QuickTime
      - Ruby
      - Security Framework
      - Time Machine
      - X11
    
    Note that this update addresses the recent FileVault password
    vulnerability, in which user passwords are stored in plaintext to a
    system-wide debug log if the legacy version of FileVault is used to
    encrypt user directories after a system upgrade to Lion. Since the
    patch only limits further exposure, though, we recommend that all
    users on the system change their passwords if user folders were
    encrypted using the legacy version of FileVault prior to and after an
    upgrade to OS X 10.7."
      );
      script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2012-02");
      script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT5281");
      script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2012/May/msg00001.html");
      script_set_attribute(attribute:"see_also", value:"http://www.zerodayinitiative.com/advisories/ZDI-12-135");
      script_set_attribute(attribute:"see_also", value:"http://seclists.org/fulldisclosure/2012/Aug/64");
      script_set_attribute(attribute:"see_also", value:"https://www.imperialviolet.org/2011/09/23/chromeandbeast.html");
      script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/~bodo/tls-cbc.txt");
      script_set_attribute(
        attribute:"solution", 
        value:"Upgrade to Mac OS X 10.7.4 or later."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/02/18");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/05/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/05/10");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_end_attributes();
     
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");
     
      script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
    
      exit(0);
    }
    
    os = get_kb_item("Host/MacOSX/Version");
    if (!os)
    {
      os = get_kb_item("Host/OS");
      if (isnull(os)) exit(0, "The 'Host/OS' KB item is missing.");
      if ("Mac OS X" >!< os) exit(0, "The host does not appear to be running Mac OS X.");
    
      c = get_kb_item("Host/OS/Confidence");
      if (c <= 70) exit(1, "Can't determine the host's OS with sufficient confidence.");
    }
    if (!os) exit(0, "The host does not appear to be running Mac OS X.");
    
    
    if (ereg(pattern:"Mac OS X 10\.7($|\.[0-3]([^0-9]|$))", string:os)) security_hole(0);
    else exit(0, "The host is not affected as it is running "+os+".");
    
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_FILEVAULT_LOG_INFO_LEAK.NASL
    description: Plaintext passwords were discovered in a system log file. Mac OS X Lion release 10.7.3 enabled a debug logging feature that causes plaintext passwords to be logged to /var/log/secure.log on systems that use certain FileVault configurations. A local attacker in the admin group or an attacker with physical access to the host could exploit this to get user passwords, which could be used to gain access to encrypted partitions.
    last seen: 2020-03-18
    modified: 2012-05-14
    plugin id: 59090
    published: 2012-05-14
    reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/59090
    title: Mac OS X FileVault Plaintext Password Logging
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(59090);
      script_version("1.7");
      script_set_attribute(attribute:"plugin_modification_date", value:"2018/07/14");
    
      script_cve_id("CVE-2012-0652");
      script_bugtraq_id(53402);
    
      script_name(english:"Mac OS X FileVault Plaintext Password Logging");
      script_summary(english:"Checks secure.log files for plaintext passwords");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Mac OS X host logs passwords in plaintext."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "Plaintext passwords were discovered in a system log file.  Mac OS X
    Lion release 10.7.3 enabled a debug logging feature that causes
    plaintext passwords to be logged to /var/log/secure.log on systems
    that use certain FileVault configurations.  A local attacker in the
    admin group or an attacker with physical access to the host could
    exploit this to get user passwords, which could be used to gain access
    to encrypted partitions."
      );
      script_set_attribute(attribute:"see_also",value:"https://discussions.apple.com/thread/3715366");
      script_set_attribute(attribute:"see_also",value:"https://discussions.apple.com/thread/3872437");
      script_set_attribute(attribute:"see_also",value:"http://cryptome.org/2012/05/apple-filevault-hole.htm");
      script_set_attribute(attribute:"see_also",value:"http://support.apple.com/kb/HT5281");
      script_set_attribute(attribute:"see_also",value:"http://support.apple.com/kb/TS4272");
      script_set_attribute(
        attribute:"solution",
        value:
    "Upgrade to Mac OS X 10.7.4 or later and securely remove log files
    that contain plaintext passwords (refer to article TS4272)."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date",value:"2012/02/06");
      script_set_attribute(attribute:"patch_publication_date",value:"2012/05/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/05/14");
    
      script_set_attribute(attribute:"plugin_type",value:"local");
      script_set_attribute(attribute:"cpe",value:"cpe:/o:apple:mac_os_x");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version");
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("ssh_func.inc");
    include("macosx_func.inc");
    include("audit.inc");
    
    
    if(sshlib::get_support_level() >= sshlib::SSH_LIB_SUPPORTS_COMMANDS)
      enable_ssh_wrappers();
    else disable_ssh_wrappers();
    
    get_kb_item_or_exit("Host/local_checks_enabled");
    ver = get_kb_item_or_exit("Host/MacOSX/Version");
    
    match = eregmatch(string:ver, pattern:'([0-9.]+)');
    ver = match[1];
    
    # the vulnerability was introduced in 10.7.3
    if (ver_compare(ver:ver, fix:'10.7.3', strict:FALSE) < 0)
      audit(AUDIT_HOST_NOT, 'Mac OS X >= 10.7.3');
    
    cmd = "/usr/bin/bzgrep ': DEBUGLOG |.*, password[^ ]* =' /var/log/secure.log* 2> /dev/null";
    output = exec_cmd(cmd:cmd);
    if (!strlen(output))
      audit(AUDIT_HOST_NOT, 'affected');
    
    credentials = make_array();
    
    foreach line (split(output, sep:'\n', keep:FALSE))
    {
      # this might be asking for trouble because it's unclear how the logger handles things like passwords with ', '
      # in them. at worst, all that should happen is the last character of the password will be reported incorrectly
      logdata = strstr(line, ' | about to call ');
      fields = split(logdata, sep:', ', keep:FALSE);
      user = NULL;
      pass = NULL;
    
      foreach field (fields)
      {
        usermatch = eregmatch(string:field, pattern:'name = (.+)');
        if (isnull(usermatch))
          usermatch = eregmatch(string:field, pattern:'= /Users/([^/]+)');
        if (!isnull(usermatch))
          user = usermatch[1];
    
        passmatch = eregmatch(string:field, pattern:'password(AsUTF8String)? = (.+)');
        if (!isnull(passmatch))
        {
          pass = passmatch[2];
          pass = pass[0] + '******' + pass[strlen(pass) - 1];
        }
      }
    
      if (!isnull(user) && !isnull(pass))
        credentials[user] = pass;
    }
    
    if (max_index(keys(credentials)) == 0)
      audit(AUDIT_HOST_NOT, 'affected');
    
    report =
      '\nNessus discovered plaintext passwords by running the following command :\n\n' +
      cmd + '\n' +
      '\nThe following usernames and passwords were extracted (note' +
      '\nthat any passwords displayed have been partially obfuscated) :\n';
    
    foreach user (sort(keys(credentials)))
    {
      report +=
        '\n  Username : ' + user +
        '\n  Password : ' + credentials[user] + '\n';
    }
    
    security_note(port:0, extra:report);
    
    
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_10_7_5.NASL
    description: The remote host is running a version of Mac OS X 10.7.x that is prior to 10.7.5. The newer version contains multiple security-related fixes for the following components: Apache, BIND, CoreText, Data Security, ImageIO, Installer, International Components for Unicode, Kernel, Mail, PHP, Profile Manager, QuickLook, QuickTime, Ruby, USB.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 62214
    published: 2012-09-20
    reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/62214
    title: Mac OS X 10.7.x < 10.7.5 Multiple Vulnerabilities (BEAST)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(62214);
      script_version("1.23");
      script_cvs_date("Date: 2018/07/16 12:48:31");
    
      script_cve_id(
        "CVE-2011-3026",
        "CVE-2011-3048",
        "CVE-2011-3368",
        "CVE-2011-3389",
        "CVE-2011-3607",
        "CVE-2011-4313",
        "CVE-2011-4317",
        "CVE-2011-4599",
        "CVE-2012-0021",
        "CVE-2012-0031",
        "CVE-2012-0053",
        "CVE-2012-0643",
        "CVE-2012-0652",
        "CVE-2012-0668",
        "CVE-2012-0670",
        "CVE-2012-0671",
        "CVE-2012-0831",
        "CVE-2012-1172",
        "CVE-2012-1173",
        "CVE-2012-1667",
        "CVE-2012-1823",
        "CVE-2012-2143",
        "CVE-2012-2311",
        "CVE-2012-2386",
        "CVE-2012-2688",
        "CVE-2012-3716",
        "CVE-2012-3719",
        "CVE-2012-3721",
        "CVE-2012-3722",
        "CVE-2012-3723"
      );
      script_bugtraq_id(
        47545,
        49778,
        49957,
        50494,
        50690,
        50802,
        51006,
        51407,
        51705,
        51706,
        51954,
        52049,
        52364,
        52830,
        52891,
        53388,
        53403,
        53445,
        53457,
        53579,
        53582,
        53584,
        53729,
        53772,
        54638,
        56241,
        56244,
        56246,
        56247
      );
      script_xref(name:"CERT", value:"864643");
    
      script_name(english:"Mac OS X 10.7.x < 10.7.5 Multiple Vulnerabilities (BEAST)");
      script_summary(english:"Check the version of Mac OS X.");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote host is missing a Mac OS X update that fixes multiple
    security vulnerabilities."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is running a version of Mac OS X 10.7.x that is prior
    to 10.7.5. The newer version contains multiple security-related fixes
    for the following components :
    
      - Apache
      - BIND
      - CoreText
      - Data Security
      - ImageIO
      - Installer
      - International Components for Unicode
      - Kernel
      - Mail
      - PHP
      - Profile Manager
      - QuickLook
      - QuickTime
      - Ruby
      - USB"
      );
      script_set_attribute(attribute:"see_also", value:"http://seclists.org/bugtraq/2012/Sep/94");
      script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT5501");
      script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html");
      script_set_attribute(attribute:"see_also", value:"https://www.imperialviolet.org/2011/09/23/chromeandbeast.html");
      script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/~bodo/tls-cbc.txt");
      script_set_attribute(attribute:"solution", value:"Upgrade to Mac OS X 10.7.5 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'PHP CGI Argument Injection');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/07/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/09/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/20");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_end_attributes();
     
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");
     
      script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    os = get_kb_item("Host/MacOSX/Version");
    if (!os)
    {
      os = get_kb_item_or_exit("Host/OS");
      if ("Mac OS X" >!< os) audit(AUDIT_OS_NOT, "Mac OS X");
    
      c = get_kb_item("Host/OS/Confidence");
      if (c <= 70) exit(1, "Can't determine the host's OS with sufficient confidence.");
    }
    if (!os) audit(AUDIT_OS_NOT, "Mac OS X");
    
    if (ereg(pattern:"Mac OS X 10\.7($|\.[0-4]([^0-9]|$))", string:os)) security_hole(0);
    else exit(0, "The host is not affected as it is running "+os+".");
    

Seebug

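bulletinFamily: exploit
description: BUGTRAQ ID: 53457. CVE ID: CVE-2012-0652. OS X Lion Server includes a set of applications that can turn any Mac into a powerful server. Mac OS is an operating system that runs on Apple's Macintosh line of computers. Apple Mac OS X has a local security restriction bypass vulnerability in its implementation; an attacker can exploit it to bypass certain security restrictions and obtain sensitive account information. Affected: Apple Mac OS X 10.7.x, Apple MacOS X Server 10.7.x. Vendor patch: Apple. The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page: http://support.apple.com/
id: SSV:60128
last seen: 2017-11-19
modified: 2012-05-15
published: 2012-05-15
reporter: Root
title: Apple Mac OS X Local Security Restriction Bypass Vulnerability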