Vulnerabilities > CVE-2019-8513 - OS Command Injection vulnerability in Apple mac OS X
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
This issue was addressed with improved checks. This issue is fixed in macOS Mojave 10.14.4. A local user may be able to execute arbitrary shell commands.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Command Line Execution through SQL Injection An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
- Command Delimiters An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or a blacklist input validation, as opposed to whitelist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or blacklist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
- Exploiting Multiple Input Interpretation Layers An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
- Argument Injection An attacker changes the behavior or state of a targeted application through injecting data or command syntax through the targets use of non-validated and non-filtered arguments of exposed services or methods.
- OS Command Injection In this type of an attack, an adversary injects operating system commands into existing application functions. An application that uses untrusted input to build command strings is vulnerable. An adversary can leverage OS command injection in an application to elevate privileges, execute arbitrary commands and compromise the underlying operating system.
Exploit-Db
id | EDB-ID:47070 |
last seen | 2019-07-02 |
modified | 2019-07-02 |
published | 2019-07-02 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/47070 |
title | Mac OS X TimeMachine - 'tmdiagnose' Command Injection Privilege Escalation (Metasploit) |
Metasploit
description | This module exploits a command injection in TimeMachine on macOS <= 10.14.3 in order to run a payload as root. The tmdiagnose binary on OSX <= 10.14.3 suffers from a command injection vulnerability that can be exploited by creating a specially crafted disk label. The tmdiagnose binary uses awk to list every mounted volume, and composes shell commands based on the volume labels. By creating a volume label with the backtick character, we can have our own binary executed with root priviledges. |
id | MSF:EXPLOIT/OSX/LOCAL/TIMEMACHINE_CMD_INJECTION |
last seen | 2020-06-12 |
modified | 2019-04-26 |
published | 2019-04-14 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/osx/local/timemachine_cmd_injection.rb |
title | Mac OS X TimeMachine (tmdiagnose) Command Injection Privilege Escalation |
Nessus
NASL family MacOS X Local Security Checks NASL id MACOS_10_14_4.NASL description The remote host is running a version of macOS / Mac OS X that is 10.14.x prior to 10.14.4. It is, therefore, affected by multiple vulnerabilities, including: - Mounting a maliciously crafted NFS network share may lead to arbitrary code execution with system privileges. (CVE-2019-8508) - An application may be able to execute arbitrary code with kernel privileges. (CVE-2019-8529) - A malicious application may be able to execute arbitrary code with system privileges (CVE-2019-8549) last seen 2020-06-01 modified 2020-06-02 plugin id 123128 published 2019-03-27 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123128 title macOS 10.14.x < 10.14.4 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(123128); script_version("1.7"); script_cvs_date("Date: 2020/01/31"); script_cve_id( "CVE-2018-12015", "CVE-2018-18311", "CVE-2018-18313", "CVE-2019-6207", "CVE-2019-6237", "CVE-2019-6239", "CVE-2019-7293", "CVE-2019-8502", "CVE-2019-8504", "CVE-2019-8507", "CVE-2019-8508", "CVE-2019-8510", "CVE-2019-8511", "CVE-2019-8513", "CVE-2019-8514", "CVE-2019-8516", "CVE-2019-8517", "CVE-2019-8519", "CVE-2019-8520", "CVE-2019-8521", "CVE-2019-8522", "CVE-2019-8526", "CVE-2019-8527", "CVE-2019-8529", "CVE-2019-8530", "CVE-2019-8533", "CVE-2019-8537", "CVE-2019-8540", "CVE-2019-8542", "CVE-2019-8545", "CVE-2019-8546", "CVE-2019-8549", "CVE-2019-8550", "CVE-2019-8552", "CVE-2019-8555", "CVE-2019-8561", "CVE-2019-8565" ); script_bugtraq_id(104423, 106072, 106145); script_xref(name:"APPLE-SA", value:"APPLE-SA-2019-3-25-2"); script_name(english:"macOS 10.14.x < 10.14.4 Multiple Vulnerabilities"); script_summary(english:"Checks the version of Mac OS X / macOS."); script_set_attribute(attribute:"synopsis", value: "The remote host is missing a macOS update that fixes multiple security vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote host is running a version of macOS / Mac OS X that is 10.14.x prior to 10.14.4. It is, therefore, affected by multiple vulnerabilities, including: - Mounting a maliciously crafted NFS network share may lead to arbitrary code execution with system privileges. (CVE-2019-8508) - An application may be able to execute arbitrary code with kernel privileges. (CVE-2019-8529) - A malicious application may be able to execute arbitrary code with system privileges (CVE-2019-8549)"); script_set_attribute(attribute:"see_also", value:"https://support.apple.com/en-us/HT209600"); # https://lists.apple.com/archives/security-announce/2019/Mar/msg00001.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?71533e9d"); script_set_attribute(attribute:"solution", value: "Upgrade to macOS version 10.14.4 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-8527"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Mac OS X Feedback Assistant Race Condition'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/03/25"); script_set_attribute(attribute:"patch_publication_date", value:"2019/03/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/27"); script_set_attribute(attribute:"plugin_type", value:"combined"); script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x"); script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:macos"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"MacOS X Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl", "os_fingerprint.nasl"); script_require_ports("Host/MacOSX/Version", "Host/OS"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); fix = "10.14.4"; minver = "10.14"; os = get_kb_item("Host/MacOSX/Version"); if (!os) { os = get_kb_item_or_exit("Host/OS"); if ("Mac OS X" >!< os) audit(AUDIT_OS_NOT, "macOS / Mac OS X"); c = get_kb_item("Host/OS/Confidence"); if (c <= 70) exit(1, "Can't determine the host's OS with sufficient confidence."); } if (!os) audit(AUDIT_OS_NOT, "macOS / Mac OS X"); matches = pregmatch(pattern:"Mac OS X ([0-9]+(\.[0-9]+)+)", string:os); if (empty_or_null(matches)) exit(1, "Failed to parse the macOS / Mac OS X version ('" + os + "')."); version = matches[1]; if (ver_compare(ver:version, minver:minver, fix:fix, strict:FALSE) == -1) { security_report_v4( port:0, severity:SECURITY_HOLE, extra: '\n Installed version : ' + version + '\n Fixed version : ' + fix + '\n' ); } else audit(AUDIT_INST_VER_NOT_VULN, "macOS / Mac OS X", version);
NASL family MacOS X Local Security Checks NASL id MACOS_SECUPD_10_13_6_2019-002.NASL description The remote host is running macOS 10.13.6 and is missing a security update. It is therefore, affected by multiple vulnerabilities including: - An application may be able to execute arbitrary code with kernel privileges. (CVE-2019-8529) - A local user may be able to read kernel memory. (CVE-2019-8504) - A malicious application may be able to determine kernel memory layout. (CVE-2019-6207, CVE-2019-8510) - 802.1X - DiskArbitration - Feedback Assistant - IOKit - IOKit SCSI - Kernel - PackageKit - Perl - Security - Time Machine - Wi-Fi last seen 2020-03-18 modified 2019-03-27 plugin id 123130 published 2019-03-27 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123130 title macOS 10.13.6 Multiple Vulnerabilities (Security Update 2019-002) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(123130); script_version("1.9"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/13"); script_cve_id( "CVE-2018-12015", "CVE-2018-18311", "CVE-2018-18313", "CVE-2019-6207", "CVE-2019-8504", "CVE-2019-8510", "CVE-2019-8513", "CVE-2019-8520", "CVE-2019-8521", "CVE-2019-8522", "CVE-2019-8526", "CVE-2019-8527", "CVE-2019-8529", "CVE-2019-8555", "CVE-2019-8561", "CVE-2019-8564" ); script_bugtraq_id(104423, 106072, 106145); script_xref(name:"APPLE-SA", value:"APPLE-SA-2019-3-25-2"); script_name(english:"macOS 10.13.6 Multiple Vulnerabilities (Security Update 2019-002)"); script_summary(english:"Checks for the presence of Security Update 2019-002 (APPLE-SA-2019-3-25-2)"); script_set_attribute(attribute:"synopsis", value: "The remote host is missing a macOS security update that fixes multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote host is running macOS 10.13.6 and is missing a security update. It is therefore, affected by multiple vulnerabilities including: - An application may be able to execute arbitrary code with kernel privileges. (CVE-2019-8529) - A local user may be able to read kernel memory. (CVE-2019-8504) - A malicious application may be able to determine kernel memory layout. (CVE-2019-6207, CVE-2019-8510) - 802.1X - DiskArbitration - Feedback Assistant - IOKit - IOKit SCSI - Kernel - PackageKit - Perl - Security - Time Machine - Wi-Fi"); script_set_attribute(attribute:"see_also", value:"https://support.apple.com/en-us/HT209600"); script_set_attribute(attribute:"see_also", value:"https://support.apple.com/en-us/HT209635"); # https://lists.apple.com/archives/security-announce/2019/Mar/msg00001.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?71533e9d"); script_set_attribute(attribute:"solution", value: "Install Security Update 2019-002 or later for 10.13.6."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-8527"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Mac OS X TimeMachine (tmdiagnose) Command Injection Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/03/25"); script_set_attribute(attribute:"patch_publication_date", value:"2019/03/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/27"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x"); script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:macos"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"MacOS X Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version", "Host/MacOSX/packages/boms"); exit(0); } include('lists.inc'); include('vcf.inc'); include('vcf_extras_apple.inc'); app_info = vcf::apple::macos::get_app_info(); constraints = [ { 'min_version' : '10.13', 'max_version' : '10.13.6', 'fixed_build': '17G6029', 'fixed_display' : '10.13.6 Security Update 2019-002' } ]; vcf::apple::macos::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
NASL family MacOS X Local Security Checks NASL id MACOS_SECUPD_10_12_6_2019-002.NASL description The remote host is running Mac OS X 10.12.6 and is missing a security update. It is therefore, affected by multiple vulnerabilities including: - A malicious application may be able to execute arbitrary code with kernel privileges. (CVE-2019-8555) - A malicious application may be able to determine kernel memory layout. (CVE-2019-6207, CVE-2019-8510) - A malicious application may be able to read restricted memory. (CVE-2019-8520) - 802.1X - DiskArbitration - Feedback Assistant - IOKit - IOKit SCSI - Kernel - PackageKit - Perl - Security - Time Machine - Wi-Fi last seen 2020-06-01 modified 2020-06-02 plugin id 123129 published 2019-03-27 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123129 title macOS and Mac OS X Multiple Vulnerabilities (Security Update 2019-002) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(123129); script_version("1.8"); script_cvs_date("Date: 2020/01/31"); script_cve_id( "CVE-2018-12015", "CVE-2018-18311", "CVE-2018-18313", "CVE-2019-6207", "CVE-2019-8508", "CVE-2019-8510", "CVE-2019-8513", "CVE-2019-8520", "CVE-2019-8521", "CVE-2019-8522", "CVE-2019-8526", "CVE-2019-8527", "CVE-2019-8530", "CVE-2019-8540", "CVE-2019-8555", "CVE-2019-8561", "CVE-2019-8564" ); script_bugtraq_id(104423, 106072, 106145); script_xref(name:"APPLE-SA", value:"APPLE-SA-2019-3-25-2"); script_name(english:"macOS and Mac OS X Multiple Vulnerabilities (Security Update 2019-002)"); script_summary(english:"Checks for the presence of Security Update 2019-002."); script_set_attribute(attribute:"synopsis", value: "The remote host is missing a macOS or Mac OS X security update that fixes multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote host is running Mac OS X 10.12.6 and is missing a security update. It is therefore, affected by multiple vulnerabilities including: - A malicious application may be able to execute arbitrary code with kernel privileges. (CVE-2019-8555) - A malicious application may be able to determine kernel memory layout. (CVE-2019-6207, CVE-2019-8510) - A malicious application may be able to read restricted memory. (CVE-2019-8520) - 802.1X - DiskArbitration - Feedback Assistant - IOKit - IOKit SCSI - Kernel - PackageKit - Perl - Security - Time Machine - Wi-Fi"); script_set_attribute(attribute:"see_also", value:"https://support.apple.com/en-us/HT209600"); script_set_attribute(attribute:"see_also", value:"https://support.apple.com/en-us/HT209635"); # https://lists.apple.com/archives/security-announce/2019/Mar/msg00001.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?71533e9d"); script_set_attribute(attribute:"solution", value: "Install Security Update 2019-002 or later for 10.12.x."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-8527"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Mac OS X TimeMachine (tmdiagnose) Command Injection Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/03/25"); script_set_attribute(attribute:"patch_publication_date", value:"2019/03/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/27"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x"); script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:macos"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"MacOS X Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version", "Host/MacOSX/packages/boms"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); # Compare 2 patch numbers to determine if patch requirements are satisfied. # Return true if this patch or a later patch is applied # Return false otherwise function check_patch(year, number) { local_var p_split = split(patch, sep:"-"); local_var p_year = int( p_split[0]); local_var p_num = int( p_split[1]); if (year > p_year) return TRUE; else if (year < p_year) return FALSE; else if (number >= p_num) return TRUE; else return FALSE; } get_kb_item_or_exit("Host/local_checks_enabled"); os = get_kb_item_or_exit("Host/MacOSX/Version"); if (!preg(pattern:"Mac OS X 10\.12\.6([^0-9]|$)", string:os)) audit(AUDIT_OS_NOT, "Mac OS X 10.12.6"); patch = "2019-002"; packages = get_kb_item_or_exit("Host/MacOSX/packages/boms", exit_code:1); sec_boms_report = pgrep( pattern:"^com\.apple\.pkg\.update\.(security\.|os\.SecUpd).*bom$", string:packages ); sec_boms = split(sec_boms_report, sep:'\n'); foreach package (sec_boms) { # Grab patch year and number matches = pregmatch(pattern:"[^0-9](20[0-9][0-9])[-.]([0-9]{3})[^0-9]", string:package); if (empty_or_null(matches)) continue; if (empty_or_null(matches[1]) || empty_or_null(matches[2])) continue; patch_found = check_patch(year:int(matches[1]), number:int(matches[2])); if (patch_found) exit(0, "The host has Security Update " + patch + " or later installed and is therefore not affected."); } report = '\n Missing security update : ' + patch; report += '\n Installed security BOMs : '; if (sec_boms_report) report += str_replace(find:'\n', replace:'\n ', string:sec_boms_report); else report += 'n/a'; report += '\n'; security_report_v4(port:0, severity:SECURITY_HOLE, extra:report);
Packetstorm
data source | https://packetstormsecurity.com/files/download/153488/timemachine_cmd_injection.rb.txt |
id | PACKETSTORM:153488 |
last seen | 2019-07-03 |
published | 2019-07-01 |
reporter | timwr |
source | https://packetstormsecurity.com/files/153488/Mac-OS-X-TimeMachine-tmdiagnose-Command-Injection-Privilege-Escalation.html |
title | Mac OS X TimeMachine (tmdiagnose) Command Injection Privilege Escalation |