Details of VAR-200806-0321

ID

VAR-200806-0321

CVE

CVE-2008-2830

TITLE

Apple Mac OS X of ARDAgent Elevation of privilege vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2008-001596

DESCRIPTION

Open Scripting Architecture in Apple Mac OS X 10.4.11 and 10.5.4, and some other 10.4 and 10.5 versions, does not properly restrict the loading of scripting addition plugins, which allows local users to gain privileges via scripting addition commands to a privileged application, as originally demonstrated by an osascript tell command to ARDAgent. Successful exploits allow local attackers to execute arbitrary code with superuser privileges, completely compromising the affected computer. This issue is confirmed to affect Mac OS X 10.5 versions; earlier versions may also be vulnerable. A local attacker can invoke Mac OS X's ARDAgent via AppleScript (such as osascript). This vulnerability is currently being actively exploited by a Trojan named AppleScript.THT. Once the user is tricked into installing a malicious file with a Trojan horse, the Trojan horse will open file sharing, Web sharing, and remote login. The default file name of the Trojan is AStht_06.app, and the installation location is /Library/Caches. The problem is that "ARDAgent", which is owned by "root" and has the setuid bit set, can be invoked to execute shell commands via AppleScript (e.g. through "osascript"). This can be exploited to execute arbitrary commands with root privileges. SOLUTION: Grant only trusted users access to affected systems. PROVIDED AND/OR DISCOVERED BY: Reported in the Macshadows.com forums and via Slashdot. ORIGINAL ADVISORY: http://www.macshadows.com/forums/index.php?showtopic=8640 http://it.slashdot.org/article.pl?sid=08/06/18/1919224 ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.16

sources: NVD: CVE-2008-2830 // JVNDB: JVNDB-2008-001596 // BID: 29831 // VULHUB: VHN-32955 // VULMON: CVE-2008-2830 // PACKETSTORM: 67630

AFFECTED PRODUCTS

vendor:	apple	model:	mac os x	scope:	eq	version:	10.5	Trust: 1.6
vendor:	apple	model:	mac os x	scope:	eq	version:	10.4	Trust: 1.6
vendor:	apple	model:	remote desktop	scope:	eq	version:	3.2.1	Trust: 1.1
vendor:	apple	model:	mac os x	scope:	eq	version:	v10.3 to v10.5.5	Trust: 0.8
vendor:	apple	model:	mac os x	scope:	eq	version:	v10.4.11	Trust: 0.8
vendor:	apple	model:	mac os x	scope:	eq	version:	v10.5.4	Trust: 0.8
vendor:	apple	model:	mac os x server	scope:	eq	version:	v10.3 to v10.5.5	Trust: 0.8
vendor:	apple	model:	mac os x server	scope:	eq	version:	v10.4.11	Trust: 0.8
vendor:	apple	model:	mac os x server	scope:	eq	version:	v10.5.4	Trust: 0.8
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5.4	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5.3	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5.2	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5.1	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.4.11	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.4.10	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.4.9	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.4.8	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.4.7	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.4.6	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.4.5	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.4.4	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.4.3	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.4.2	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.4.1	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.4	Trust: 0.3
vendor:	apple	model:	mac os server	scope:	eq	version:	x10.5	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.5.4	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.5.3	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.5.2	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.5.1	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.4.11	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.4.10	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.4.9	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.4.8	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.4.7	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.4.6	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.4.5	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.4.4	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.4.3	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.4.2	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.4.1	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.4	Trust: 0.3
vendor:	apple	model:	mac os	scope:	eq	version:	x10.5	Trust: 0.3
vendor:	apple	model:	remote desktop	scope:	ne	version:	3.2.2	Trust: 0.3

sources: BID: 29831 // JVNDB: JVNDB-2008-001596 // CNNVD: CNNVD-200806-319 // NVD: CVE-2008-2830

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2008-2830
value:	HIGH
Trust: 1.0
NVD:	CVE-2008-2830
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-200806-319
value:	HIGH
Trust: 0.6
VULHUB:	VHN-32955
value:	HIGH
Trust: 0.1
VULMON:	CVE-2008-2830
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2008-2830
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-32955
severity:	HIGH
baseScore:	7.2
vectorString:	AV:L/AC:L/AU:N/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	3.9
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-32955 // VULMON: CVE-2008-2830 // JVNDB: JVNDB-2008-001596 // CNNVD: CNNVD-200806-319 // NVD: CVE-2008-2830

PROBLEMTYPE DATA

problemtype:

CWE-264

Trust: 1.9

sources: VULHUB: VHN-32955 // JVNDB: JVNDB-2008-001596 // NVD: CVE-2008-2830

THREAT TYPE

local

Trust: 1.0

sources: BID: 29831 // PACKETSTORM: 67630 // CNNVD: CNNVD-200806-319

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-200806-319

CONFIGURATIONS

sources: JVNDB: JVNDB-2008-001596

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-32955 // VULMON: CVE-2008-2830

PATCH

title:	Apple Remote Desktop 3.2.2	url:	http://support.apple.com/kb/HT3145	Trust: 0.8
title:	Security Update 2008-005	url:	http://support.apple.com/kb/HT2647	Trust: 0.8
title:	Security Update 2008-005	url:	http://support.apple.com/kb/HT2647?viewlocale=ja_JP	Trust: 0.8
title:	Apple Remote Desktop 3.2.2	url:	http://support.apple.com/kb/HT3145?viewlocale=ja_JP&locale=ja_JP	Trust: 0.8
title:	rootOS	url:	https://github.com/TH3-HUNT3R/Root-MacOS	Trust: 0.1
title:	rootOS	url:	https://github.com/ruxzy1/rootOS	Trust: 0.1
title:	rootOS	url:	https://github.com/thehappydinoa/rootOS	Trust: 0.1

sources: VULMON: CVE-2008-2830 // JVNDB: JVNDB-2008-001596

EXTERNAL IDS

db:	NVD	id:	CVE-2008-2830	Trust: 2.9
db:	BID	id:	29831	Trust: 2.9
db:	SECUNIA	id:	30776	Trust: 1.9
db:	SECTRACK	id:	1020345	Trust: 1.8
db:	VUPEN	id:	ADV-2008-1905	Trust: 1.8
db:	JVNDB	id:	JVNDB-2008-001596	Trust: 0.8
db:	APPLE	id:	APPLE-SA-2008-09-16	Trust: 0.6
db:	APPLE	id:	APPLE-SA-2008-07-31	Trust: 0.6
db:	XF	id:	43294	Trust: 0.6
db:	CNNVD	id:	CNNVD-200806-319	Trust: 0.6
db:	EXPLOIT-DB	id:	31940	Trust: 0.2
db:	VULHUB	id:	VHN-32955	Trust: 0.1
db:	VULMON	id:	CVE-2008-2830	Trust: 0.1
db:	PACKETSTORM	id:	67630	Trust: 0.1

sources: VULHUB: VHN-32955 // VULMON: CVE-2008-2830 // BID: 29831 // JVNDB: JVNDB-2008-001596 // PACKETSTORM: 67630 // CNNVD: CNNVD-200806-319 // NVD: CVE-2008-2830

REFERENCES

url:	http://www.securityfocus.com/bid/29831	Trust: 2.6
url:	http://it.slashdot.org/it/08/06/18/1919224.shtml	Trust: 2.1
url:	http://lists.apple.com/archives/security-announce//2008/jul/msg00003.html	Trust: 1.8
url:	http://lists.apple.com/archives/security-announce//2008//sep/msg00006.html	Trust: 1.8
url:	http://www.securitytracker.com/id?1020345	Trust: 1.8
url:	http://secunia.com/advisories/30776	Trust: 1.8
url:	http://www.vupen.com/english/advisories/2008/1905/references	Trust: 1.2
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/43294	Trust: 1.2
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-2830	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-2830	Trust: 0.8
url:	http://xforce.iss.net/xforce/xfdb/43294	Trust: 0.6
url:	http://www.frsirt.com/english/advisories/2008/1905/references	Trust: 0.6
url:	http://www.securemac.com/applescript-tht-trojan-horse.php	Trust: 0.3
url:	http://software.cisco.com/download/navigator.html?mdfid=283613663	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/264.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	http://tools.cisco.com/security/center/viewalert.x?alertid=16117	Trust: 0.1
url:	https://www.exploit-db.com/exploits/31940/	Trust: 0.1
url:	https://github.com/th3-hunt3r/root-macos	Trust: 0.1
url:	http://secunia.com/secunia_security_advisories/	Trust: 0.1
url:	http://secunia.com/about_secunia_advisories/	Trust: 0.1
url:	http://secunia.com/advisories/30776/	Trust: 0.1
url:	http://secunia.com/product/96/	Trust: 0.1
url:	http://secunia.com/hardcore_disassembler_and_reverse_engineer/	Trust: 0.1
url:	http://www.macshadows.com/forums/index.php?showtopic=8640	Trust: 0.1
url:	http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org	Trust: 0.1
url:	http://secunia.com/secunia_security_specialist/	Trust: 0.1
url:	http://corporate.secunia.com/about_secunia/64/	Trust: 0.1
url:	http://it.slashdot.org/article.pl?sid=08/06/18/1919224	Trust: 0.1

sources: VULHUB: VHN-32955 // VULMON: CVE-2008-2830 // BID: 29831 // JVNDB: JVNDB-2008-001596 // PACKETSTORM: 67630 // CNNVD: CNNVD-200806-319 // NVD: CVE-2008-2830

CREDITS

http://slashdot.org/

Trust: 0.6

sources: CNNVD: CNNVD-200806-319

SOURCES

db:	VULHUB	id:	VHN-32955
db:	VULMON	id:	CVE-2008-2830
db:	BID	id:	29831
db:	JVNDB	id:	JVNDB-2008-001596
db:	PACKETSTORM	id:	67630
db:	CNNVD	id:	CNNVD-200806-319
db:	NVD	id:	CVE-2008-2830

LAST UPDATE DATE

2025-04-10T21:36:40.533000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-32955	date:	2017-08-08T00:00:00
db:	VULMON	id:	CVE-2008-2830	date:	2017-08-08T00:00:00
db:	BID	id:	29831	date:	2008-09-16T22:40:00
db:	JVNDB	id:	JVNDB-2008-001596	date:	2008-10-01T00:00:00
db:	CNNVD	id:	CNNVD-200806-319	date:	2008-11-19T00:00:00
db:	NVD	id:	CVE-2008-2830	date:	2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-32955	date:	2008-06-23T00:00:00
db:	VULMON	id:	CVE-2008-2830	date:	2008-06-23T00:00:00
db:	BID	id:	29831	date:	2008-06-19T00:00:00
db:	JVNDB	id:	JVNDB-2008-001596	date:	2008-09-03T00:00:00
db:	PACKETSTORM	id:	67630	date:	2008-06-24T01:16:55
db:	CNNVD	id:	CNNVD-200806-319	date:	2008-06-23T00:00:00
db:	NVD	id:	CVE-2008-2830	date:	2008-06-23T20:41:00