OS X - Applescript to lock date and time preference panel to fix local sudo exploit

02-09-2013 | Remy van Elst


Table of Contents


This applescript locks the OS X Date and Time Preference Panel. It can be run via Apple Remote Desktop. This is related to CVE-2013-1775, a local sudo root exploit on OS X. If the date and time preference panel is locked, setting the date and time also requires a sudo password.

To exploit the bug you have to be in an administrative group and you have to have used sudo before. OS X by default does not require extra authentication to set the date for administrative users. Limited users are not able to do this.

When a user successfully authenticates with sudo, a time stamp
file is updated to allow that user to continue running sudo
without requiring a password for a preset time period (five
minutes by default).  The user's time stamp file can be reset
using "sudo -k" or removed altogether via "sudo -K".

A user who has sudo access and is able to control the local
clock (common in desktop environments) can run a command via
sudo without authenticating as long as they have previously
authenticated themselves at least once by running "sudo -k" and
then setting the clock to the epoch (1970-01-01 01:00:00).

The vulnerability does not permit a user to run commands other
than those allowed by the sudoers policy.

Source

This script locks the date and time panel. When that is done, OS X requires a password to change the date and time. It is an applescript, it checks if the panel is locked or unlocked and if it is unlocked it locks it. It can also be run via Apple Remote Desktop.

The Applescript:

-- By R. van Elst
-- License: GNU GPL v3 
quit application "System Preferences"
quit application "System Preferences"

tell application "System Preferences"
    activate
    set current pane to pane id "com.apple.preference.datetime"
end tell


tell application "System Events" to set frontmost of process "System Preferences" to true
tell application "System Events"
    tell process "System Preferences"
        tell window 1
            --set titlell to title of button 4
            --display dialog titlell
            if title of button 4 is "Click the lock to prevent further changes." then
                click button 4
            end if
        end tell
    end tell
end tell
quit application "System Preferences"

To run this via Apple Remote Desktop, select a machine and the run a UNIX command on it. Make sure it runs as the currently logged in console user. Paste this command in there:

osascript << endofSCRIPT

quit application "System Preferences"
quit application "System Preferences"

tell application "System Preferences"
    activate
    set current pane to pane id "com.apple.preference.datetime"
end tell


tell application "System Events" to set frontmost of process "System Preferences" to true
tell application "System Events"
    tell process "System Preferences"
        tell window 1
            --set titlell to title of button 4
            --display dialog titlell
            if title of button 4 is "Click the lock to prevent further changes." then
                click button 4
            end if
        end tell
    end tell
end tell
quit application "System Preferences"

endofSCRIPT

This also works when the machine is locked. **You do need to enable access for assistive devices. Click this link to see how to do that via the command line

Another option is to configure sudo to ask for a password every time. Edit /etc/sudoers and add the following:

Defaults timestamp_timeout=0 

Thanks to Miles from TinyApps.org for the tip!


Tags: apple, apple-remote-desktop, ard, command-line, exploit, mac, os-x, sudo,