Skip to main content

Raymii.org Raymii.org Logo

Quis custodiet ipsos custodes?
Home | About | All pages | Cluster Status | RSS Feed

OS X - Applescript to lock date and time preference panel to fix local sudo exploit

Published: 02-09-2013 | Author: Remy van Elst | Text only version of this article


❗ This post is over eleven years old. It may no longer be up to date. Opinions may have changed.

This applescript locks the OS X Date and Time Preference Panel. It can be run via Apple Remote Desktop. This is related to CVE-2013-1775, a local sudo root exploit on OS X. If the date and time preference panel is locked, setting the date and time also requires a sudo password.

Recently I removed all Google Ads from this site due to their invasive tracking, as well as Google Analytics. Please, if you found this content useful, consider a small donation using any of the options below:

I'm developing an open source monitoring app called Leaf Node Monitoring, for windows, linux & android. Go check it out!

Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.

You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $200 credit for 60 days. Spend $25 after your credit expires and I'll get $25!

To exploit the bug you have to be in an administrative group and you have to have used sudo before. OS X by default does not require extra authentication to set the date for administrative users. Limited users are not able to do this.

When a user successfully authenticates with sudo, a time stamp
file is updated to allow that user to continue running sudo
without requiring a password for a preset time period (five
minutes by default).  The user's time stamp file can be reset
using "sudo -k" or removed altogether via "sudo -K".

A user who has sudo access and is able to control the local
clock (common in desktop environments) can run a command via
sudo without authenticating as long as they have previously
authenticated themselves at least once by running "sudo -k" and
then setting the clock to the epoch (1970-01-01 01:00:00).

The vulnerability does not permit a user to run commands other
than those allowed by the sudoers policy.

Source

This script locks the date and time panel. When that is done, OS X requires a password to change the date and time. It is an applescript, it checks if the panel is locked or unlocked and if it is unlocked it locks it. It can also be run via Apple Remote Desktop.

The Applescript:

-- By R. van Elst
-- License: GNU GPL v3 
quit application "System Preferences"
quit application "System Preferences"

tell application "System Preferences"
    activate
    set current pane to pane id "com.apple.preference.datetime"
end tell


tell application "System Events" to set frontmost of process "System Preferences" to true
tell application "System Events"
    tell process "System Preferences"
        tell window 1
            --set titlell to title of button 4
            --display dialog titlell
            if title of button 4 is "Click the lock to prevent further changes." then
                click button 4
            end if
        end tell
    end tell
end tell
quit application "System Preferences"

To run this via Apple Remote Desktop, select a machine and the run a UNIX command on it. Make sure it runs as the currently logged in console user. Paste this command in there:

osascript << endofSCRIPT

quit application "System Preferences"
quit application "System Preferences"

tell application "System Preferences"
    activate
    set current pane to pane id "com.apple.preference.datetime"
end tell


tell application "System Events" to set frontmost of process "System Preferences" to true
tell application "System Events"
    tell process "System Preferences"
        tell window 1
            --set titlell to title of button 4
            --display dialog titlell
            if title of button 4 is "Click the lock to prevent further changes." then
                click button 4
            end if
        end tell
    end tell
end tell
quit application "System Preferences"

endofSCRIPT

This also works when the machine is locked. **You do need to enable access for assistive devices. Click this link to see how to do that via the command line

Another option is to configure sudo to ask for a password every time. Edit /etc/sudoers and add the following:

Defaults timestamp_timeout=0 

Thanks to Miles from TinyApps.org for the tip!

Tags: apple , apple-remote-desktop , ard , command-line , exploit , mac , os-x , software , sudo