This is a text-only version of the following page on https://raymii.org:
---
Title       : 	OS X - Applescript to lock date and time preference panel to fix local sudo exploit
Author      : 	Remy van Elst
Date        : 	02-09-2013
URL         : 	https://raymii.org/s/software/OS-X-Applescript-To-Lock-Date-Time-Settings-Panel-for-Sudo-Exploit.html
Format      : 	Markdown/HTML
---



This applescript locks the OS X Date and Time Preference Panel. It can be run
via Apple Remote Desktop. This is related to [CVE-2013-1775][1], a local sudo
root exploit on OS X. If the date and time preference panel is locked, setting
the date and time also requires a sudo password.

<p class="ad"> <b>Recently I removed all Google Ads from this site due to their invasive tracking, as well as Google Analytics. Please, if you found this content useful, consider a small donation using any of the options below:</b><br><br> <a href="https://leafnode.nl">I'm developing an open source monitoring app called  Leaf Node Monitoring, for windows, linux & android. Go check it out!</a><br><br> <a href="https://github.com/sponsors/RaymiiOrg/">Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.</a><br><br> <a href="https://www.digitalocean.com/?refcode=7435ae6b8212">You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $100 credit for 60 days. </a><br><br> </p>


To exploit the bug you have to be in an administrative group and you have to
have used sudo before. OS X by default does not require extra authentication to
set the date for administrative users. Limited users are not able to do this.

    
    
    When a user successfully authenticates with sudo, a time stamp
    file is updated to allow that user to continue running sudo
    without requiring a password for a preset time period (five
    minutes by default).  The user's time stamp file can be reset
    using "sudo -k" or removed altogether via "sudo -K".
    
    A user who has sudo access and is able to control the local
    clock (common in desktop environments) can run a command via
    sudo without authenticating as long as they have previously
    authenticated themselves at least once by running "sudo -k" and
    then setting the clock to the epoch (1970-01-01 01:00:00).
    
    The vulnerability does not permit a user to run commands other
    than those allowed by the sudoers policy.
    

[Source][3]

This script locks the date and time panel. When that is done, OS X requires a
password to change the date and time. It is an applescript, it checks if the
panel is locked or unlocked and if it is unlocked it locks it. It can also be
run via Apple Remote Desktop.

The Applescript:

    
    
    -- By R. van Elst
    -- License: GNU GPL v3 
    quit application "System Preferences"
    quit application "System Preferences"
    
    tell application "System Preferences"
        activate
        set current pane to pane id "com.apple.preference.datetime"
    end tell
    
    
    tell application "System Events" to set frontmost of process "System Preferences" to true
    tell application "System Events"
        tell process "System Preferences"
            tell window 1
                --set titlell to title of button 4
                --display dialog titlell
                if title of button 4 is "Click the lock to prevent further changes." then
                    click button 4
                end if
            end tell
        end tell
    end tell
    quit application "System Preferences"
    

To run this via Apple Remote Desktop, select a machine and the run a UNIX
command on it. Make sure it runs as the currently logged in console user. Paste
this command in there:

    
    
    osascript << endofSCRIPT
    
    quit application "System Preferences"
    quit application "System Preferences"
    
    tell application "System Preferences"
        activate
        set current pane to pane id "com.apple.preference.datetime"
    end tell
    
    
    tell application "System Events" to set frontmost of process "System Preferences" to true
    tell application "System Events"
        tell process "System Preferences"
            tell window 1
                --set titlell to title of button 4
                --display dialog titlell
                if title of button 4 is "Click the lock to prevent further changes." then
                    click button 4
                end if
            end tell
        end tell
    end tell
    quit application "System Preferences"
    
    endofSCRIPT
    

This also works when the machine is locked. **[You do need to enable access for
assistive devices. Click this link to see how to do that via the command
line][4]

Another option is to configure sudo to ask for a password every time. Edit
`/etc/sudoers` and add the following:

    
    
    Defaults timestamp_timeout=0 
    

Thanks to [Miles from TinyApps.org for the tip!][5]

   [1]: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1775
   [2]: https://www.digitalocean.com/?refcode=7435ae6b8212
   [3]: http://seclists.org/oss-sec/2013/q1/489
   [4]: https://raymii.org/s/snippets/OS-X-Enable-Access-for-assistive-devices-via-command-line.html
   [5]: http://tinyapps.org/

---

License:
All the text on this website is free as in freedom unless stated otherwise. 
This means you can use it in any way you want, you can copy it, change it 
the way you like and republish it, as long as you release the (modified) 
content under the same license to give others the same freedoms you've got 
and place my name and a link to this site with the article as source.

This site uses Google Analytics for statistics and Google Adwords for 
advertisements. You are tracked and Google knows everything about you. 
Use an adblocker like ublock-origin if you don't want it.

All the code on this website is licensed under the GNU GPL v3 license 
unless already licensed under a license which does not allows this form 
of licensing or if another license is stated on that page / in that software:

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.

Just to be clear, the information on this website is for meant for educational 
purposes and you use it at your own risk. I do not take responsibility if you 
screw something up. Use common sense, do not 'rm -rf /' as root for example. 
If you have any questions then do not hesitate to contact me.

See https://raymii.org/s/static/About.html for details.