This is a text-only version of the following page on https://raymii.org:
---
Title : OS X - Applescript to lock date and time preference panel to fix local sudo exploit
Author : Remy van Elst
Date : 02-09-2013
URL : https://raymii.org/s/software/OS-X-Applescript-To-Lock-Date-Time-Settings-Panel-for-Sudo-Exploit.html
Format : Markdown/HTML
---
This applescript locks the OS X Date and Time Preference Panel. It can be run
via Apple Remote Desktop. This is related to [CVE-2013-1775][1], a local sudo
root exploit on OS X. If the date and time preference panel is locked, setting
the date and time also requires a sudo password.
Recently I removed all Google Ads from this site due to their invasive tracking, as well as Google Analytics. Please, if you found this content useful, consider a small donation using any of the options below:
I'm developing an open source monitoring app called Leaf Node Monitoring, for windows, linux & android. Go check it out!
Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.
You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $200 credit for 60 days. Spend $25 after your credit expires and I'll get $25!
To exploit the bug you have to be in an administrative group and you have to
have used sudo before. OS X by default does not require extra authentication to
set the date for administrative users. Limited users are not able to do this.
When a user successfully authenticates with sudo, a time stamp
file is updated to allow that user to continue running sudo
without requiring a password for a preset time period (five
minutes by default). The user's time stamp file can be reset
using "sudo -k" or removed altogether via "sudo -K".
A user who has sudo access and is able to control the local
clock (common in desktop environments) can run a command via
sudo without authenticating as long as they have previously
authenticated themselves at least once by running "sudo -k" and
then setting the clock to the epoch (1970-01-01 01:00:00).
The vulnerability does not permit a user to run commands other
than those allowed by the sudoers policy.
[Source][3]
This script locks the date and time panel. When that is done, OS X requires a
password to change the date and time. It is an applescript, it checks if the
panel is locked or unlocked and if it is unlocked it locks it. It can also be
run via Apple Remote Desktop.
The Applescript:
-- By R. van Elst
-- License: GNU GPL v3
quit application "System Preferences"
quit application "System Preferences"
tell application "System Preferences"
activate
set current pane to pane id "com.apple.preference.datetime"
end tell
tell application "System Events" to set frontmost of process "System Preferences" to true
tell application "System Events"
tell process "System Preferences"
tell window 1
--set titlell to title of button 4
--display dialog titlell
if title of button 4 is "Click the lock to prevent further changes." then
click button 4
end if
end tell
end tell
end tell
quit application "System Preferences"
To run this via Apple Remote Desktop, select a machine and the run a UNIX
command on it. Make sure it runs as the currently logged in console user. Paste
this command in there:
osascript << endofSCRIPT
quit application "System Preferences"
quit application "System Preferences"
tell application "System Preferences"
activate
set current pane to pane id "com.apple.preference.datetime"
end tell
tell application "System Events" to set frontmost of process "System Preferences" to true
tell application "System Events"
tell process "System Preferences"
tell window 1
--set titlell to title of button 4
--display dialog titlell
if title of button 4 is "Click the lock to prevent further changes." then
click button 4
end if
end tell
end tell
end tell
quit application "System Preferences"
endofSCRIPT
This also works when the machine is locked. **[You do need to enable access for
assistive devices. Click this link to see how to do that via the command
line][4]
Another option is to configure sudo to ask for a password every time. Edit
`/etc/sudoers` and add the following:
Defaults timestamp_timeout=0
Thanks to [Miles from TinyApps.org for the tip!][5]
[1]: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1775
[2]: https://www.digitalocean.com/?refcode=7435ae6b8212
[3]: http://seclists.org/oss-sec/2013/q1/489
[4]: https://raymii.org/s/snippets/OS-X-Enable-Access-for-assistive-devices-via-command-line.html
[5]: http://tinyapps.org/
---
License:
All the text on this website is free as in freedom unless stated otherwise.
This means you can use it in any way you want, you can copy it, change it
the way you like and republish it, as long as you release the (modified)
content under the same license to give others the same freedoms you've got
and place my name and a link to this site with the article as source.
This site uses Google Analytics for statistics and Google Adwords for
advertisements. You are tracked and Google knows everything about you.
Use an adblocker like ublock-origin if you don't want it.
All the code on this website is licensed under the GNU GPL v3 license
unless already licensed under a license which does not allows this form
of licensing or if another license is stated on that page / in that software:
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see .
Just to be clear, the information on this website is for meant for educational
purposes and you use it at your own risk. I do not take responsibility if you
screw something up. Use common sense, do not 'rm -rf /' as root for example.
If you have any questions then do not hesitate to contact me.
See https://raymii.org/s/static/About.html for details.