This is a text-only version of the following page on https://raymii.org: --- Title : OS X - Applescript to lock date and time preference panel to fix local sudo exploit Author : Remy van Elst Date : 02-09-2013 URL : https://raymii.org/s/software/OS-X-Applescript-To-Lock-Date-Time-Settings-Panel-for-Sudo-Exploit.html Format : Markdown/HTML --- This applescript locks the OS X Date and Time Preference Panel. It can be run via Apple Remote Desktop. This is related to [CVE-2013-1775][1], a local sudo root exploit on OS X. If the date and time preference panel is locked, setting the date and time also requires a sudo password.

Recently I removed all Google Ads from this site due to their invasive tracking, as well as Google Analytics. Please, if you found this content useful, consider a small donation using any of the options below:

I'm developing an open source monitoring app called Leaf Node Monitoring, for windows, linux & android. Go check it out!

Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.

You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $200 credit for 60 days. Spend $25 after your credit expires and I'll get $25!

To exploit the bug you have to be in an administrative group and you have to have used sudo before. OS X by default does not require extra authentication to set the date for administrative users. Limited users are not able to do this. When a user successfully authenticates with sudo, a time stamp file is updated to allow that user to continue running sudo without requiring a password for a preset time period (five minutes by default). The user's time stamp file can be reset using "sudo -k" or removed altogether via "sudo -K". A user who has sudo access and is able to control the local clock (common in desktop environments) can run a command via sudo without authenticating as long as they have previously authenticated themselves at least once by running "sudo -k" and then setting the clock to the epoch (1970-01-01 01:00:00). The vulnerability does not permit a user to run commands other than those allowed by the sudoers policy. [Source][3] This script locks the date and time panel. When that is done, OS X requires a password to change the date and time. It is an applescript, it checks if the panel is locked or unlocked and if it is unlocked it locks it. It can also be run via Apple Remote Desktop. The Applescript: -- By R. van Elst -- License: GNU GPL v3 quit application "System Preferences" quit application "System Preferences" tell application "System Preferences" activate set current pane to pane id "com.apple.preference.datetime" end tell tell application "System Events" to set frontmost of process "System Preferences" to true tell application "System Events" tell process "System Preferences" tell window 1 --set titlell to title of button 4 --display dialog titlell if title of button 4 is "Click the lock to prevent further changes." then click button 4 end if end tell end tell end tell quit application "System Preferences" To run this via Apple Remote Desktop, select a machine and the run a UNIX command on it. Make sure it runs as the currently logged in console user. Paste this command in there: osascript << endofSCRIPT quit application "System Preferences" quit application "System Preferences" tell application "System Preferences" activate set current pane to pane id "com.apple.preference.datetime" end tell tell application "System Events" to set frontmost of process "System Preferences" to true tell application "System Events" tell process "System Preferences" tell window 1 --set titlell to title of button 4 --display dialog titlell if title of button 4 is "Click the lock to prevent further changes." then click button 4 end if end tell end tell end tell quit application "System Preferences" endofSCRIPT This also works when the machine is locked. **[You do need to enable access for assistive devices. Click this link to see how to do that via the command line][4] Another option is to configure sudo to ask for a password every time. Edit `/etc/sudoers` and add the following: Defaults timestamp_timeout=0 Thanks to [Miles from TinyApps.org for the tip!][5] [1]: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1775 [2]: https://www.digitalocean.com/?refcode=7435ae6b8212 [3]: http://seclists.org/oss-sec/2013/q1/489 [4]: https://raymii.org/s/snippets/OS-X-Enable-Access-for-assistive-devices-via-command-line.html [5]: http://tinyapps.org/ --- License: All the text on this website is free as in freedom unless stated otherwise. This means you can use it in any way you want, you can copy it, change it the way you like and republish it, as long as you release the (modified) content under the same license to give others the same freedoms you've got and place my name and a link to this site with the article as source. This site uses Google Analytics for statistics and Google Adwords for advertisements. You are tracked and Google knows everything about you. Use an adblocker like ublock-origin if you don't want it. All the code on this website is licensed under the GNU GPL v3 license unless already licensed under a license which does not allows this form of licensing or if another license is stated on that page / in that software: This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . Just to be clear, the information on this website is for meant for educational purposes and you use it at your own risk. I do not take responsibility if you screw something up. Use common sense, do not 'rm -rf /' as root for example. If you have any questions then do not hesitate to contact me. See https://raymii.org/s/static/About.html for details.