Vulnerability:

T1169 refers to a technique on Linux devices where an attacker can gain root access by removing the requirement for an admin password when using sudo.

Mitigation:

The sudoers file should be configured to always require a password, which renders the line [user1 ALL=(ALL) NOPASSWD: ALL] used to create this vulnerability useless.

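As an added example (not from the original write-up), the following POSIX shell script audits sudoers text for the NOPASSWD tag described above and emits the corrected text with the tag removed; the sample sudoers content is constructed, and the host paths /etc/sudoers and /etc/sudoers.d/* are the standard locations.

```shell
#!/bin/sh
# Added example, not part of the original write-up: audit sudoers text for the
# NOPASSWD tag carried by a line such as [user1 ALL=(ALL) NOPASSWD: ALL] and
# produce the corrected text with the tag removed. Assumes POSIX sh with grep
# and sed -E. On a live host the input would come from /etc/sudoers and
# /etc/sudoers.d/*; corrected content must be applied through visudo, which
# syntax-checks the file before installing it.

# Constructed sample: a legitimate root entry, an admin-group entry, a
# commented-out NOPASSWD line (must not be flagged) and the live NOPASSWD grant.
SAMPLE_SUDOERS='# User privilege specification
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
# user1 ALL=(ALL) NOPASSWD: ALL   (commented out, harmless)
user1 ALL=(ALL) NOPASSWD: ALL
user2 ALL=(ALL) ALL'

# Strip comments, then print every remaining line carrying a NOPASSWD tag.
# Reads sudoers text on stdin; exit status 0 if any grant was found, 1 if none.
list_nopasswd() {
    sed 's/[[:space:]]*#.*$//' | grep -E '(^|[[:space:],])NOPASSWD:'
}

# Emit the same text with the NOPASSWD tag removed from non-comment lines,
# so every listed command requires the invoking user's password again.
fix_nopasswd() {
    sed -E '/^[[:space:]]*#/!s/(^|[[:space:],])NOPASSWD:[[:space:]]*/\1/g'
}

# Report for the sample; on a real host replace the printf with
#   cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null
if printf '%s\n' "$SAMPLE_SUDOERS" | list_nopasswd; then
    echo "== passwordless sudo grants found (listed above); corrected sudoers:"
    printf '%s\n' "$SAMPLE_SUDOERS" | fix_nopasswd
else
    echo "== no NOPASSWD grants"
fi
```

On a live host, `sudo -l` for each account is a quick cross-check, since it shows any NOPASSWD tag the effective policy grants that user.
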
Description and Implementation:

This vulnerability was leveraged by the OSX.Dok malware, detected in early 2017. The malware was delivered as a zipped file attached to phishing emails. When unzipped, the file spoofed a preview icon in macOS, baiting users into launching it.

Once launched, the program runs as "AppStore" and locks the user into a full-screen page prompting them to "Update your OS X". Upon clicking the "update all" button, the user is prompted for credentials. These credentials are then used to disable the password requirement for sudo, after which the malware begins installing the other programs it needs to pull data from the machine. It also installs a certificate that lets it impersonate any website it wishes, creating even more potential for the user to damage the security of their machine.

Removal:

Removal is relatively easy. There are two 'LaunchAgent' files that need to be deleted. The certificate (COMODO RSA Extended Validation Secure Server CA 2), if it was added, should also be removed. The difficult part is cleaning up the changes the malware may have made to the configuration of the device.