
SQL Update Statement to Address CVE-2024-27301

It appears that this vulnerability may exist everywhere the shebang #!/bin/zsh is being used sans --no-rcs

Author’s Note: Speed trumps quality for this post and — as always — its price is at least worth what you paid.

Background

While the description for CVE-2024-27301 accurately references Jordy Witteman’s macOS Support App, the vulnerability appears to exist everywhere the shebang #!/bin/zsh is being used sans --no-rcs.

Support App is an open-source application specialized in managing Apple devices.

It’s possible to abuse a vulnerability inside the postinstall installer script to make the installer execute arbitrary code as root.

The cause of the vulnerability is the fact that the shebang #!/bin/zsh is being used.

When the installer is executed it asks for the user’s password to be executed as root. However, it’ll still be using the $HOME of the user and therefore loading the file $HOME/.zshenv when the postinstall script is executed.

An attacker [— or your co-worker whose account is a Standard User —] could add malicious code to $HOME/.zshenv and it will be executed when the app is installed.

An attacker [— or your co-worker who isn’t an admin —] may leverage this vulnerability to escalate privilege on the system.

This issue has been addressed in version [2.5.2]. All users are advised to upgrade.

There are no known workarounds for this vulnerability.

SQL Update Statement

(Please ensure you have a known-working database backup before proceeding.)

Scripts

The following SQL UPDATE statement will find-and-replace #!/bin/zsh with #!/bin/zsh --no-rcs in scripts you’ve manually added to Jamf Pro. Because REPLACE rewrites every occurrence of /bin/zsh in a script, not just the shebang line, a final step reverts the change inside any LaunchDaemon plists embedded in those scripts.

/*
Find scripts which include the shebang #!/bin/zsh
*/

SELECT script_id,file_name,LEFT(script_contents, 20)
FROM scripts
WHERE script_contents LIKE '%/bin/zsh%';

/*
Carefully review results to confirm '--no-rcs' has NOT already been added to '#!/bin/zsh'
*/

/*
Replace '/bin/zsh' with '/bin/zsh --no-rcs' (DON'T EXECUTE MORE THAN ONCE!)
*/

UPDATE scripts
SET
script_contents = REPLACE(script_contents,
'/bin/zsh',
'/bin/zsh --no-rcs')
WHERE script_contents LIKE '%/bin/zsh%';

/*
Double-check your work
*/

SELECT script_id,file_name,LEFT(script_contents, 20)
FROM scripts
WHERE script_contents LIKE '%/bin/zsh%';

/*
Correct any LaunchDaemons: the REPLACE above also rewrote '/bin/zsh' inside
<string> elements of plists embedded in scripts, where '--no-rcs' does not belong
*/

SELECT script_id,file_name,LEFT(script_contents, 20)
FROM scripts
WHERE script_contents LIKE '%<string>/bin/zsh --no-rcs</string>%';

UPDATE scripts
SET
script_contents = REPLACE(script_contents,
'<string>/bin/zsh --no-rcs</string>',
'<string>/bin/zsh</string>')
WHERE script_contents LIKE '%<string>/bin/zsh --no-rcs</string>%';

Extension Attributes

The following SQL UPDATE statement will find-and-replace #!/bin/zsh with #!/bin/zsh --no-rcs in Extension Attributes you’ve manually added to Jamf Pro.

/*
Find Extension Attributes which include the shebang #!/bin/zsh
*/

SELECT extension_attribute_id,display_name,LEFT(script_contents_mac, 20)
FROM extension_attributes
WHERE script_contents_mac LIKE '%/bin/zsh%';

/*
Carefully review results to confirm '--no-rcs' has NOT already been added to '#!/bin/zsh'
*/

/*
Replace '/bin/zsh' with '/bin/zsh --no-rcs' (DON'T EXECUTE MORE THAN ONCE!)
*/

UPDATE extension_attributes
SET
script_contents_mac = REPLACE(script_contents_mac,
'/bin/zsh',
'/bin/zsh --no-rcs')
WHERE script_contents_mac LIKE '%/bin/zsh%';

/*
Double-check your work
*/

SELECT extension_attribute_id,display_name,LEFT(script_contents_mac, 20)
FROM extension_attributes
WHERE script_contents_mac LIKE '%/bin/zsh%';
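The REPLACE statements in the Scripts and Extension Attributes sections above rewrite every '/bin/zsh' in a row and must not be run twice. As an added example that is not from the original post, the statements below do the same job for both tables but only touch a first line that reads exactly #!/bin/zsh, so they can be re-run safely and leave embedded LaunchDaemon plists alone. They assume Jamf Pro’s MySQL back end with the table and column names used above, and that backslash escapes are enabled (the MySQL default) so that '\n' and '\r' mean newline and carriage return; everything else is constructed for illustration.

```sql
/*
Added example (not from the original post): shebang-only, re-runnable variant.
Assumes MySQL and the Jamf Pro columns scripts.script_contents and
extension_attributes.script_contents_mac named in the post.
*/

-- 1. Preview: rows whose FIRST line is exactly the bare zsh shebang.
--    TRIM(TRAILING '\r' ...) handles scripts saved with CRLF line endings.
SELECT script_id,
       file_name,
       SUBSTRING_INDEX(script_contents, '\n', 1) AS first_line
FROM scripts
WHERE TRIM(TRAILING '\r' FROM SUBSTRING_INDEX(script_contents, '\n', 1)) = '#!/bin/zsh';

-- 2. Rewrite only those first 10 characters ('#!/bin/zsh'), keeping the rest
--    of the script byte-for-byte. Safe to re-run: once the first line reads
--    '#!/bin/zsh --no-rcs' the WHERE clause no longer matches the row.
UPDATE scripts
SET script_contents = CONCAT('#!/bin/zsh --no-rcs',
                             SUBSTRING(script_contents, LENGTH('#!/bin/zsh') + 1))
WHERE TRIM(TRAILING '\r' FROM SUBSTRING_INDEX(script_contents, '\n', 1)) = '#!/bin/zsh';

-- 3. Verify: anything that still starts with a zsh shebang lacking --no-rcs
--    is a leftover for manual review, e.g. a first line of '#!/bin/zsh -x'
--    that the exact comparison in step 2 deliberately skipped.
SELECT script_id,
       file_name,
       SUBSTRING_INDEX(script_contents, '\n', 1) AS first_line
FROM scripts
WHERE script_contents LIKE '#!/bin/zsh%'
  AND script_contents NOT LIKE '#!/bin/zsh --no-rcs%';

-- 4. Same pattern for Extension Attributes.
UPDATE extension_attributes
SET script_contents_mac = CONCAT('#!/bin/zsh --no-rcs',
                                 SUBSTRING(script_contents_mac, LENGTH('#!/bin/zsh') + 1))
WHERE TRIM(TRAILING '\r' FROM SUBSTRING_INDEX(script_contents_mac, '\n', 1)) = '#!/bin/zsh';

SELECT extension_attribute_id,
       display_name,
       SUBSTRING_INDEX(script_contents_mac, '\n', 1) AS first_line
FROM extension_attributes
WHERE script_contents_mac LIKE '#!/bin/zsh%'
  AND script_contents_mac NOT LIKE '#!/bin/zsh --no-rcs%';
```

Because only the first line changes, the LaunchDaemon clean-up step above is not needed with this variant, and the verification queries return an empty result set when nothing is left to fix rather than the same rows as the preview. Rows whose shebang already carries another flag are intentionally left for a human to decide how to combine it with --no-rcs.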

Upgrade?

The description for CVE-2024-27301 includes the statement:

All users are advised to upgrade.

However, since the issue is specific to the post-install script, which only runs at install time, upgrading existing installations to 2.5.2 won’t remediate anything on its own.

In my humble opinion, a more accurate recommendation would be written as:

MacAdmins deploying Support.app are advised to begin deploying version 2.5.2 immediately.

Fear Mongering?

While my “[— or your co-worker who isn’t an admin —]” and “[— or your co-worker whose account is a Standard User —]” may end up being classified as fear mongering, caution is recommended while additional testing is conducted.
