Sunday, 28 January 2007

Apple crashdump Privilege Escalation Vulnerability

Vendor: Apple
Application: Mac OS X
Disclosed: 28-01-07
Description: crashreporterd is the daemon responsible for detecting application crashes. It listens for Mach exceptions and, when it detects one, launches crashdump to investigate the crash and report it to the user. crashdump is a helper tool used by the crashreporterd daemon to create crash reports and notify the user of application crashes.
crashdump first tries to write reports in the user's home directory
(/Users/[user]/Library/Logs/CrashReporter/); if that is not available (e.g. permissions do not allow it), it falls back to the system-wide log directory (/Library/Logs/CrashReporter/).
The problem is that it follows symlinks, and users in the admin group have write access to that directory. Because crashreporterd runs with root privileges, any file can be modified by planting a symlink in /Library/Logs/CrashReporter/ named after the application that will trigger the crash dump. The contents of the report can be influenced by tampering with the Mach-O file: the provided proof of concept demonstrates this with crafted library names embedded in the binary that triggers the issue.
Exploitation of this issue allows admin-group users (unlike MOAB-22-01-2007, which is exploitable by any user) to gain root privileges without any user interaction.
Exploit: The exploit uses a Mach-O binary with a crontab string injected into its __LINKEDIT segment to trigger the issue and demonstrate how arbitrary code can be executed with root privileges via crashdump.
The data we are modifying within the Mach-O binary is the __LINKEDIT segment, described in the Mac OS X ABI Mach-O File Format Reference as follows:
The __LINKEDIT segment contains raw data used by the dynamic linker, such as symbol, string, and relocation table entries.
In the sample binary file (starting at offset 0x320):

    38 00 00 00 5F 5F 4C 49 4E 4B 45 44 49 54 00 00  \
    00 00 00 00 00 40 00 00 00 10 00 00 00 30 00 00   |---> __LINKEDIT
    20 04 00 00 03 00 00 00 01 00 00 00 00 00 00 00  /
    04 00 00 00 0E 00 00 00 1C 00 00 00 0C 00 00 00
    2F 75 73 72 2F 6C 69 62 2F 64 79 6C 64 00 00 00
    0C 00 00 00 34 00 00 00 18 00 00 00 68 B7 9B 45
    04 03 58 00 00 00 01 00 0A 0A 2A 20 2A 20 2A 20  \
    2A 20 2A 20 2F 55 73 65 72 73 2F 53 68 61 72 65   |---> injected crontab
    64 2F 72 30 30 74 0A 00 18 00 00 00 00 30 00 00  /
vuln (Modified Mach-o binary)
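As an added defender-side illustration (not part of the original advisory or its PoC binary), the following Python walks the load commands of a 32-bit Mach-O image and flags LC_LOAD_DYLINKER / LC_LOAD_DYLIB names that cannot be filesystem paths, such as the newline-prefixed crontab line in the dump above. The sample image is constructed inline and modelled on that dump; `build_sample`, `suspicious_paths` and the other names are this example's own.

```python
import struct

MH_MAGIC = 0xFEEDFACE                      # 32-bit Mach-O (Intel, little-endian)
LC_SEGMENT, LC_LOAD_DYLIB, LC_LOAD_DYLINKER = 0x01, 0x0C, 0x0E
PATH_COMMANDS = {LC_LOAD_DYLINKER: 12, LC_LOAD_DYLIB: 24}   # cmd -> fixed header size
CRONTAB_NAME = b"\n\n* * * * * /Users/Shared/r00t\n"        # string injected in the PoC

def load_commands(data):
    """Yield (cmd, body) for each load command of a 32-bit little-endian Mach-O."""
    magic, _cpu, _sub, _ft, ncmds, sizeofcmds, _fl = struct.unpack_from("<7I", data, 0)
    if magic != MH_MAGIC:
        raise ValueError("not a 32-bit little-endian Mach-O")
    off = 28                                # sizeof(struct mach_header)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > 28 + sizeofcmds:
            raise ValueError("load command overruns the header area")
        yield cmd, data[off:off + cmdsize]
        off += cmdsize

def lc_str(body):
    """Resolve the lc_str at body[8:12] (offset from command start) to its text."""
    (offset,) = struct.unpack_from("<I", body, 8)
    return body[offset:].split(b"\0", 1)[0].decode("latin-1")

def suspicious_paths(data):
    """Dylinker/dylib names crashdump would echo into a report but that are not real paths."""
    bad = []
    for cmd, body in load_commands(data):
        if cmd in PATH_COMMANDS:
            name = lc_str(body)
            if not name.startswith("/") or any(ord(c) < 0x20 for c in name):
                bad.append(name)
    return bad

def _segment(name, vmaddr, vmsize, fileoff, filesize):   # constructed segment_command
    return struct.pack("<II16sIIIIIIII", LC_SEGMENT, 56, name,
                       vmaddr, vmsize, fileoff, filesize, 3, 1, 0, 4)

def _path_command(cmd, path):               # constructed dylinker/dylib command
    hdr = PATH_COMMANDS[cmd]
    s = path + b"\0" * (1 + -(len(path) + 1) % 4)      # NUL + pad to 4-byte alignment
    return struct.pack("<III", cmd, hdr + len(s), hdr) + b"\0" * (hdr - 12) + s

def build_sample(dylib=CRONTAB_NAME):
    """Minimal constructed image: __LINKEDIT segment, /usr/lib/dyld, one dylib."""
    cmds = [_segment(b"__LINKEDIT", 0x4000, 0x1000, 0x3000, 0x420),
            _path_command(LC_LOAD_DYLINKER, b"/usr/lib/dyld"),
            _path_command(LC_LOAD_DYLIB, dylib)]
    blob = b"".join(cmds)
    return struct.pack("<7I", MH_MAGIC, 7, 3, 2, len(cmds), len(blob), 0) + blob
```

Running `suspicious_paths(build_sample())` returns only the crafted name, while a build with a normal library path returns an empty list.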