lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 06 Dec 2017 08:32:48 +0000
From: "Mark Wadham" <>
Subject: [FD] macOS High Sierra 10.13.1 insecure cron system

Recently I was working on an security issue in some other software that 
has yet
to be disclosed which created a rather interesting condition. As a 
user I was able to write to any file on the system that was not 
but the resulting file would not be root-owned, even if it previously 

This presented an interesting challenge for privilege escalation - how 
would you
exploit this to obtain root access? The obvious first attempt was the 
file but sudo is smart enough not to process it if the file isn't 
root-owned so
that didn't work.

I then discovered (after a tip from a friend - thanks pndc!) that the 
system in macOS does not care who the crontab files are owned by. 
Getting root
was a simple case of creating a crontab file at:


with a 60-second cron line, eg:

* * * * * chown root:wheel /tmp/payload && chmod 4755 /tmp/payload

and then waiting for it to execute. It's not clear if this is a 
issue or a hangover from the BSD-inherited cron system, I suspect the 

The issue has been reported to Apple so hopefully they will fix it.


Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists