Source: https://code.google.com/p/google-security-research/issues/detail?id=478
The Install.framework runner suid root binary does not correctly account for the fact that Distributed Objects can be connected to by multiple clients at the same time.

By connecting two proxy objects to an IFInstallRunner and calling [IFInstallRunner makeReceiptDirAt:asRoot:] in the first and passing a custom object as the directory name we can get a callback to our code just after the makeReceiptDirAt code has called seteuid(0);setguid(0) to regain privs. Since BSD privileges are per-process this means that our other proxy object will now have euid 0 without having to provide an authorization reference.

In this second proxy we can then just call runTaskSecurely and get a root shell before returning from the first proxy's callback function, which will then drop privs.

Build using the provided makefile and run passing the full path to the localhost shell.

Proof of Concept:

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38136.zip
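The ordering flaw described above, modelled as an added C example that is not the Install.framework code or the proof of concept: a constructed `process_euid` stands in for the real per-process credential, and the client-supplied directory name is a callback, because evaluating a Distributed Objects proxy calls back into the client and lets another connection's request run first. The hypothetical `make_receipt_dir_*` functions show the vulnerable ordering beside a hardened one that resolves and validates client input before elevating.

```c
#include <stddef.h>

/* Constructed model of a per-process credential: every request the server
   handles, on any thread or reentrant run-loop turn, reads the same value. */
static int process_euid = 501;
static void sim_seteuid(int uid) { process_euid = uid; }

/* Client-controlled "directory name": evaluating it calls back into client
   code, which can service a second connection's request before returning. */
typedef const char *(*dir_name_fn)(void);

/* What the second connection's request observes as the process euid. */
static int observed_euid_in_second_request = -1;

/* Constructed client object: records the euid at callback time, then
   returns an ordinary-looking path so the caller proceeds normally. */
static const char *evil_dir_name(void) {
    observed_euid_in_second_request = process_euid;
    return "/tmp/receipt";
}

/* Vulnerable ordering: elevate first, then evaluate the client object.
   The callback, and any request it services, runs with euid 0. */
static int make_receipt_dir_vulnerable(dir_name_fn name) {
    observed_euid_in_second_request = -1;
    sim_seteuid(0);
    const char *path = name();        /* callback runs at euid 0 */
    (void)path;                       /* privileged mkdir would go here */
    sim_seteuid(501);
    return observed_euid_in_second_request;
}

/* Hardened ordering: reduce client input to a plain, validated value before
   elevating, and call no client code inside the elevated window. */
static int make_receipt_dir_fixed(dir_name_fn name) {
    observed_euid_in_second_request = -1;
    const char *path = name();        /* callback runs at euid 501 */
    if (path == NULL || path[0] != '/')
        return -1;                    /* reject before touching privileges */
    sim_seteuid(0);
    (void)path;                       /* privileged mkdir on the copied path */
    sim_seteuid(501);
    return observed_euid_in_second_request;
}
```

The same rule applies to the other entry point: an operation such as a "run task" request should be gated on an explicit authorization check, not on whatever the process euid happens to be when it is serviced.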