c35d9b35f7
14 changes to exploits/shellcodes macOS < 10.12.2 / iOS < 10.2 Kernel - ipc_port_t Reference Count Leak Due to Incorrect externalMethod Overrides Use-After-Free macOS 10.12.1 / iOS < 10.2 - powerd Arbitrary Port Replacement macOS 10.12.1 / iOS < 10.2 - syslogd Arbitrary Port Replacement Apple macOS < 10.12.2 / iOS < 10.2 Kernel - ipc_port_t Reference Count Leak Due to Incorrect externalMethod Overrides Use-After-Free Apple macOS 10.12.1 / iOS < 10.2 - powerd Arbitrary Port Replacement Apple macOS 10.12.1 / iOS < 10.2 - syslogd Arbitrary Port Replacement macOS 10.12.1 / iOS 10.2 - Kernel Userspace Pointer Memory Corruption macOS 10.12.1 / iOS Kernel - 'IOService::matchPassive' Use-After-Free macOS 10.12.1 / iOS Kernel - 'host_self_trap' Use-After-Free Apple macOS 10.12.1 / iOS 10.2 - Kernel Userspace Pointer Memory Corruption Apple macOS 10.12.1 / iOS Kernel - 'IOService::matchPassive' Use-After-Free Apple macOS 10.12.1 / iOS Kernel - 'host_self_trap' Use-After-Free Wireshark 2.4.0 - 2.4.2 / 2.2.0 - 2.2.10 - CIP Safety Dissector Crash Linux Kernel - DCCP Socket Use-After-Free Wireshark 2.4.0 < 2.4.2 / 2.2.0 < 2.2.10 - CIP Safety Dissector Crash Linux Kernel 4.10.5 / < 4.14.3 (Ubuntu) - DCCP Socket Use-After-Free iOS 10.1.1 / macOS 10.12 16A323 XNU Kernel - set_dp_control_port Lack of Locking Use-After-Free Apple iOS 10.1.1 / macOS 10.12 16A323 XNU Kernel - set_dp_control_port Lack of Locking Use-After-Free macOS < 10.12.2 / iOS < 10.2 - Broken Kernel Mach Port Name uref Handling Privileged Port Name Replacement Privilege Escalation Apple macOS < 10.12.2 / iOS < 10.2 - Broken Kernel Mach Port Name uref Handling Privileged Port Name Replacement Privilege Escalation iOS/macOS - xpc_data Objects Sandbox Escape Privelege Escalation Apple iOS/macOS - 'xpc_data' Objects Sandbox Escape Privilege Escalation macOS High Sierra - Local Privilege Escalation (Metasploit) Apple macOS 10.13.1 (High Sierra) - 'Blank Root' Local Privilege Escalation (Metasploit) Apple macOS 10.13.1 (High Sierra) - Insecure Cron System Local Privilege Escalation Apple macOS 10.13.1 (High Sierra) - 'Blank Root' Local Privilege Escalation LabF nfsAxe FTP Client 3.7 - Buffer Overflow (DEP Bypass) DomainSale PHP Script 1.0 - 'id' SQL Injection Simple Chatting System 1.0.0 - Arbitrary File Upload Website Auction Marketplace 2.0.5 - 'cat_id' SQL Injection Realestate Crowdfunding Script 2.7.2 - 'pid' SQL Injection FS Thumbtack Clone 1.0 - 'cat' / 'sc' SQL Injection FS Stackoverflow Clone 1.0 - 'keywords' SQL Injection FS Shutterstock Clone 1.0 - 'keywords' SQL Injection FS Quibids Clone 1.0 - SQL Injection FS Olx Clone 1.0 - 'scat' / 'pid' SQL Injection FS Monster Clone 1.0 - 'Employer_Details.php?id' SQL Injection
1.4 KiB
1.4 KiB
Source: https://twitter.com/lemiorhan/status/935578694541770752 & https://forums.developer.apple.com/thread/79235
"Dear @AppleSupport, we noticed a HUGE security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?"
Proof: https://twitter.com/patrickwardle/status/935608904377077761
Mitigation/Detection/Forensic: https://news.ycombinator.com/item?id=15800676
- Can be mitigated by enabling the root user with a strong password
- Can be detected with
osqueryusingSELECT * FROM plist WHERE path = "/private/var/db/dslocal/nodes/Default/users/root.plist" AND key = "passwd" AND length(value) > 1;"; - You can see what time the root account was enabled using
SELECT * FROM plist WHERE path = "/private/var/db/dslocal/nodes/Default/users/root.plist" WHERE key = "accountPolicyData";then base 64 decoding that into a file and then runningplutil -convert xml1and looking at thepasswordLastSetTimefield. Note: osquery needs to be running withsudobut if you have it deployed across a fleet of macs as a daemon then it will be running withsudoanyway. Note: You can get the same info with plutil(1):$ sudo plutil -p /private/var/db/dslocal/nodes/Default/users/root.plist