exploit-db-mirror/exploits/osx/local/38137.txt

Source: https://code.google.com/p/google-security-research/issues/detail?id=477

Install.framework has a suid root binary here: /System/Library/PrivateFrameworks/Install.framework/Resources/runner
  This binary vends the IFInstallRunner Distributed Object, which has the following method:

  [IFInstallRunner makeReceiptDirAt:asRoot:]

  If you pass 1 for asRoot, then this code will treat the makeReceiptDirAt string as a path and make two directories
  (Library/Receipts) below it. At first glance this code looks immediately racy and no doubt we could play some
  symlink tricks to get arbitrary directories created, but, on second glance, we can do a lot more!

  This code is using distributed objects which is a "transparent" IPC mechanism: what this means in practise is that
  not only can I call methods on the IFInstallRunner object running in the suid root process, but I can also pass it objects
  from my process; when the suid root process then tries to call methods on those object this will actually result in callbacks
  into my process :)

  In this case rather than just passing an NSString as the makeReceiptDirAt parameter I create and pass an instance of my own class
  "InitialPathObject" which behaves a bit like a string but gives me complete control over its behaviour from my process.

  By creating a couple of this custom classes and implementing various methods we can reach calls to mkdir, chown and unlink with euid == 0.
  We can completely control the string passed to mkdir and unlink.
  In the chown case the code will chown our controlled path to root:admin; regular os x users are members of the admin group which means that this
  will give the user access to files which previously belonged to a different group.

  To hit the three actions (mkdir, chown and unlink) with controlled arguments we need to override various
  combinations of selectors and fail at the right points:

  InitialPathObject = the object we pass to the makeReceiptDirAt selector
    overrides: - stringByAppendingPathComponent
                 * will be called twice:
                    * first time:  return an NSString* pointing to a non-existant file
                    * second time: return SecondFakeStringObject

  SecondFakeStringObject = returned by the second call to stringByAppendingPathComponent
    overrides: - length
                 * will be called by the NSFileManager?
                 * return length of path to non-existant file
               - getCharacters:
                 * will be called by the NSFileManager?
                 * return character of the non-existant file path
               - fileSystemRepresentation
                 * for MKDIR:
                   * first time: return char* of the target path
                   * second time: return char* to non-existant file
                   * third time: return char* to non-existant file
                 * for CHOWN:
                   * first time: return char* of temporary directory to create and ignore
                   * second time: return char* of target path
                 * for UNLINK:
                   * first time: return char* of temporary directory to create and ignore
                   * second time: return char* to non-existant file
                   * third time: return char* to path to unlink
               - stringByAppendingPathComponent:
                 * for MKDIR:
                   * not called
                 * for CHOWN:
                   * return NSString* pointing to file which does exist // to bail out before creating /Receipts
                 * for UNLINK
                   * not called

  build: clang -o as_root_okay_then_poc as_root_okay_then_poc.m -framework Foundation
  run: ./as_root_okay_then_poc MKDIR|CHOWN|UNLINK <target>

  note that this will create some root-owned temporary directories in /tmp which will need to be manually cleaned up

Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/38137.zip