Rixstep

SLIPOC – Root Exploit of Mac OS X

The system login items proof of concept. It can't get more obvious than this.


For those who didn't get it - or didn't want to bother: there's now a complete POC kit available for the root escalation exploit for the 'system login items' design flaw in Apple's OS X.

This flaw affects 10.4 Tiger, 10.5 Leopard, and 10.6 Snow Leopard - and is said to also work on 10.3 Panther. It's been around a while - at least since April 2005, and if Panther is also affected, since October 2003. That's at least three and possibly as many as five years - or more. To quote MacShadows: 'the better half of a decade'.

The people at MacShadows have attempted to highlight this design flaw for some time - but to no avail.


The Flaw

The flaw is that processes running on an admin account can in fact perform tasks as root without being required to authenticate, thereby completely circumventing the system security model.

The 'SLIPOC' proof of concept is not a hack - it does not corrupt running code, take advantage of buffer overflows, anything of the sort. It simply exploits a design flaw in Apple's OS X - a 'chink in the armour'.

[Image: SLIPOC - exploiting a design flaw in Apple. The image linked to the download of the 'SLIPOC' proof of concept exploit (~225 KB).]

The Proof of Concept

The 'SLIPOC' proof of concept could do all sorts of nasty things - but settles for simply proving escalation to root can be achieved without authentication.

Files from protected areas of the system not normally accessible are copied to a neutral location, their ownership changed from root, and their permissions changed so they can be read by all.

Three Apps in One

The 'SLIPOC' package contains the complete source code to all three applications involved in this exploit. As the user you need only launch the one - SLIDemo.app pictured above.

All three applications can be built from the source code provided.

  • SLIDemo.app. Pictured above. Click 'Install SLIHack' to prepare the exploit.
  • SLIHack.app. Installed by SLIDemo.app. Runs immediately before your next login.
  • Greetings.app. Also installed by SLIDemo.app. Reminds you after your login that you have a few things to check.

In addition SLIDemo.app will create the file com.apple.systemloginitems.plist in the directory /Library/Preferences and modify your local login items list to include Greetings.app.

Nothing at all happens if you close SLIDemo.app without opting to install.

Cleanup

After logging back in you can see the results of the exploit at the path /Users/Shared. The applications Greetings.app and SLIHack.app will be there as before but you'll also find the 'hidden' directory .SLIHack. In this directory you'll find proof of the concept: files from protected areas of your system that are only accessible by root.

At no time will the exploit prompt you for a password - that's the whole point. Escalation to root is possible without authentication.

When you've seen what you came to see in /Users/Shared simply remove the directories .SLIHack, Greetings.app, and SLIHack.app. Then edit the file com.apple.systemloginitems.plist to remove the reference to SLIHack.app and modify your login items in System Preferences to remove the reference to Greetings.app.

No Fix

There is likely no fix for this design flaw at the moment. The reason is it's not a programming error but a design flaw. Processes run as root (or even root in single user mode) can be controlled from processes running on an admin account.

Attempting to lock /Library/Preferences down may also fail, as applications using this directory may break in that case.

The only real and satisfactory solution is to move preferences pertaining to root processes to a protected area such as /System/Library/Preferences.
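A defender's audit of the condition described above, as an added example that is not part of the original article or the SLIPOC kit: it reports whether the preferences directory, the system login items plist, or any item the plist references can be modified without being root. The key layout of the plist is not shown on this page, so the script assumes only that referenced items appear as absolute-path strings somewhere in the file; the function names are hypothetical.

```python
import os
import plistlib
import stat

# File named in the article; its entries are run as root before login.
PLIST_NAME = "com.apple.systemloginitems.plist"


def write_risks(path):
    """Return the reasons an account other than root could modify `path`."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        # A missing target can be planted if its parent is writable.
        return ["missing"]
    risks = []
    if st.st_uid != 0:
        risks.append("owner-not-root")
    if st.st_mode & stat.S_IWGRP:
        risks.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        risks.append("world-writable")
    return risks


def referenced_paths(node):
    """Collect every absolute-path string anywhere in a parsed plist
    (assumption: items are stored as absolute paths; keys are not assumed)."""
    if isinstance(node, str):
        return [node] if node.startswith("/") else []
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, (list, tuple)):
        return [p for child in node for p in referenced_paths(child)]
    return []


def audit(prefs_dir="/Library/Preferences"):
    """Report who can plant or edit the system login items list."""
    report = {"dir_risks": write_risks(prefs_dir), "plist_present": False,
              "plist_risks": [], "items": {}}
    plist = os.path.join(prefs_dir, PLIST_NAME)
    if not os.path.exists(plist):
        return report
    report["plist_present"] = True
    report["plist_risks"] = write_risks(plist)
    with open(plist, "rb") as fh:
        data = plistlib.load(fh)  # handles XML and binary plists
    for item in referenced_paths(data):
        report["items"][item] = write_risks(item)
    return report
```

Calling `audit()` with no argument inspects /Library/Preferences. A non-empty `dir_risks` means the plist can be created or replaced without root even when `plist_present` is false, which is the state the article describes.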

Tracker Report

SLIPOC was tested on 10.5.4 Leopard with Tracker logging all changes in the file system from root on down. A partial listing is given below.

 Start: Thu Jul 17 02:37:59 2008
  Stop: Thu Jul 17 02:39:15 2008
Target: ~/Downloads/SLIPOC/SLIDemo.app
 Paths: /

Changed
-------
/Library/Preferences/com.apple.systemloginitems.plist
/Users/Shared/Greetings.app
/Users/Shared/Greetings.app/Contents
/Users/Shared/Greetings.app/Contents/Info.plist
/Users/Shared/Greetings.app/Contents/MacOS
/Users/Shared/Greetings.app/Contents/MacOS/Greetings
/Users/Shared/Greetings.app/Contents/Resources
/Users/Shared/Greetings.app/Contents/Resources/Greetings.icns
/Users/Shared/Greetings.app/Contents/Resources/Greetings.nib
/Users/Shared/Greetings.app/Contents/Resources/Greetings.nib/objects.nib
/Users/Shared/SLIHack.app
/Users/Shared/SLIHack.app/Contents
/Users/Shared/SLIHack.app/Contents/Info.plist
/Users/Shared/SLIHack.app/Contents/MacOS
/Users/Shared/SLIHack.app/Contents/MacOS/SLIHack
/Users/Shared/SLIHack.app/Contents/Resources
/Users/Shared/SLIHack.app/Contents/Resources/SLIHack.nib
/Users/Shared/SLIHack.app/Contents/Resources/SLIHack.nib/objects.nib

Modified
--------
/dev/null
/Library/Caches
/Library/Preferences
/Library/Preferences/.GlobalPreferences.plist
/Library/Preferences/com.apple.BezelServices.plist
/Library/Preferences/com.apple.loginwindow.plist
/private/var/log/secure.log
/private/var/log/system.log
/private/var/log/windowserver.log
/private/var/run/utmpx
/Users/Shared
/Users/Shared/.SLIHack
/Users/Shared/.SLIHack/root
/Users/Shared/.SLIHack/root/.CFUserTextEncoding
/Users/Shared/.SLIHack/root/.forward
/Users/Shared/.SLIHack/root/Library
/Users/Shared/.SLIHack/root/Library/Autosave Information
/Users/Shared/.SLIHack/root/Library/Caches
/Users/Shared/.SLIHack/root/Library/Caches/com.apple.preferencepanes.cache
/Users/Shared/.SLIHack/root/Library/Caches/com.apple.preferencepanes.searchindexcache
/Users/Shared/.SLIHack/root/Library/Caches/com.apple.SetupAssistant
/Users/Shared/.SLIHack/root/Library/Caches/com.apple.SetupAssistant/Cache.db
/Users/Shared/.SLIHack/root/Library/Cookies
/Users/Shared/.SLIHack/root/Library/Cookies/Cookies.plist
/Users/Shared/.SLIHack/root/Library/Preferences
/Users/Shared/.SLIHack/root/Library/Preferences/.GlobalPreferences.plist
/Users/Shared/.SLIHack/root/Library/Preferences/ByHost
/Users/Shared/.SLIHack/root/Library/Preferences/ByHost/com.apple.Bluetooth.UnknownHostID.plist
/Users/Shared/.SLIHack/root/Library/Preferences/com.apple.HIToolbox.plist
/Users/Shared/.SLIHack/root/Library/Preferences/com.apple.print.PrintingPrefs.plist
/Users/Shared/.SLIHack/root/Library/Preferences/com.apple.quicktime.plugin.preferences.plist
/Users/Shared/.SLIHack/root/Library/Preferences/com.apple.recentitems.plist
/Users/Shared/.SLIHack/root/Library/Preferences/com.apple.SetupAssistant.plist
/Users/Shared/.SLIHack/root/Library/Preferences/com.apple.stackshot.plist
/Users/Shared/.SLIHack/root/Library/Preferences/com.apple.systempreferences.plist
/Users/Shared/.SLIHack/root/Library/Preferences/QuickTime Preferences
/Users/Shared/.SLIHack/shadow

Credit and kudos as always to siph0n and all the rest at MacShadows for staying on this one.

See Also
Learning Curve: Rooting 10.5.4
Industry Watch: Get Root on 10.5.4
Industry Watch: ARDAgent - Here to Stay?
Learning Curve: ARDAgent on Snow Leopard
The Technological: Walking into an Apple Store
