CVE-2015-5784 : Détail

CVE-2015-5784

A01-Broken Access Control
27.89%V4
Network
2015-08-16
21h00 +00:00
2017-09-20
07h57 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

runner in Install.framework in the Install Framework Legacy component in Apple OS X before 10.10.5 does not properly drop privileges, which allows attackers to execute arbitrary code in a privileged context via a crafted app.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-264 Category : Permissions, Privileges, and Access Controls
Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 38137

Date de publication : 2015-09-09 22h00 +00:00
Auteur : Google Security Research
EDB Vérifié : Yes

Source: https://code.google.com/p/google-security-research/issues/detail?id=477 Install.framework has a suid root binary here: /System/Library/PrivateFrameworks/Install.framework/Resources/runner This binary vends the IFInstallRunner Distributed Object, which has the following method: [IFInstallRunner makeReceiptDirAt:asRoot:] If you pass 1 for asRoot, then this code will treat the makeReceiptDirAt string as a path and make two directories (Library/Receipts) below it. At first glance this code looks immediately racy and no doubt we could play some symlink tricks to get arbitrary directories created, but, on second glance, we can do a lot more! This code is using distributed objects which is a "transparent" IPC mechanism: what this means in practise is that not only can I call methods on the IFInstallRunner object running in the suid root process, but I can also pass it objects from my process; when the suid root process then tries to call methods on those object this will actually result in callbacks into my process :) In this case rather than just passing an NSString as the makeReceiptDirAt parameter I create and pass an instance of my own class "InitialPathObject" which behaves a bit like a string but gives me complete control over its behaviour from my process. By creating a couple of this custom classes and implementing various methods we can reach calls to mkdir, chown and unlink with euid == 0. We can completely control the string passed to mkdir and unlink. In the chown case the code will chown our controlled path to root:admin; regular os x users are members of the admin group which means that this will give the user access to files which previously belonged to a different group. To hit the three actions (mkdir, chown and unlink) with controlled arguments we need to override various combinations of selectors and fail at the right points: InitialPathObject = the object we pass to the makeReceiptDirAt selector overrides: - stringByAppendingPathComponent * will be called twice: * first time: return an NSString* pointing to a non-existant file * second time: return SecondFakeStringObject SecondFakeStringObject = returned by the second call to stringByAppendingPathComponent overrides: - length * will be called by the NSFileManager? * return length of path to non-existant file - getCharacters: * will be called by the NSFileManager? * return character of the non-existant file path - fileSystemRepresentation * for MKDIR: * first time: return char* of the target path * second time: return char* to non-existant file * third time: return char* to non-existant file * for CHOWN: * first time: return char* of temporary directory to create and ignore * second time: return char* of target path * for UNLINK: * first time: return char* of temporary directory to create and ignore * second time: return char* to non-existant file * third time: return char* to path to unlink - stringByAppendingPathComponent: * for MKDIR: * not called * for CHOWN: * return NSString* pointing to file which does exist // to bail out before creating /Receipts * for UNLINK * not called build: clang -o as_root_okay_then_poc as_root_okay_then_poc.m -framework Foundation run: ./as_root_okay_then_poc MKDIR|CHOWN|UNLINK <target> note that this will create some root-owned temporary directories in /tmp which will need to be manually cleaned up Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38137.zip

Products Mentioned

Configuraton 0

Apple>>Mac_os_x >> Version To (including) 10.10.4

Références

http://www.securityfocus.com/bid/76340
Tags : vdb-entry, x_refsource_BID
https://support.apple.com/kb/HT205031
Tags : x_refsource_CONFIRM
https://www.exploit-db.com/exploits/38137/
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.securitytracker.com/id/1033276
Tags : vdb-entry, x_refsource_SECTRACK