CVE-2015-3704 : Détail

CVE-2015-3704

A01-Broken Access Control
0.64%V3
Network
2015-07-02
23h00 +00:00
2017-09-21
07h57 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

runner in Install.framework in the Install Framework Legacy subsystem in Apple OS X before 10.10.4 does not properly drop privileges, which allows attackers to execute arbitrary code in a privileged context via a crafted app.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-264 Category : Permissions, Privileges, and Access Controls
Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 38138

Date de publication : 2015-09-09 22h00 +00:00
Auteur : Google Security Research
EDB Vérifié : Yes

Source: https://code.google.com/p/google-security-research/issues/detail?id=314 The private Install.framework has a few helper executables in /System/Library/PrivateFrameworks/Install.framework/Resources, one of which is suid root: -rwsr-sr-x 1 root wheel 113K Oct 1 2014 runner Taking a look at it we can see that it's vending an objective-c Distributed Object :) [ https://developer.apple.com/library/mac/documentation/Cocoa/Conceptual/DistrObjects/DistrObjects.html ] The main function immediately temporarily drops privs doing seteuid(getuid()); setegid(getgid()); then reads line from stdin. It passes this to NSConnection rootProxyForConnectionWithRegisteredName to lookup that name in the DO namespace and create a proxy to connect to it via. It then allocates an IFInstallRunner which in its init method vends itself using a name made up of its pid, time() and random() It then calls the setRunnerConnectionName method on the proxy to tell it the IFInstallRunner's DO name so that whoever ran the runner can connect to the IFInstallRunner. The IFRunnerMessaging protocol tells us the methods and prototypes of the remote methods we can invoke on the IFInstallRunner. Most of the methods begin with a call to processKey which will set the euid back to root if the process can provide a valid admin authorization reference from authd (I'm not totally sure how that bit works yet, but it's not important for the bug.) Otherwise the euid will remain equal to the uid and the methods (like movePath, touchPath etc) will only run with the privs of the user. The methods then mostly end with a call to restoreUIDs which will drop back to euid==uid if we did temporarily regain root privs (with the auth ref.) Not all methods we can invoke are like that though... IFInstallRunner setExternalAuthorizationRef calls seteuid(0);setegid(0); to regain root privs without requiring any auth. It then calls AuthorizationCreateFromExternalForm passing the bytes of an NSData we give it. If that call doesn't return 0 then the error branch calls syslog with the string: "Fatal error: unable to internalize authorization reference." but there's actually nothing fatal, it just returns from the method, whereas the success branch goes on to restore euid and egid, which means that if we can get AuthorizationCreateFromExternalForm to fail then we can get the priv dropping-regaining state machine out-of-sync :) Getting AuthorizationCreateFromExternalForm to fail is trivial, just provide a malformed auth_ref (like "AAAAAAAAAAAAAAAAAAA" ) Now the next method we invoke will run with euid 0 even without having the correct auth ref :) This PoC first calls setBatonPath to point the baton executable path to a localhost bind-shell then triggers the bug and calls runTaskSecurely which will create an NSTask and launch the bind-shell with euid 0 :) We can then just nc to it and get a root shell tl;dr: the error path in setExternalAuthorizationRef should either be fatal or drop privs! Make sure you have the latest xcode installed and run the get_shell.sh script to build and run the PoC. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38138.zip

Products Mentioned

Configuraton 0

Apple>>Mac_os_x >> Version To (including) 10.10.3

Références

https://www.exploit-db.com/exploits/38138/
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.securityfocus.com/bid/75493
Tags : vdb-entry, x_refsource_BID
http://www.securitytracker.com/id/1032760
Tags : vdb-entry, x_refsource_SECTRACK
http://support.apple.com/kb/HT204942
Tags : x_refsource_CONFIRM