Hi, this is a notice about CVE-2015-5889 which was fixed today in APPLE-SA-2015-09-30-3. I reported this issue to Apple in July 2015. The default root-suid binary /usr/bin/rsh on Mac OS X uses execv() in an insecure manner. Most system libraries on OSX use issetugid(2) when initializing to determine if certain environment variables are safe to use. When executing a setuid binary as an unprivileged user, variables such as DYLD_* will be cleared since issetugid() returns 1. However, if a setuid-binary launches another process without dropping privileges, issetugid() calls within that process will return 0 even though the process context might still be tainted by unsafe environment variables. Libdyld will correctly remove any unsafe variables completely from the environment to prevent them from being passed on to child processes. A different library which uses potentially unsafe environment variables is libmalloc, and it will not permanently clear the environment in the same way. /usr/bin/rsh will invoke /usr/bin/rlogin if launched with only a host argument, without dropping privileges or clearing the environment: /* if no further arguments, must have been called as rlogin. */ [...] execv(_PATH_RLOGIN, argv); My exploit will pass "MallocLogFile" to /usr/bin/rsh, which is then passed on to rlogin and interpreted by libmalloc to create a root-owned file with partially controlled contents at /etc/crontab which gives a rootshell via sudo. Tested on 10.9.5 / 10.10.5 but it most likely works on much older versions too. KASLR and other scary acronyms won't protect against 90's style bugs :). Philip Pettersson
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment