4

I've read the disclosure post by Emil Kvarnhammar of TrueSec (Hidden backdoor API to root privileges in Apple OS X) and I'm trying to confirm whether I'm vulnerable or not.

After creating an exploit.py script with the contents of Emil's exploit POC, I run:

$ python exploit.py /bin/bash root-bash
will write file /Users/dserodio/root-bash
Done!

Then I can see that a suid root executable was indeed created:

$ ls -l root-bash
-rwsrwxrwx  1 root  Domain Users  1228336 Apr 14 10:51 root-bash

But when I launch this, it doesn't seem to be a root shell:

$ exec ./root-bash
$ whoami
dserodio
$ touch foo
$ ls -l foo
-rw-r--r--  1 dserodi  Domain Users  0 Apr 14 11:01 foo

If I use a shell script that runs id, creates files, etc. instead of using /bin/bash to create an interactive shell, the results are the same (ie.: created as suid root but apparently without root privileges).

Can someone help me understand what's happening, and if I'm vulnerable to the "rootpipe" bug (CVE-2015-1130)?

Daniel Serodio
  • 767
  • 2
  • 7
  • 14

2 Answers2

2

Your system is vulnerable since the binary is written. The reason you can't simply copy bash is because the written binary will be started with "real" user id dserodio and "effective" user id root. To switch to real user id root, the binary needs to call setuid(0). I've given a sample C code wrapper for this in the comments of my article you linked.

Another option is to copy /usr/bin/python2.7 to /tmp/py, and start /tmp/py. From there you can do 'import os' and experiment interactively with the python methods os.geteuid(), os.getuid() and os.setuid(0). After os.setuid(0) you can launch a root bash with os.system("/bin/bash").

Emil Kvarnhammar
  • 36
  • 1
0

One option for testing this might be to use the metasploit module for rootpipe exploitation

One of the advantages of Metasploit modules is they tend to be reasonably well documented and work reliably, so worth a try.

Rory McCune
  • 62,266
  • 14
  • 146
  • 222