Monorail Project: project-zero
Status: Fixed
Closed: Aug 2015
OS X Install.framework suid root runner binary priv-esc due to not accounting for implicitly parallel nature of Distributed Objects
Project Member Reported by ianbeer@google.com, Jul 7 2015
The Install.framework runner suid root binary does not correctly account for the fact that Distributed Objects
can be connected to by multiple clients at the same time.

By connecting two proxy objects to an IFInstallRunner and calling [IFInstallRunner makeReceiptDirAt:asRoot:]
in the first and passing a custom object as the directory name we can get a callback to our code just after the
makeReceiptDirAt code has called seteuid(0);setguid(0) to regain privs. Since BSD privileges are per-process
this means that our other proxy object will now have euid 0 without having to provide an authorization reference.

In this second proxy we can then just call runTaskSecurely and get a root shell before returning from the first proxy's callback function,
which will then drop privs.

Build using the provided makefile and run it, passing the full path to the localhost shell.
Attachment: install_runner_race.zip (3.3 KB)
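The sequence the report describes, modelled as an added example that is not part of the issue, of the attached exploit, or of Apple's Install.framework code. The runner is a single-threaded server; a synchronous message to a client-supplied object re-enters the message loop, so messages from any other connected proxy are handled while the first handler is still inside its privileged window. The effective uid is a plain global standing in for seteuid(0)/seteuid(getuid()), because a real seteuid(0) needs a setuid-root binary; REAL_UID, pump(), call_client_description(), simulate() and the message layout are assumptions made for the model, not names from the framework.

```c
/* Model of the Install.framework runner race (added example, not Apple's code).
 * The process-wide effective uid is simulated by a global because a real
 * seteuid(0) needs a setuid-root binary. REAL_UID, pump(),
 * call_client_description() and simulate() are invented for the model. */
#include <stdio.h>

#define REAL_UID 501            /* the unprivileged caller's uid (assumed) */
static int euid = REAL_UID;     /* stands in for the kernel's per-process euid */
static void sim_seteuid(int uid) { euid = uid; }

enum kind { MSG_MAKE_RECEIPT_DIR, MSG_RUN_TASK };
struct msg { enum kind kind; char client; const char *arg; int has_auth; };

/* Messages pending on the server's run loop, from any connected proxy. */
#define QMAX 8
static struct msg queue[QMAX];
static int qhead, qtail;
static void enqueue(struct msg m) { if (qtail < QMAX) queue[qtail++] = m; }
static int dequeue(struct msg *m) { if (qhead == qtail) return 0; *m = queue[qhead++]; return 1; }

static int last_task_euid = -1;  /* euid in effect when the last task was run */

static void handle(struct msg m, int hardened);

/* Drain every pending message, whichever proxy sent it. */
static void pump(int hardened) {
    struct msg m;
    while (dequeue(&m)) handle(m, hardened);
}

/* Synchronous call to a client-supplied object (here: "what is your string
 * value?"). Distributed Objects keeps servicing other connections while it
 * waits for the reply, so the loop is re-entered from inside the handler. */
static const char *call_client_description(const char *obj, int hardened) {
    pump(hardened);
    return obj;
}

/* runTaskSecurely: with an authorization reference the task is run as root;
 * without one it runs with whatever euid the process happens to have. */
static void run_task(struct msg m) {
    if (m.has_auth) sim_seteuid(0);
    last_task_euid = euid;       /* a fork/exec here would inherit this euid */
    printf("client %c: task %s runs with euid %d\n", m.client, m.arg, euid);
    if (m.has_auth) sim_seteuid(REAL_UID);
}

/* makeReceiptDirAt:asRoot: */
static void make_receipt_dir(struct msg m, int hardened) {
    const char *name;
    if (!hardened) {
        sim_seteuid(0);                                  /* regain privs first ...   */
        name = call_client_description(m.arg, hardened); /* ... then call the client */
    } else {
        /* Fix: resolve every client-controlled argument into a plain string
         * before raising privs, so no client code can run while euid == 0. */
        name = call_client_description(m.arg, hardened);
        sim_seteuid(0);
    }
    printf("client %c: mkdir(%s) with euid %d\n", m.client, name, euid);
    sim_seteuid(REAL_UID);                               /* drop privs again */
}

static void handle(struct msg m, int hardened) {
    if (m.kind == MSG_MAKE_RECEIPT_DIR) make_receipt_dir(m, hardened);
    else run_task(m);
}

/* Two proxies on one runner: A sends makeReceiptDirAt: with a custom object
 * as the name, B sends runTaskSecurely. Returns the euid B's task ran with;
 * 0 without an authorization reference means the race was won. */
int simulate(int hardened, int b_has_auth) {
    struct msg a = { MSG_MAKE_RECEIPT_DIR, 'A', "/tmp/receipts", 0 };
    struct msg b = { MSG_RUN_TASK, 'B', "/bin/sh", b_has_auth };
    qhead = qtail = 0; euid = REAL_UID; last_task_euid = -1;
    enqueue(a);
    enqueue(b);   /* B's message is pending when A's handler calls back into A */
    pump(hardened);
    return last_task_euid;
}

int main(void) {
    printf("vulnerable, no auth: task euid %d\n", simulate(0, 0));
    printf("hardened,   no auth: task euid %d\n", simulate(1, 0));
    printf("hardened, with auth: task euid %d\n", simulate(1, 1));
    return 0;
}
```

In the vulnerable ordering B's unauthorized task runs with euid 0 because A's handler is parked inside the callback; moving the callback ahead of the privilege raise leaves B with the real uid. The model also shows a second hazard of calling out while privileged: in the vulnerable ordering an authorized B drops back to REAL_UID on its way out, so A's mkdir then runs unprivileged even though A believes it is root. The reordering removes both, since nothing client-controlled executes between seteuid(0) and the matching drop.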
Project Member Comment 1 by ianbeer@google.com, Jul 7 2015
Labels: Reported-2015-Jul-7 Id-625163910
Project Member Comment 2 by ianbeer@google.com, Jul 7 2015
(typo: the code calls seteuid(0);setegid(0); to regain the temporarily dropped privs)
Project Member Comment 3 by ianbeer@google.com, Aug 13 2015
Labels: CVE-2015-5754 Fixed-2015-Aug-13
Owner: ianbeer@google.com
Apple advisory: https://support.apple.com/en-us/HT205031
Project Member Comment 4 by ianbeer@google.com, Aug 13 2015
Status: Fixed
Project Member Comment 5 by ianbeer@google.com, Sep 10 2015
Labels: -Restrict-View-Commit