Escalation hijacking on Macs

29 Nov 2017 21:04 | macOS | security

With all the hype today about the blank-password root bug in High Sierra, I thought I’d write a quick post about escalation hijacking on macOS and how common it is for software to be vulnerable to it.

Consider the case of malware gaining execution on a Mac. This is bad to begin with, but it’s all the worse if the malware obtains root access. Even with Apple’s “rootless” feature, root access still provides a potential path to rootkitting the machine, loading kexts, etc.

I’ve found a slew of privilege escalation issues in various Mac applications this year. As well as these more direct exploits, I’ve also noticed that a lot of Mac software that requests elevated privileges through an authentication prompt does so in a way that can be easily and silently hijacked by a third-party process.

The two most common insecure ways of doing this that I’ve seen are:

1) sudo

2) AppleScript via osascript, e.g. “execute blah with administrator privileges”

In both cases the action pauses while waiting for user authentication and is clearly visible in the process list. Since we can see the exact shell commands that are going to be executed with sudo or osascript, and the user will take at least a couple of seconds to enter their password, we have the perfect opportunity to steal the escalation.

Consider this sudo command in the process list:

sudo chown root:wheel /tmp/some/file && sudo chmod 4755 /tmp/some/file

If we know that this will occasionally occur when application X is installed, we can lie in wait until it happens and then switch /tmp/some/file out for some other arbitrary payload. Once it’s been made root-owned and +s, we can use it to escalate, then swap the original file back into place and set the required permissions on it so the user will have no idea that anything happened.

To make this even easier, we can send a STOP signal to the parent process to effectively pause it until our meddling is complete, and then send a CONT signal to resume it.

An example of an exploit using this technique is my code for the 5.0.0 release of the HashiCorp vagrant-vmware-fusion plugin:

https://m4.rkw.io/blog/cve201715884-local-root-privesc-in-hashicorp-vagrantvmwarefusion-500.html

However, this vulnerability is present in loads of Mac software. Eventually smart malware authors will realise this and start rolling such exploits into their malware so that they can escalate opportunistically.
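
Because the pending sudo and osascript commands are visible in the process list, the same visibility can be used to audit installed software for this pattern. The following is an added example, not code from the original post: it flags elevated commands that reference user-writable paths, and the USER_WRITABLE prefix list and the sample command lines (other than the sudo line quoted above) are assumptions constructed for illustration.

```python
import re

# Assumption: prefixes an unprivileged local process can normally write under.
USER_WRITABLE = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/")
ELEVATED = re.compile(r"\bsudo\b|\bosascript\b.*with administrator privileges")
PATH = re.compile(r"(?<![\w.:])/[^\s\"'\\;&|]+")
CHOWN_ROOT = re.compile(r"\bchown\s+(?:-\S+\s+)*root\b")
SETUID = re.compile(r"\bchmod\s+(?:-\S+\s+)*(?:0?[4-7][0-7]{3}\b|[ugoa]*\+[rwxXt]*s)")


def audit_command(command):
    """Return [(path, [flags])] for one command string from `ps -axo command`."""
    if not ELEVATED.search(command):
        return []  # not a sudo/osascript escalation, nothing to hijack
    flags = []
    if CHOWN_ROOT.search(command):
        flags.append("chown to root")
    if SETUID.search(command):
        flags.append("setuid chmod")
    # Only paths another same-user process could replace are of interest.
    paths = {p for p in PATH.findall(command) if p.startswith(USER_WRITABLE)}
    return [(p, flags) for p in sorted(paths)]


def audit(commands):
    """Map each risky command to its findings; safe commands are omitted."""
    report = {}
    for command in commands:
        findings = audit_command(command)
        if findings:
            report[command] = findings
    return report


# Constructed sample input; the first line is the command quoted in the post.
SAMPLE = [
    "sudo chown root:wheel /tmp/some/file && sudo chmod 4755 /tmp/some/file",
    'osascript -e do shell script "/Users/alice/AppX/helper" with administrator privileges',
    "sudo /usr/sbin/softwareupdate -ia",
    "chmod 4755 /tmp/unprivileged",
]

if __name__ == "__main__":
    for command, findings in audit(SAMPLE).items():
        for path, flags in findings:
            print(f"{path}: {', '.join(flags) or 'run as root'}  <- {command}")
```

A finding means the privileged step trusts a file that an unprivileged process could replace before the password is entered; software that operates only on root-owned paths produces no findings.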