Escalation hijacking on macs

29 Nov 2017 21:04 | macOS | security

With all the hype today about the blank-password root bug in High Sierra I
thought I'd write a quick post about escalation hihacking on macOS and how
common it is for software to be vulnerable to this.

Consider the case of malware gaining execution on a mac. This is pretty bad to
begin with but it's all the more worse if the malware obtains root access. Even
with apple's "rootless" feature it still provides a potential path to
rootkitting the machine, loading kexts etc.

I've found a slew of privilege escalation issues in various Mac applications
this year but as well as these more direct exploits I've also noticed that a lot
of mac software that requires elevated privileges requested with an
authentication prompt does so in a way that can be easily and silently hijacked
by a third party process.

The two most common insecure ways of doing this that I've seen are:

1) sudo

2) applescript via osascript, eg "execute blah with administrator privileges"

In both cases these actions pause waiting for user authentication and are
clearly visible in the process list. Since we can see the exact shell commands
that are going to be executed with sudo or osascript and that the user will take
at least a couple of seconds to enter their password, we have the perfect
opportunity to steal the escalation.

Consider this sudo command in the process list:

sudo chown root:wheel /tmp/some/file && sudo chmod 4755 /tmp/some/file

If we know that this will occasionally occur given that application X is
installed we can lie in wait until it happens and then switch /tmp/some/file out
for some other arbitrary payload. Once it's been made root-owned and +s we can
then use it to escalate, swap the original file back in place and set the
required permissions on that so the user will have no idea that anything
happened.

To make this even easier we can even send a STOP signal to the parent process to
effectively pause it until our meddling is complete and then send a CONT signal
to resume it.

An example of an exploit using this technique is my code for the 5.0.0 release
of the Hashicorp vagrant-vmware-fusion plugin:

https://m4.rkw.io/blog/cve201715884-local-root-privesc-in-hashicorp-vagrantvmwarefusion-500.html

However this vulnerability is present in loads of Mac software. Eventually smart
malware authors will realise this and start rolling such exploits into their
malware so that they can escalate opportunistically.