InsomniaX by Andrew James - http://semaja2.net - is really handy if you want to
leave your MacBook running with the lid closed.
Unfortunately, back in June of this year, a security vulnerability was disclosed
in the loader binary that allows a non-root user to load any arbitrary kernel
extension.
Today I am releasing a patch for this vulnerability. It replaces the vulnerable
loader binary with a new one that loads and unloads the kernel extension
securely.
https://m4.rkw.io/insomnia_218_patch.sh.txt
c51110c284a32730d34ffc355c75329b6851a62010463049d2505f1530605e79
----------------------------------------------------------------------------
#!/bin/bash
# Banner printed on every invocation, before the arguments are examined.
# The quoted delimiter keeps the text literal (no expansion inside it).
cat <<'BANNER'

####################################################
###### Insomnia v2.1.8 loader security patch ######
###### by m4rkw - https://m4.rkw.io/blog.html ######
####################################################

BANNER
# Print the one-line usage summary and end the script.
# The bare `exit` reuses the status of the preceding command.
function usage()
{
  printf 'Usage: %s [--install]\n' "$0"
  exit
}
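# Replace InsomniaX's setuid-root loader with a minimal one that can only
# load or unload the bundled Insomnia_r11.kext.
#
# Must be run as root. Exits with status 1 if it is not, if the patch backup
# already exists, if the original loader is missing, or if any step fails.
#
# Order of operations matters here:
#   * the replacement is compiled in a private mktemp directory rather than a
#     fixed name under /tmp, so no other local user can pre-create or swap
#     the source that ends up in a setuid-root binary;
#   * nothing inside the application bundle is touched until the compile has
#     succeeded, so a missing compiler does not leave the app without a loader;
#   * the setuid bit is stripped from the old loader before it is renamed, so
#     the vulnerable binary never exists under the backup name with setuid set.
function install()
{
  local app=/Applications/InsomniaX.app
  local res="$app/Contents/Resources"
  local workdir

  if [ "$(id -u)" != "0" ] ; then
    echo "This script requires root privileges."
    exit 1
  fi

  if [ -e "$res/loader_patch_backup" ] ; then
    echo "This patch already seems to be installed."
    exit 1
  fi

  if [ ! -f "$res/loader" ] ; then
    echo "InsomniaX loader not found at $res/loader."
    exit 1
  fi

  # mktemp -d creates a fresh directory accessible only to its owner (root).
  if ! workdir=$(mktemp -d /tmp/insomnia_patch.XXXXXX) ; then
    echo "Could not create a temporary build directory."
    exit 1
  fi

  # Quoted delimiter: the C source is written out literally, with no shell
  # expansion applied to it.
  cat > "$workdir/loader.c" <<'EOF'
#include <unistd.h>

#define KEXT_PATH "/Applications/InsomniaX.app/Contents/Resources/Insomnia_r11.kext"

/* This binary is installed setuid root, so the caller's environment is
 * untrusted; the kext tools are started with an empty one. */
static char *const clean_env[] = { NULL };

static void load_kext(void)
{
  execle("/sbin/kextload", "kextload", KEXT_PATH, (char *)NULL, clean_env);
}

static void unload_kext(void)
{
  execle("/sbin/kextunload", "kextunload", KEXT_PATH, (char *)NULL, clean_env);
}

int main(void)
{
  unsigned char c = 0;
  int i;

  /* The last of 33 bytes read from stdin selects the action (1 = load,
   * 2 = unload). The first 32 are discarded; presumably a fixed-size header
   * sent by the InsomniaX app - confirm against the caller. A short or
   * failed read is refused instead of acting on a stale byte. */
  for (i = 0; i < 33; i++) {
    if (read(STDIN_FILENO, &c, 1) != 1) {
      return 1;
    }
  }

  if (c == 1) {
    load_kext();
    return 1; /* only reached if exec failed */
  } else if (c == 2) {
    unload_kext();
    return 1; /* only reached if exec failed */
  }

  return 0;
}
EOF

  if ! gcc -o "$workdir/loader" "$workdir/loader.c" ; then
    rm -rf "$workdir"
    echo "Compiling the replacement loader failed; nothing was changed."
    exit 1
  fi

  # Defuse the vulnerable binary first, then keep it as a non-setuid backup.
  if ! chmod -s "$res/loader" || ! mv "$res/loader" "$res/loader_patch_backup" ; then
    rm -rf "$workdir"
    echo "Could not move the original loader aside."
    exit 1
  fi

  # The new loader runs as root and loads a kext from inside the bundle, so
  # the bundle's contents must not be owned by an unprivileged user.
  chown -R root:wheel "$app"

  # chown can clear setuid bits, so ownership is set before the mode.
  if ! cp "$workdir/loader" "$res/loader" \
      || ! chown root:wheel "$res/loader" \
      || ! chmod 4755 "$res/loader" ; then
    rm -rf "$workdir"
    echo "Installing the replacement loader failed."
    exit 1
  fi

  rm -rf "$workdir"

  echo "Patch installed. The vulnerable loader binary has been replaced and is no longer exploitable."
  echo
}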
# Entry point: only the exact argument --install applies the patch;
# anything else (including no argument) prints the usage line.
case "$1" in
  --install)
    install
    ;;
  *)
    usage
    ;;
esac