Mac OS X local root (rsh/libmalloc)

[Philip Pettersson <philip.pettersson () gmail com>]

Hi, this is a notice about CVE-2015-5889 which was fixed today in
APPLE-SA-2015-09-30-3.

I reported this issue to Apple in July 2015.

The default root-suid binary /usr/bin/rsh on Mac OS X uses execv() in
an insecure manner.

Most system libraries on OSX use issetugid(2) when initializing to
determine if certain environment variables are safe to use. When
executing a setuid binary as an unprivileged user, variables such as
DYLD_* will be cleared since issetugid() returns 1.

However, if a setuid-binary launches another process without dropping
privileges, issetugid() calls within that process will return 0 even
though the process context might still be tainted by unsafe
environment variables.

Libdyld will correctly remove any unsafe variables completely from the
environment to prevent them from being passed on to child processes. A
different library which uses potentially unsafe environment variables
is libmalloc, and it will not permanently clear the environment in the
same way.

/usr/bin/rsh will invoke /usr/bin/rlogin if launched with only a host
argument, without dropping privileges or clearing the environment:

/* if no further arguments, must have been called as rlogin. */
[...]
execv(_PATH_RLOGIN, argv);

My exploit will pass "MallocLogFile" to /usr/bin/rsh, which is then
passed on to rlogin and interpreted by libmalloc to create a
root-owned file with partially controlled contents at /etc/crontab
which gives a rootshell via sudo.

Tested on 10.9.5 / 10.10.5 but it most likely works on much older versions too.
KASLR and other scary acronyms won't protect against 90's style bugs :).

Philip Pettersson

Attachment: osx-rsh.py
Description:

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/