Full Disclosure mailing list archives
Re: OS X Local Root Exploit for Viscosity OpenVPN Client
From: "Jason A. Donenfeld" <Jason () zx2c4 com>
Date: Mon, 13 Aug 2012 17:55:31 +0200
On Mon, Aug 13, 2012 at 5:41 PM, Richard Miles <richard.k.miles () googlemail com> wrote:

> - Calls a file with a suid file without full path?

No.

> - Allows to create a symbolic link inside /Applications/Viscosity.app/Contents/Resources/ with the name of ViscosityHelper?

No.

> BTW, this file /Applications/Viscosity.app/Contents/Resources/ViscosityHelper doesn't exist by default?

Yes, it does exist. When you run Viscosity for the first time, it makes that file SUID.

> Also, are the permissions at the folder /Applications/Viscosity.app/Contents/Resources/ weak enough to allow anyone to write on it?

I don't know. It doesn't matter for this exploit.

> Sorry for the dumb question, but what is the real issue here?

The SUID binary will execute python code from the directory of the executable, linked, symlinked, or otherwise. Take a look at the exploit.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
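The reply above locates the problem in where the SUID helper loads code from. The following is an added example, not code from the original post or from Viscosity: a check a privileged helper could make before loading anything that sits beside it, refusing unless the directory and all its ancestors are owned by a trusted uid and not writable by group or other. The function names `dir_is_trusted` and `load_dir_is_trusted` are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* A directory is acceptable only if it is a real directory, owned by the
 * trusted uid, and not writable by group or other. */
int dir_is_trusted(const struct stat *st, uid_t trusted_uid)
{
    return S_ISDIR(st->st_mode) && st->st_uid == trusted_uid &&
           (st->st_mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Return 1 only if the directory that really holds exe_path, and every
 * ancestor up to "/", passes dir_is_trusted(). realpath() follows symlinks
 * to the true location; a hard link placed in another directory keeps that
 * directory in the resolved path, so it is judged on its own permissions. */
int load_dir_is_trusted(const char *exe_path, uid_t trusted_uid)
{
    char resolved[PATH_MAX];
    struct stat st;

    if (realpath(exe_path, resolved) == NULL)
        return 0;
    for (;;) {
        char *slash = strrchr(resolved, '/');
        if (slash == NULL)
            return 0;
        if (slash == resolved)
            slash[1] = '\0';   /* reached the root directory */
        else
            *slash = '\0';     /* strip the last path component */
        if (lstat(resolved, &st) != 0 || !dir_is_trusted(&st, trusted_uid))
            return 0;
        if (strcmp(resolved, "/") == 0)
            return 1;
    }
}

int main(int argc, char **argv)
{
    int ok = argc == 2 && load_dir_is_trusted(argv[1], 0);   /* 0 = root */
    printf("%s\n", ok ? "trusted load directory" : "refuse to load");
    return ok ? 0 : 1;
}
```

This is a path-based check, so it is subject to a race between check and use; a helper that hard-codes the absolute path of its resources avoids depending on its invocation path at all.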