Sunday, 28 January 2007

Apple crashdump Privilege Escalation Vulnerability

Vendor:: Apple
Application:: Mac OS X
Disclosed:: 28-01-07
Description:: Crashreporterd is the daemon responsible for detecting application crashes. It listens for Mach exceptions and, when it detects one, launches crashdump to investigate the crash and report it to the user. Crashdump is a helper tool used by the crashreporterd daemon to create crash reports and notify the user of application crashes.
crashdump first tries to write reports to the user's home directory
(/Users/[user]/Library/Logs/CrashReporter/); if that is not available (e.g. the permissions do not allow it), it falls back to the system-wide log directory (/Library/Logs/CrashReporter/).
The problem is that crashdump follows symlinks, and users in the admin group have write access to that directory. Since crashreporterd runs with root privileges, any file can be modified by planting a symlink in /Library/Logs/CrashReporter/ named after the application that will produce the crash dump. The content written to the report can be influenced by tampering with the Mach-O file: the provided proof of concept demonstrates this with crafted library names inside the binary that triggers the issue.
Exploitation of this issue allows admin-group users (unlike MOAB-22-01-2007, which is exploitable by any user) to gain root privileges without any user interaction.
Exploit:: The exploit uses a Mach-O binary with a crontab string injected into its __LINKEDIT segment to trigger the issue and demonstrate how arbitrary code can be executed with root privileges via crashdump.
The data we are modifying within the Mach-O binary is the __LINKEDIT segment, described in the Mac OS X ABI Mach-O File Format Reference as follows::
The __LINKEDIT segment contains raw data used by the dynamic linker, such as symbol, string, and relocation table entries.
In the sample binary file (starting at offset 0x320)::
38 00 00 00 5F 5F 4C 49 4E 4B 45 44 49 54 00 00
00 00 00 00 00 40 00 00 00 10 00 00 00 30 00 00
20 04 00 00 03 00 00 00 01 00 00 00 00 00 00 00   ---> __LINKEDIT
04 00 00 00 0E 00 00 00 1C 00 00 00 0C 00 00 00
2F 75 73 72 2F 6C 69 62 2F 64 79 6C 64 00 00 00
0C 00 00 00 34 00 00 00 18 00 00 00 68 B7 9B 45
04 03 58 00 00 00 01 00 0A 0A 2A 20 2A 20 2A 20
2A 20 2A 20 2F 55 73 65 72 73 2F 53 68 61 72 65   ---> injected crontab
64 2F 72 30 30 74 0A 00 18 00 00 00 00 30 00 00
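As an added example (not code from the advisory or from Apple), the following Python check walks 32-bit Mach-O load commands and flags LC_LOAD_DYLINKER/LC_LOAD_DYLIB names that contain control bytes, are not paths, or run past their command's cmdsize; the sample input is rebuilt from the hex dump above, so the injected crontab name is caught while /usr/lib/dyld passes.

```python
import struct

# Load-command types whose payload is a path name (32-bit little-endian layout).
LC_LOAD_DYLIB = 0x0C      # struct dylib_command
LC_LOAD_DYLINKER = 0x0E   # struct dylinker_command
NAME_COMMANDS = {LC_LOAD_DYLIB: "LC_LOAD_DYLIB", LC_LOAD_DYLINKER: "LC_LOAD_DYLINKER"}


def scan_load_commands(blob, ncmds):
    """Walk ncmds load commands in blob; return (offset, command, reason) findings."""
    findings = []
    off = 0
    for _ in range(ncmds):
        if off + 8 > len(blob):
            findings.append((off, "?", "load command header truncated"))
            break
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmdsize < 8 or off + cmdsize > len(blob):
            findings.append((off, hex(cmd), "cmdsize out of range"))
            break
        if cmd in NAME_COMMANDS:
            tag = NAME_COMMANDS[cmd]
            (name_off,) = struct.unpack_from("<I", blob, off + 8)
            # The name must lie inside its own command; never read past cmdsize.
            raw = blob[off + name_off:off + cmdsize]
            nul = raw.find(b"\x00")
            if nul < 0:
                findings.append((off, tag, "name not NUL-terminated inside cmdsize"))
            name = raw if nul < 0 else raw[:nul]
            if any(b < 0x20 or b > 0x7E for b in name):
                findings.append((off, tag, "name contains control/non-printable bytes"))
            if not name.startswith((b"/", b"@")):
                findings.append((off, tag, "name is not an absolute or @-relative path"))
        off += cmdsize
    return findings


def sample_commands():
    """LC_LOAD_DYLINKER + LC_LOAD_DYLIB rebuilt from the advisory's hex dump (constructed input)."""
    dylinker = struct.pack("<III", LC_LOAD_DYLINKER, 0x1C, 0x0C) + b"/usr/lib/dyld".ljust(16, b"\0")
    # cmdsize stays 0x34 as in the dump although the injected name is 32 bytes long.
    injected = b"\n\n* * * * * /Users/Shared/r00t\n\0"
    dylib = struct.pack("<IIIIII", LC_LOAD_DYLIB, 0x34, 0x18, 0x459BB768, 0x00580304, 0x00010000)
    return dylinker + dylib + injected


if __name__ == "__main__":
    for off, tag, why in scan_load_commands(sample_commands(), 2):
        print(f"offset {off:#06x} {tag}: {why}")
```

On the dump above this reports three findings for the LC_LOAD_DYLIB command at offset 0x1c (name overruns cmdsize, contains newlines, does not start with a path character) and none for the dylinker entry.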
vuln (modified Mach-O binary)


