macOS cfprefsd Arbitrary File Write Local Privilege Escalation

2020-08-18T07:56:01
ID MSF:EXPLOIT/OSX/LOCAL/CFPREFSD_RACE_CONDITION
Type metasploit
Reporter Rapid7
Modified 2020-10-02T20:00:37

Description

This module exploits an arbitrary file write in cfprefsd on macOS <= 10.15.4 in order to run a payload as root. The CFPreferencesSetAppValue function, which is reachable from most unsandboxed processes, can be exploited with a race condition in order to overwrite an arbitrary file as root. By overwriting /etc/pam.d/login a user can then login as root with the login root command without a password.