Mach Race OSX - Privilege Escalation

27 Apr 2016 | Reported by fG! | Published on 0day.today

Mach Race OS X Local Privilege Escalation Exploit targeting SUID, SIP, and binary entitlements using mach_race_server and mach_race_client.

Code
Source: https://github.com/gdbinit/mach_race
 
Mach Race OS X Local Privilege Escalation Exploit
 
(c) fG! 2015, 2016, [email protected] - https://reverse.put.as
 
A SUID, SIP, and binary entitlements universal OS X exploit (CVE-2016-1757).
 
Usage against a SUID binary:
 
./mach_race_server /bin/ps _compat_mode
 
for i in $(seq 0 1000000); do ./mach_race_client /bin/ps; done
 
Against an entitled binary to bypass SIP:
 
./mach_race_server /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/system_shove _geteuid
 
for i in $(seq 0 1000000); do ./mach_race_client /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/system_shove; done
 
Note: because the service name is not modified, you can't chain this exploit from user to root and then use it to bypass SIP, since bootstrap_register2 will fail the second time (the service is already registered with launchd from the first run). The solution is, for example, to add a parameter that selects a different service name.
 
Note 2: there's no need to make this into two separate apps; a single binary works, you just need to fork a server and a client.
 
References:
 
https://reverse.put.as/wp-content/uploads/2016/04/SyScan360_SG_2016_-_Memory_Corruption_is_for_wussies.pdf
 
http://googleprojectzero.blogspot.pt/2016/03/race-you-to-kernel.html
 
Tested against Mavericks 10.10.5, Yosemite 10.10.5, El Capitan 10.11.2 and 10.11.3.
 
Fixed in El Capitan 10.11.4.
 
Should work with all OS X versions (depends on whether bootstrap_register2 exists on older versions).
 
Alternative implementation with bootstrap_create_server possible for older versions.
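A defender-side check that the version facts above support, added here as an example (it is not fG!'s code and not part of the mach_race repository): it parses an OS X product version string and reports whether the host predates the 10.11.4 release that carries the fix for CVE-2016-1757. The `sw_vers -productVersion` call is the stock macOS command for reading the product version; the parsing, the tuple comparison and the verdict format are this example's own assumptions.

```python
"""Report whether an OS X product version predates the CVE-2016-1757 fix.

Added example, not part of the original exploit README. The advisory states
the race was fixed in El Capitan 10.11.4, so any earlier release is treated
as exposed. Parsing and output format are this example's own assumptions.
"""
import re
import subprocess
from typing import Optional, Tuple

# Release that ships the fix, per the advisory ("Fixed in El Capitan 10.11.4").
FIXED_IN: Tuple[int, int, int] = (10, 11, 4)

# Accepts "10.11.3" as well as "10.11" (patch component optional).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '10.11.3' or '10.11' into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised product version: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_exposed(product_version: str) -> bool:
    """True when the version sorts before the release containing the fix.

    Tuple comparison handles later major lines naturally: (11, 0, 0) is not
    less than (10, 11, 4), so macOS 11+ is reported as patched.
    """
    return parse_version(product_version) < FIXED_IN


def local_product_version() -> Optional[str]:
    """Read the running host's product version via sw_vers, or None off macOS."""
    try:
        out = subprocess.run(
            ["sw_vers", "-productVersion"],
            capture_output=True, text=True, check=True,
        )
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


def assess(product_version: str) -> str:
    """One-line verdict suitable for an inventory or patch-compliance report."""
    state = "EXPOSED (predates 10.11.4 fix)" if is_exposed(product_version) else "patched"
    return f"OS X {product_version}: CVE-2016-1757 {state}"


if __name__ == "__main__":
    # Constructed sample versions taken from the advisory's tested/fixed list.
    for v in ("10.10.5", "10.11.2", "10.11.3", "10.11.4", "10.12"):
        print(assess(v))
    host = local_product_version()
    if host:
        print("this host ->", assess(host))
```

Run it as-is to see the verdicts for the versions the advisory lists; on a Mac it also appends the verdict for the local host. Off macOS, `sw_vers` is absent and the host line is simply skipped.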
 
 
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39741.zip

#  0day.today [2018-02-18]  #
