Dropbox FinderLoadBundle OS X Local Root Exploit
Posted by deepcore on October 2, 2015 – 12:33 am
The setuid root FinderLoadBundle that was included in older DropboxHelperTools versions for OS X allows loading of dynamically linked shared libraries that are residing in the same directory. The directory in which FinderLoadBundle is located is owned by root and that prevents placing arbitrary files there. But creating a hard link from FinderLoadBundle to somewhere in a directory in /tmp circumvents that protection thus making it possible to load a shared library containing a payload which creates a root shell.
Post a reply
You must be logged in to post a comment.