issetugid() + rsh + libmalloc OS X Local Root

Posted by deepcore on October 3, 2015 – 8:25 am

The default root-suid binary /usr/bin/rsh on Mac OS X uses execv() in an insecure manner. /usr/bin/rsh will invoke /usr/bin/rlogin if launched with only a host argument, without dropping privileges or clearing the environment. This exploit will pass “MallocLogFile” to /usr/bin/rsh, which is then passed on to rlogin and interpreted by libmalloc to create a root-owned file with partially controlled contents at /etc/crontab which gives a rootshell via sudo. Tested on 10.9.5 / 10.10.5 but it most likely works on much older versions too.

This post is under “exploit” and has no respond so far.
If you enjoy this article, make sure you subscribe to my RSS Feed.

Post a reply

You must be logged in to post a comment.

« ElasticSearch Path Traversal Arbitrary File Download FTGate 2009 SR3 Cross Site Scripting »

:: Deepquest ::

This site contains information which could be considered illegal in some countries. It is provided here for educational use only and is not intended to be used for illegal activities.

issetugid() + rsh + libmalloc OS X Local Root

Post a reply

Tabs Switcher

Categories

Archives

Meta

BLOGROLL