Add exploit for CVE-2019-8513 (TimeMachine cmd injection) #11726
Conversation
```ruby
def initialize(info = {})
  super(update_info(info,
    'Name' => 'Mac OS X TimeMachine Command Injection Privilege Escalation',
```
I'd like to think this won't be the last command injection LPE in TimeMachine. Perhaps mention `tmdiagnose` in the title, or something else unique and more applicable.
Co-Authored-By: timwr <timwr@users.noreply.github.com>
documentation/modules/exploit/osx/local/timemachine_cmd_injection.md
```c
#include <sys/mman.h>

char root_payload[1024] = "ROOT_PAYLOAD_PLACEHOLDER";
```
This approach is likely problematic in the unlikely event that the payload is larger than 1024. If it is in fact problematic, then it may be difficult to debug, as the cause won't be immediately obvious, due to clobbering adjacent binary data.

This also results in the payload being written to disk, rather than writing the exploit to disk and executing the payload in memory.

Potential alternatives:

- adjusting the exploit to accept a command line argument to execute; or
- adjusting the exploit to spawn a `setuid(0,0,0)` shell, if feasible, and piping the payload as input through STDIN; or
- lazy option: adding a warning/error to the `exploit` method in the event that the generated payload is larger than 1024.
It's actually `tmdiagnose` that calls back and executes our payload (without any arguments), so there is no way to avoid having some kind of payload on disk. (Unless you can think of a way?)

I'll see if I can pipe the python/command payload through stdin and also add a length check.
🤷 I haven't looked at how the exploit works at all. A closer look reveals the x64 payload obviously can't be piped, unless it's already written to disk, which is less preferable.
Simply adding a length check might be the easiest way.
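The length check discussed in this thread, as an added example rather than the module's own code: the C source carries a fixed `char root_payload[1024]` buffer initialised from a placeholder string, so the Ruby side must refuse any payload that does not fit (the compiler appends a NUL, leaving 1023 usable bytes) and must escape the bytes so they survive as a C string literal. The C template below is a constructed stand-in for the exploit source, and `embed_payload` / `c_escape` are hypothetical helper names, not functions from the PR or from Metasploit.

```ruby
# Added example, not code from the PR or from Metasploit.
BUFFER_SIZE = 1024
PLACEHOLDER = 'ROOT_PAYLOAD_PLACEHOLDER'

# Constructed stand-in for the exploit's C source (the real file is not reproduced here).
C_TEMPLATE = <<~C
  #include <sys/mman.h>
  char root_payload[#{BUFFER_SIZE}] = "#{PLACEHOLDER}";
C

class PayloadTooLarge < StandardError; end

# Escape arbitrary bytes for use inside a C string literal.
# Octal escapes are used instead of \xNN because a C hex escape greedily
# consumes every following hex digit, so "\x41" + "B" would be misparsed;
# an octal escape is capped at three digits and cannot merge with the next byte.
def c_escape(bytes)
  bytes.each_byte.map do |b|
    case b
    when 0x22 then '\\"'             # double quote
    when 0x5c then '\\\\'            # backslash
    when 0x20..0x7e then b.chr       # other printable ASCII passes through
    else format('\\%03o', b)         # everything else as \NNN
    end
  end.join
end

# Substitute the payload into the template, or raise if it would overflow
# the fixed buffer and silently clobber the adjacent data the reviewer warned about.
def embed_payload(template, payload, buffer_size: BUFFER_SIZE)
  max = buffer_size - 1 # room for the NUL terminator the compiler adds
  if payload.bytesize > max
    raise PayloadTooLarge,
          "payload is #{payload.bytesize} bytes, but root_payload holds at most #{max}"
  end
  template.sub(PLACEHOLDER, c_escape(payload))
end

if $PROGRAM_NAME == __FILE__
  puts embed_payload(C_TEMPLATE, "/bin/sh -c 'id > /tmp/out'")
  begin
    embed_payload(C_TEMPLATE, 'A' * BUFFER_SIZE)
  rescue PayloadTooLarge => e
    warn "refused: #{e.message}"
  end
end
```

In a module this check belongs in the `exploit` method before the C source is compiled, so a too-large payload fails with a clear error instead of a corrupted binary.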
If you can rebase on master, the Travis issues in this PR are resolved upstream.
Been testing a few versions. 10.11.6 appeared vulnerable but did not work:

10.13.3 worked great:

Mojave worked fine too.
Release Notes

An exploit module that targets a command injection vulnerability in TimeMachine on macOS <= 10.14.3 is now available. It runs a payload as root. The tmdiagnose binary on macOS <= 10.14.3 can be exploited by creating a specially crafted disk label.
10.11.6 is not vulnerable. It only works from Sierra (10.12.x) to Mojave (10.14.3).
Initial commit of CVE-2019-8513. Ping @ChiChou
Verification
msfconsole