Add exploit for CVE-2019-8513 (TimeMachine cmd injection) #11726
Changes from 9 commits
This approach is likely problematic in the unlikely event that the payload is larger than 1024. If it is in fact problematic, then it may be difficult to debug, as the cause won't be immediately obvious, due to clobbering adjacent binary data. This also results in the payload being written to disk, rather than writing the exploit to disk and executing the payload in memory.

Potential alternatives: setuid(0,0,0) shell, if feasible, and piping the payload as input through STDIN; or exploit method in the event that the generated payload is larger than 1024.
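The clobbering the reviewer describes above, as an added example in Ruby; this is not code from this PR or from the Metasploit module under review, and the 1024-byte slot, its offset and the zero-padding are assumptions made for illustration:

```ruby
# Added example, not code from the PR or the module under review. Shows how writing an
# oversized payload into a fixed 1024-byte slot silently overwrites the bytes after it,
# and the length guard the reviewer asked for. Slot size, offset and padding are assumed.
SLOT_SIZE = 1024

# Constructed stand-in for a binary: a header, a payload slot, then data that must survive.
def build_binary(slot_offset: 16)
  header  = "HDR".ljust(slot_offset, "\x00")
  slot    = "\x00" * SLOT_SIZE
  trailer = "TRAILER-MUST-SURVIVE"
  (header + slot + trailer).b
end

# Unchecked patch: the payload is written wherever it lands, even past the end of the slot.
def patch_unchecked(binary, offset, payload)
  out = binary.dup
  out[offset, payload.bytesize] = payload.b
  out
end

# Checked patch: refuse a payload that does not fit, then write it and zero-pad the slot.
def patch_checked(binary, offset, payload, slot_size: SLOT_SIZE)
  if payload.bytesize > slot_size
    raise ArgumentError, "payload is #{payload.bytesize} bytes, slot is #{slot_size}"
  end
  out = binary.dup
  out[offset, slot_size] = payload.b.ljust(slot_size, "\x00")
  out
end

# True when everything after the slot is byte-identical before and after patching.
def trailer_intact?(original, patched, offset, slot_size: SLOT_SIZE)
  original[(offset + slot_size)..] == patched[(offset + slot_size)..]
end
```

In a module this guard belongs in the exploit method before anything is written, so an oversized payload fails fast with a clear message instead of producing a corrupted file.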
It's actually tmdiagnose that calls back and executes our payload (without any arguments) so there is no way to avoid having some kind of payload on disk. (Unless you can think of a way?).
I'll see if I can pipe the python/command payload through stdin and also add a length check.
🤷 I haven't looked at how the exploit works at all. A closer look reveals the x64 payload obviously can't be piped, unless it's already written to disk, which is less preferable.
Simply adding a length check might be the easiest way.
I'd like to think this won't be the last command injection LPE in TimeMachine. Perhaps mention tmdiagnose in the title, or something else unique and more applicable.