Multiple binaries inside the /Applications directory tree are setuid root, but remain writable by users in the admin group (e.g. the first user created by default in a non-server Mac OS X installation), allowing privilege escalation. A malicious user can overwrite such a binary with arbitrary code. Although the kernel clears the setuid bit when a non-root process writes to the file, the attacker can then perform a disk permissions repair operation via the diskutil tool, which resets the file to its default ownership and permissions (root-owned, setuid), leaving the attacker's code running as root.
Further information:
- MOAB-15-01-2007
- Exploit: MOAB-15-01-2007.rb
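An audit script for the condition described above, added here as an example and not part of the advisory or its Ruby exploit: it lists setuid binaries under a directory tree that are group- or world-writable (on Mac OS X, run it against /Applications), optionally strips the write bits, and exercises both steps on a constructed sample tree in a temporary directory. The application and file names in that sample tree are hypothetical.

```sh
#!/bin/sh
# Added audit example for the advisory above (not the MOAB exploit and not
# code from the advisory): find setuid binaries that are writable by group or
# others. On a real system, any hit owned by root is a candidate of exactly
# the kind described, since a user who can write it can replace its code.
#
# Real use (Mac OS X):  report_writable_setuid /Applications
# Test use below:       a constructed sample tree in a temporary directory.

# Print every regular file under $1 that has the setuid bit set and is
# writable by group or others, one path per line, sorted.
#   -perm -4000 : setuid bit set
#   -perm -020  : group-writable      -perm -002 : world-writable
find_writable_setuid() {
    find "$1" -type f -perm -4000 \( -perm -020 -o -perm -002 \) -print 2>/dev/null | sort
}

# Show owner, group and mode for each hit so the root-owned ones stand out.
report_writable_setuid() {
    find_writable_setuid "$1" | while IFS= read -r f; do
        ls -l "$f"
    done
}

# Strip group/world write from every hit while keeping the setuid bit.
# Needs root on a real system, and note the caveat from the advisory itself:
# "diskutil repairPermissions" restores whatever the package receipt says,
# so this only holds until the receipt (or the package) is corrected.
harden_writable_setuid() {
    find_writable_setuid "$1" | while IFS= read -r f; do
        chmod go-w "$f"
    done
}

# Constructed sample tree (hypothetical app names) so the functions can be
# exercised on any Unix box without touching /Applications. A non-root user
# may set the setuid bit on files it owns, so no privileges are needed.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/Good.app/Contents/MacOS" "$d/Bad.app/Contents/MacOS"
    : > "$d/Good.app/Contents/MacOS/good"
    chmod 4755 "$d/Good.app/Contents/MacOS/good"    # setuid, not writable: fine
    : > "$d/Bad.app/Contents/MacOS/bad"
    chmod 4775 "$d/Bad.app/Contents/MacOS/bad"      # setuid AND group-writable: hit
    : > "$d/Bad.app/Contents/MacOS/helper"
    chmod 0775 "$d/Bad.app/Contents/MacOS/helper"   # writable but not setuid: fine
    printf '%s\n' "$d"
}
```

On a real Mac OS X box you would add `-user root` to the find expression to restrict the listing to the dangerous case; the sample tree omits it because the test files are owned by whoever runs the script. Hardening with chmod is a stopgap only: the advisory's own attack relies on the fact that a permissions repair re-applies the permissions recorded at install time, so the same repair will undo a manual chmod until Apple ships corrected receipts.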
2 comments:
users in the admin group are sudoers. Wouldn't a `sudo su` be sufficient to gain root?
That asks for a password. The whole point about privilege escalation vulnerabilities is actually not requiring any type of authentication / credentials in order to gain privileges.
This can be coupled with a remote exploit, for example the QuickTime issue.
Malware infecting a user in the admin group can make use of it for escalating privileges too.