Monday, January 22, 2007

MOAB-22-01-2007: Apple UserNotificationCenter Privilege Escalation Vulnerability

UserNotificationCenter retains wheel privileges on execution time, and still has a UID associated with the current user. Because of this, it> will attempt to run any InputManager provided by the user. Code within the input manager will run under wheel privileges. In combination with diskutil and a wheel-writable setuid binary, this allows unprivileged users to gain root privileges.
Further information:
Update: updated exploit (now fat binaries are used, thus exploit should work on a system without XCode and related developer tools; source code is provided to avoid the usual FUD about alleged 'root kits' and non-sense), release information, etc. KF worked hard on getting stuff up due to connectivity issues. He deserves a thumbs-up from everyone.


KF said...

Here is a temporary mirror of todays post:

J.P. said...

The InputManagers issue is something that has been discussed ad nauseam since Oompa while the fanboys have been trotting along without a clue:

Input Managers - The Cure
Resetting the Immutables

Unfortunately, the advice given can only serve as speed bumps as these can be defeated. /Library as a whole is a security nightmare.

At the home user level, locking down ~/Library/InputManagers might require more looking into.