UserNotificationCenter retains wheel privileges at execution time, and still has a UID associated with the current user. Because of this, it will attempt to run any InputManager provided by the user. Code within the input manager will run under wheel privileges. In combination with diskutil and a wheel-writable setuid binary, this allows unprivileged users to gain root privileges.
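An audit a defender can run for the two preconditions the chain above depends on (a setuid binary that group wheel can write to, and InputManager bundles a non-root user controls); this is an added example, not code from the original post or the MOAB release, and it assumes POSIX find(1) with numeric -user and that wheel is GID 0 as on macOS.

```shell
#!/bin/sh
# Added audit example (not code from the MOAB post). Checks for the
# preconditions of the UserNotificationCenter/InputManager chain:
# a group-writable setuid binary and non-root-owned InputManager bundles.
# Assumes POSIX find(1); on macOS the wheel group is GID 0.

# Print setuid files under the given directories whose group-write bit
# is set. "-perm -4020": setuid (4000) AND group-writable (0020) both set.
find_group_writable_setuid() {
    find "$@" -type f -perm -4020 2>/dev/null
}

# Print top-level entries of an InputManagers directory that are not
# owned by the given numeric UID. A wheel-privileged process loading such
# a bundle executes code that the bundle's owner controls.
list_bundles_not_owned_by() {
    dir=$1; uid=$2
    [ -d "$dir" ] || return 0
    find "$dir" -mindepth 1 -maxdepth 1 ! -user "$uid" 2>/dev/null
}

# Run both checks against the standard locations. Prints each finding and
# returns 0 when nothing was found, 1 otherwise (usable from cron or a
# configuration check).
audit_inputmanager_chain() {
    report=$(
        find_group_writable_setuid /usr /bin /sbin /Library \
            | sed 's/^/group-writable setuid: /'
        for d in /Library/InputManagers "$HOME/Library/InputManagers"; do
            list_bundles_not_owned_by "$d" 0 \
                | sed 's/^/non-root InputManager bundle: /'
        done
    )
    [ -n "$report" ] && printf '%s\n' "$report"
    [ -z "$report" ]
}
```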
Update: updated exploit (fat binaries are now used, so the exploit should work on a system without Xcode and related developer tools; source code is provided to avoid the usual FUD about alleged 'root kits' and nonsense), release information, etc. KF worked hard on getting stuff up despite connectivity issues. He deserves a thumbs-up from everyone.
2 comments:
Here is a temporary mirror of today's post: http://www.digitalmunition.com/MOAB-22-01-2007.html
The InputManagers issue is something that has been discussed ad nauseam since Oompa while the fanboys have been trotting along without a clue:
Input Managers - The Cure
Resetting the Immutables
Unfortunately, the advice given can only serve as speed bumps as these can be defeated. /Library as a whole is a security nightmare.
At the home user level, locking down ~/Library/InputManagers might require more looking into.