Showing posts with label diskutil. Show all posts

Monday, January 15, 2007

MOAB-15-01-2007: Multiple Mac OS X Local Privilege Escalation Vulnerabilities

Multiple binaries inside the /Applications directory tree are setuid root, but remain writable by users in the admin group (e.g. the first user, by default, in a non-server Mac OS X installation), allowing privilege escalation. A malicious user can overwrite the binaries and then perform a disk permissions repair operation via the diskutil tool, which restores the default ownership and permissions (root, setuid).
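
A defensive check for the condition described above, added here as an example and not part of the original advisory: it lists setuid files owned by a given user (root by default) that are group- or world-writable. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: find setuid files that someone other than the owner can modify.
# Function names are hypothetical; the /Applications path comes from the advisory.

# audit_writable_setuid DIR [OWNER]
#   DIR   - directory tree to scan
#   OWNER - owning user name or numeric uid to match (default: root)
# Prints one path per line.
audit_writable_setuid() {
    dir=$1
    owner=${2:-root}
    # -perm -4000: setuid bit set
    # -perm -0020: group-writable, -perm -0002: world-writable
    find "$dir" -type f -user "$owner" -perm -4000 \
        \( -perm -0020 -o -perm -0002 \) -print
}

# count_writable_setuid DIR [OWNER]
# Prints the number of findings (assumes no newlines in file names).
count_writable_setuid() {
    audit_writable_setuid "$@" | wc -l | tr -d ' '
}

# report_writable_setuid DIR [OWNER]
# Shows mode, owner and group of each finding so the writable group is visible.
report_writable_setuid() {
    audit_writable_setuid "$@" | while IFS= read -r path; do
        ls -ld "$path"
    done
}

# Run a report when a directory is given on the command line, e.g.:
#   sh audit.sh /Applications
if [ $# -gt 0 ]; then
    report_writable_setuid "$@"
fi
```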

Further information:
Thanks to Ian Silvester for donating to the project!

Friday, January 5, 2007

MOAB-05-01-2007: Apple DiskManagement BOM Local Privilege Escalation Vulnerability

A vulnerability in the handling of BOM files allows rogue permissions to be set on the filesystem via the 'diskutil' tool. This can be used to execute arbitrary code and escalate privileges. A malicious user could create a BOM declaring new permissions for specific filesystem locations (e.g. binaries, cron and log directories, etc.). Once 'diskutil' runs a permission repair operation, the rogue permissions would be set, allowing the user to plant a backdoor, overwrite resources or simply gain root privileges.

For further information: