Menu

Search for hundreds of thousands of exploits

"Apple macOS 10.13.1 (High Sierra) - Insecure Cron System Local Privilege Escalation"

Author

Exploit author

"Mark Wadham"

Platform

Exploit platform

macos

Release date

Exploit published date

2017-12-06

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
Recently I was working on an security issue in some other software that has yet to be disclosed which created a rather interesting condition. As a non-root user I was able to write to any file on the system that was not SIP-protected but the resulting file would not be root-owned, even if it previously was.

This presented an interesting challenge for privilege escalation - how would you exploit this to obtain root access? The obvious first attempt was the sudoers file but sudo is smart enough not to process it if the file isn't root-owned so that didn't work.

I then discovered (after a tip from a friend - thanks pndc!) that the cron system in macOS does not care who the crontab files are owned by. Getting root was a simple case of creating a crontab file at:

```
/var/at/tabs/root
```

with a 60-second cron line, eg:

```
* * * * * chown root:wheel /tmp/payload && chmod 4755 /tmp/payload
```

and then waiting for it to execute. It's not clear if this is a macOS-specific issue or a hangover from the BSD-inherited cron system, I suspect the latter.

The issue has been reported to Apple so hopefully they will fix it.
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-05-12 "MacOS 320.whatis Script - Privilege Escalation" local macos "Csaba Fitzl"
2020-04-16 "VMware Fusion - USB Arbitrator Setuid Privilege Escalation (Metasploit)" local macos Metasploit
2020-03-20 "VMware Fusion 11.5.2 - Privilege Escalation" local macos "Rich Mirch"
2020-03-17 "VMWare Fusion - Local Privilege Escalation" local macos Grimm
2019-12-18 "macOS 10.14.6 (18G87) - Kernel Use-After-Free due to Race Condition in wait_for_namespace_event()" dos macos "Google Security Research"
2019-11-22 "macOS 10.14.6 - root->kernel Privilege Escalation via update_dyld_shared_cache" local macos "Google Security Research"
2019-11-05 "macOS XNU - Missing Locking in checkdirs_callback() Enables Race with fchdir_common()" dos macos "Google Security Research"
2019-11-04 "Apple macOS 10.15.1 - Denial of Service (PoC)" dos macos 08Tc3wBB
2019-10-09 "XNU - Remote Double-Free via Data Race in IPComp Input Path" dos macos "Google Security Research"
2019-09-19 "macOS 18.7.0 Kernel - Local Privilege Escalation" local macos A2nkF
Release Date Title Type Platform Author
2018-07-30 "Charles Proxy 4.2 - Local Privilege Escalation" local macos "Mark Wadham"
2018-01-29 "Arq 5.10 - Local Privilege Escalation (1)" local macos "Mark Wadham"
2018-01-29 "Arq 5.10 - Local Privilege Escalation (2)" local macos "Mark Wadham"
2017-12-06 "Sera 1.2 - Local Privilege Escalation / Password Disclosure" local macos "Mark Wadham"
2017-12-06 "Hashicorp vagrant-vmware-fusion 5.0.1 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Arq 5.9.6 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Arq 5.9.7 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Hashicorp vagrant-vmware-fusion 5.0.3 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Murus 1.4.11 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Proxifier for Mac 2.19 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Hashicorp vagrant-vmware-fusion 4.0.24 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Hashicorp vagrant-vmware-fusion 5.0.0 - Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Apple macOS 10.13.1 (High Sierra) - Insecure Cron System Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Hashicorp vagrant-vmware-fusion 4.0.23 - Local Privilege Escalation" local macos "Mark Wadham"
2017-07-18 "Hashicorp vagrant-vmware-fusion < 4.0.20 - Local Root Privilege Escalation" local macos "Mark Wadham"
2017-04-11 "Proxifier for Mac 2.17/2.18 - Privesc Escalation" local macos "Mark Wadham" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected