module
macOS cfprefsd Arbitrary File Write Local Privilege Escalation
| Disclosed | Created |
|---|---|
| Mar 18, 2020 | Sep 5, 2020 |
Disclosed
Mar 18, 2020
Created
Sep 5, 2020
Description
This module exploits an arbitrary file write in cfprefsd on macOS order to run a payload as root. The CFPreferencesSetAppValue function, which is
reachable from most unsandboxed processes, can be exploited with a race condition
in order to overwrite an arbitrary file as root. By overwriting /etc/pam.d/login
a user can then login as root with the `login root` command without a password.
reachable from most unsandboxed processes, can be exploited with a race condition
in order to overwrite an arbitrary file as root. By overwriting /etc/pam.d/login
a user can then login as root with the `login root` command without a password.
Authors
Yonghwi Jin jinmoteam@gmail.com
Jungwon Lim setuid0@protonmail.com
Insu Yun insu@gatech.edu
Taesoo Kim taesoo@gatech.edu
timwr
Jungwon Lim setuid0@protonmail.com
Insu Yun insu@gatech.edu
Taesoo Kim taesoo@gatech.edu
timwr
Platform
OSX
Architectures
x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.