A Weird Privilege Escalation Vulnerability Exploited in Mac OS (CVE-2015-5889)

Monsef Noubadji
Dec 30, 2021

  • While reading a write-up about a recent Windows vulnerability named PrintNightmare (CVE-2021-1675), which allows remote code execution in the Windows Spooler service, I thought of doing some research on Mac OS to see what we can find that is similar to "PrintNightmare". So I started Googling the common security issues Mac OS has dealt with so far, and it turns out that most of the vulnerabilities were "memory corruption" ones. That means only one thing: malloc().

1 - What is malloc()?

malloc(), short for memory allocation, is a function used to dynamically allocate a single large block of memory of a specific size. It returns a pointer of type void, which can be cast into a pointer of any form. Well, what does that have to do with "rooting our Mac"? We already know that:

  • The default root-suid (superuser id) binary is located at /usr/bin/rsh. The thing is that its usage of execv() (a function that executes a file by its name as a new process image) is insecure: it doesn't verify whether a previous similar ID exists, which makes it easier to manipulate rlogin() (remote login), since it is invoked with only a host argument. So this is how it happens:

2 - rsh/libmalloc exploit:

  • The "MallocLogFile" is passed to /usr/bin/rsh. Since we are on a host argument, rlogin() will process the log file, which is afterward interpreted by libmalloc. That results in the creation of a new root-owned file with some controlled content at /etc/crontab (crontab is a task scheduler in Linux environments), which eventually returns a root shell via sudo. Pretty cool, isn't it ;) ?
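The issue described above is a root-suid program letting a caller-supplied environment variable (MallocLogFile) reach code that runs as root. The following C program is an added example, not code from the original post or from Apple: it shows how a privileged helper can rebuild its environment from an allowlist before calling an exec function. The allowlist contents, the fixed PATH value and the function names `is_safe_entry` and `build_clean_env` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed allowlist: the only caller-supplied variables passed through. */
static const char *const SAFE_VARS[] = { "TERM", "LANG", "TZ", NULL };
static char FIXED_PATH[] = "PATH=/usr/bin:/bin"; /* never trust caller PATH */

/* 1 if entry is "NAME=value" and NAME is on the allowlist, else 0. */
static int is_safe_entry(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry)
        return 0; /* malformed entry: drop it */
    size_t n = (size_t)(eq - entry);
    for (size_t i = 0; SAFE_VARS[i] != NULL; i++)
        if (strlen(SAFE_VARS[i]) == n && strncmp(entry, SAFE_VARS[i], n) == 0)
            return 1;
    return 0;
}

/* Fill out[] with FIXED_PATH plus allowlisted env[] entries; -1 if too small. */
int build_clean_env(char *const env[], char *out[], size_t cap)
{
    size_t kept = 0;
    if (cap < 2) return -1; /* need room for PATH and the terminator */
    out[kept++] = FIXED_PATH;
    for (size_t i = 0; env[i] != NULL; i++) {
        if (!is_safe_entry(env[i]))
            continue; /* MallocLogFile and anything else unknown ends here */
        if (kept + 1 >= cap)
            return -1;
        out[kept++] = env[i];
    }
    out[kept] = NULL;
    return (int)kept;
}

int main(void)
{
    /* Constructed sample environment, as a caller might supply it. */
    char *env[] = { "TERM=xterm", "MallocLogFile=/tmp/constructed-example.log",
                    "PATH=/tmp/constructed", "LANG=C", NULL };
    char *clean[8];
    int n = build_clean_env(env, clean, 8);
    for (int i = 0; i < n; i++)
        puts(clean[i]);
    /* A real helper would now call execve(path, argv, clean). */
    return n < 0;
}
```

An allowlist is used rather than a list of known-bad names because a denylist has to anticipate every variable that any linked library might honor.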
