issetugid() + rsh + libmalloc OS X Local Root

https://packetstormsecurity.com/files/133826/osx-rsh.py.txt
https://packetstormsecurity.com/files/133826/issetugid-rsh-libmalloc-OS-X-Local-Root.html

Sat, 03 Oct 2015 00:08:13 GMT

The default root-suid binary /usr/bin/rsh on Mac OS X uses execv() in an insecure manner. When launched with only a host argument, /usr/bin/rsh invokes /usr/bin/rlogin without dropping privileges or clearing the environment. This exploit passes "MallocLogFile" to /usr/bin/rsh; the variable is then passed on to rlogin and interpreted by libmalloc, which creates a root-owned file with partially controlled contents at /etc/crontab. That file gives a root shell via sudo. Tested on 10.9.5 / 10.10.5, but it most likely works on much older versions too.
