issetugid() + rsh + libmalloc OS X Local Root
https://packetstormsecurity.com/files/133826/osx-rsh.py.txt
https://packetstormsecurity.com/files/133826/issetugid-rsh-libmalloc-OS-X-Local-Root.html
Sat, 03 Oct 2015 00:08:13 GMT

The default root-suid binary /usr/bin/rsh on Mac OS X uses execv() in an insecure manner. /usr/bin/rsh will invoke /usr/bin/rlogin if launched with only a host argument, without dropping privileges or clearing the environment. This exploit will pass "MallocLogFile" to /usr/bin/rsh, which is then passed on to rlogin and interpreted by libmalloc to create a root-owned file with partially controlled contents at /etc/crontab, which gives a root shell via sudo. Tested on 10.9.5 / 10.10.5, but it most likely works on much older versions too.