macOS cfprefsd Arbitrary File Write Local Privilege Escalation

Disclosure Date: 2020-03-18
First seen: 2020-09-04
Module: exploit/osx/local/cfprefsd_race_condition

This module exploits an arbitrary file write in cfprefsd on macOS <= 10.15.4 in order to run a payload as root. The CFPreferencesSetAppValue function, which is reachable from most unsandboxed processes, can be exploited with a race condition in order to overwrite an arbitrary file as root. By overwriting /etc/pam.d/login a user can then login as root with the `login root` command without a password.

Authors:
- Yonghwi Jin <jinmoteam@gmail.com>
- Jungwon Lim <setuid0@protonmail.com>
- Insu Yun <insu@gatech.edu>
- Taesoo Kim <taesoo@gatech.edu>
- timwr

Safari in Operator Side Effect Exploit

Disclosure Date: 2020-03-18
First seen: 2020-10-01
Module: exploit/osx/browser/safari_in_operator_side_effect

This module exploits an incorrect side-effect modeling of the 'in' operator. The DFG compiler assumes that the 'in' operator is side-effect free; however, the <embed> element with the PDF plugin provides a callback that can trigger side effects, leading to type confusion (CVE-2020-9850). The type confusion can be used as addrof and fakeobj primitives that then lead to arbitrary read/write of memory. These primitives allow us to write shellcode into a JIT region (RWX memory) containing the next stage of the exploit. The next stage uses CVE-2020-9856 to exploit a heap overflow in CVM Server, and extracts a macOS application containing our payload into /var/db/CVMS. The payload can then be opened with CVE-2020-9801, executing the payload as a user but without sandbox restrictions.

Authors:
- Yonghwi Jin <jinmoteam@gmail.com>
- Jungwon Lim <setuid0@protonmail.com>
- Insu Yun <insu@gatech.edu>
- Taesoo Kim <taesoo@gatech.edu>
- timwr
2 Metasploit modules found. Please note: Metasploit modules are only matched by CVE numbers.