Thursday, May 9, 2024

Root Privilege Escalation via diskutil

Eswar:

A new local privilege escalation vulnerability has been discovered in macOS which could allow any user to escalate their privileges to root by mounting filesystems using the “diskutil” command line utility. This new vulnerability has been assigned CVE-2023-42931 and the severity is yet to be categorized.

[…]

If a user has mount privileges on macOS, then the user needs to find a file which meets the following conditions.

  • Owned by root when mounted in “owners” mode;
  • Considered owned by myself when mounted in “noowners” mode;
  • Not protected by SIP.

[…]

After creating this suidshell binary, the next step would be to mount the targeted filesystem with the “noowners” flag. Then the researcher proceeded to make the “.file” writable and copy the suidshell binary into the “.file”.

Apple fixed this late last year.
