{"id":43167,"date":"2024-05-09T14:49:46","date_gmt":"2024-05-09T18:49:46","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=43167"},"modified":"2024-05-09T14:49:46","modified_gmt":"2024-05-09T18:49:46","slug":"root-privilege-escalation-via-diskutil","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2024\/05\/09\/root-privilege-escalation-via-diskutil\/","title":{"rendered":"Root Privilege Escalation via diskutil"},"content":{"rendered":"<p><a href=\"https:\/\/hackhunting.com\/2024\/04\/05\/easy-root-privilege-escalation-in-apple-macos-ventura-sonoma-monterey-cve-2023-42931\/\">Eswar<\/a>:<\/p>\n<blockquote cite=\"https:\/\/hackhunting.com\/2024\/04\/05\/easy-root-privilege-escalation-in-apple-macos-ventura-sonoma-monterey-cve-2023-42931\/\"><p>A new local privilege escalation vulnerability has been discovered in macOS which could allow any user to escalate their privileges to root by mounting filesystems using &ldquo;diskutil&rdquo; command line utility. This new vulnerability has been assigned with <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-42931\">CVE-2023-42931<\/a> and the severity is yet to be categorized.<\/p><p>[&#8230;]<\/p><p>If a user has mount privileges on the macOS, then the user needs to find a file which has the following conditions.<\/p><ul><li>Owned by root when mounted in &ldquo;owners&rdquo; mode;<\/li><li>Considered owned by myself when mounted in &ldquo;noowners&rdquo; mode;<\/li><li>Not protected by SIP.<\/li><\/ul><p>[&#8230;]<\/p><p>After creating this suidshell binary, the next step would be to mount the targeted filesystem with the &ldquo;noowners&rdquo; flag. 
Then the researcher proceeded to make the &ldquo;.file&rdquo; writable and copy the suidshell binary into the &ldquo;.file&rdquo;.<\/p><\/blockquote>\n<p>Apple fixed this late last year.<\/p>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2023\/12\/12\/macos-14-2\/\">macOS 14.2<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2023\/12\/12\/macos-13-6-3-and-macos-12-7-2\/\">macOS 13.6.3 and macOS 12.7.2<\/a><\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>Eswar: A new local privilege escalation vulnerability has been discovered in macOS which could allow any user to escalate their privileges to root by mounting filesystems using &ldquo;diskutil&rdquo; command line utility. This new vulnerability has been assigned with CVE-2023-42931 and the severity is yet to be categorized.[&#8230;]If a user has mount privileges on the macOS, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2024-05-09T18:49:48Z","apple_news_api_id":"964326aa-f8b7-4bf1-af09-cb17640d5c2b","apple_news_api_modified_at":"2024-05-09T18:49:48Z","apple_news_api_revision":"AAAAAAAAAAD\/\/\/\/\/\/\/\/\/\/w==","apple_news_api_share_url":"https:\/\/apple.news\/AlkMmqvi3S_GvCcsXZA1cKw","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[2095,546,30,2077,2223,2385,48],"class_list":["post-43167","post","type-post","status-publish","format-standard","hentry","category-technology","tag-exploit","tag-ownership","tag-m
ac","tag-macos-12","tag-macos-13-ventura","tag-macos-14-sonoma","tag-security"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/43167","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=43167"}],"version-history":[{"count":1,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/43167\/revisions"}],"predecessor-version":[{"id":43168,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/43167\/revisions\/43168"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=43167"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=43167"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=43167"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}