
Mailing List Archive: Full Disclosure: Full-Disclosure

OS X Local Root: Silly SUID Helper in Tunnel Blick

 

 



Jason at zx2c4

Aug 11, 2012, 12:19 AM

Post #1 of 2 (185 views)
OS X Local Root: Silly SUID Helper in Tunnel Blick

Tunnel Blick is a fun punching bag. Lots of possible exploits.

Lots of vulnerable SUID code:
http://code.google.com/p/tunnelblick/source/search?q=openvpnstart.m&origq=openvpnstart.m&btnG=Search+Trunk

One such exploit: http://git.zx2c4.com/Pwnnel-Blicker/tree/pwnnel-blicker.c

Bla bla demonstration: http://www.youtube.com/watch?v=T6PBfLgEGxM

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Jason at zx2c4

Aug 11, 2012, 8:06 AM

Post #2 of 2 (169 views)
Re: OS X Local Root: Silly SUID Helper in Tunnel Blick

In case there was any debate over what I meant by "fun punching bag",
here's a shell script that gets root by a different vector:

http://git.zx2c4.com/Pwnnel-Blicker/tree/pwnnel-blicker-for-kids.sh
http://www.youtube.com/watch?v=8DUNWEzaL2U


You can also fool the program into loading arbitrary kernel modules,
among other things.

