module
Mac OS X Sudo Password Bypass
| Disclosed | Created |
|---|---|
| 02/28/2013 | 05/30/2018 |
Disclosed
02/28/2013
Created
05/30/2018
Description
This module gains a session with root permissions on versions of OS X with
sudo binary vulnerable to CVE-2013-1775. Tested working on Mac OS 10.7-10.8.4,
and possibly lower versions.
If your session belongs to a user with Administrative Privileges
(the user is in the sudoers file and is in the "admin group"), and the
user has ever run the "sudo" command, it is possible to become the super
user by running `sudo -k` and then resetting the system clock to 01-01-1970.
This module will fail silently if the user is not an admin, if the user has never
run the sudo command, or if the admin has locked the Date/Time preferences.
Note: If the user has locked the Date/Time preferences, requests to overwrite
the system clock will be ignored, and the module will silently fail. However,
if the "Require an administrator password to access locked preferences" setting
is not enabled, the Date/Time preferences are often unlocked every time the admin
logs in, so you can install persistence and wait for a chance later.
sudo binary vulnerable to CVE-2013-1775. Tested working on Mac OS 10.7-10.8.4,
and possibly lower versions.
If your session belongs to a user with Administrative Privileges
(the user is in the sudoers file and is in the "admin group"), and the
user has ever run the "sudo" command, it is possible to become the super
user by running `sudo -k` and then resetting the system clock to 01-01-1970.
This module will fail silently if the user is not an admin, if the user has never
run the sudo command, or if the admin has locked the Date/Time preferences.
Note: If the user has locked the Date/Time preferences, requests to overwrite
the system clock will be ignored, and the module will silently fail. However,
if the "Require an administrator password to access locked preferences" setting
is not enabled, the Date/Time preferences are often unlocked every time the admin
logs in, so you can install persistence and wait for a chance later.
Authors
Todd C. Millerjoev juan vazquez
Platform
OSX
Architectures
x86, x64, cmd
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
msf > use exploit/osx/local/sudo_password_bypass
msf /(s) > show actions
...actions...
msf /(s) > set ACTION < action-name >
msf /(s) > show options
...show and set options...
msf /(s) > run
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.