Rapid7 Vulnerability & Exploit Database

Mac OS X Sudo Password Bypass

Back to Search

Mac OS X Sudo Password Bypass

Disclosed
02/28/2013
Created
05/30/2018

Description

This module gains a session with root permissions on versions of OS X with sudo binary vulnerable to CVE-2013-1775. Tested working on Mac OS 10.7-10.8.4, and possibly lower versions. If your session belongs to a user with Administrative Privileges (the user is in the sudoers file and is in the "admin group"), and the user has ever run the "sudo" command, it is possible to become the super user by running `sudo -k` and then resetting the system clock to 01-01-1970. This module will fail silently if the user is not an admin, if the user has never run the sudo command, or if the admin has locked the Date/Time preferences. Note: If the user has locked the Date/Time preferences, requests to overwrite the system clock will be ignored, and the module will silently fail. However, if the "Require an administrator password to access locked preferences" setting is not enabled, the Date/Time preferences are often unlocked every time the admin logs in, so you can install persistence and wait for a chance later.

Author(s)

  • Todd C. Miller
  • joev <joev@metasploit.com>
  • juan vazquez <juan.vazquez@metasploit.com>

Platform

OSX

Architectures

x86, x64, cmd

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/osx/local/sudo_password_bypass
msf exploit(sudo_password_bypass) > show targets
    ...targets...
msf exploit(sudo_password_bypass) > set TARGET < target-id >
msf exploit(sudo_password_bypass) > show options
    ...show and set options...
msf exploit(sudo_password_bypass) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security

;