.gitignore
GPG_Suite-2018.5.dmg
LICENSE
OBTS_v2_Bradley.pdf
ProVideoFormats.dmg
README.md
gpg_poc
root_exploit
sip_poc
CVE-2019-8561 / CVE-2022-32895

Proof-of-concept exploit for CVE-2019-8561, discovered by Jaron Bradley (@jbradley89) (patched in macOS 10.14.4). This script exploits a TOCTOU bug in the macOS installer that enables code execution as root.

Apple addressed this vulnerability again in macOS 13 (Ventura) as CVE-2022-32895 on Oct. 24, 2022.

See Jaron's Objective By the Sea v2 talk "Bad Things in Small Packages" where he demonstrates getting r00t and bypassing SIP.

(N.B. All scripts other than gpg_poc are half-finished and likely don't work in their current state. Published for the sake of completeness.)

My accompanying blog post "CVE-2019-8561 Proof of Concept Exploit".

gpg_poc

Monitors $HOME/Downloads for a GPG Suite DMG. When it finds one, it converts the DMG from read-only to read-write and then resizes it to 60MB.

Once the installer starts, the script expands the package, modifies the preinstall script to create /var/test via touch, then flattens it in place of the original package.

The modified package contents will be used by the installer; however, the UI will still indicate that the package is correctly code signed.
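The check-then-use pattern behind the bug described above, as an added example that is not part of this repository's code: a verifier that checks a package where it sits and then re-reads it from the user-writable location, beside a version that stages a private copy first and verifies only that copy. A SHA-256 digest stands in for the real code-signature check, the `between` callback simulates whatever rewrites the file inside the window, and all file names and contents are constructed.

```python
import hashlib
import os
import shutil
import tempfile

def digest(path):
    """Stand-in for a code-signature check: SHA-256 of the file's bytes."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def install_vulnerable(pkg_path, trusted_digest, between):
    """Verify the package where it sits, then read it again to 'install' it.
    `between` simulates whatever modifies the file inside that window."""
    if digest(pkg_path) != trusted_digest:
        return None                     # fail closed on a bad signature
    between()                           # the check-to-use window
    with open(pkg_path, "rb") as f:     # re-reads the user-writable original
        return f.read()

def install_hardened(pkg_path, trusted_digest, between):
    """Stage a private copy first; verify and install only that copy."""
    with tempfile.TemporaryDirectory() as private_dir:  # created mode 0700
        staged = os.path.join(private_dir, "package.pkg")
        shutil.copyfile(pkg_path, staged)
        if digest(staged) != trusted_digest:
            return None
        between()                       # same window; the original is no longer consulted
        with open(staged, "rb") as f:
            return f.read()

def demo():
    """Constructed scenario: a 'signed' package rewritten after the check."""
    workdir = tempfile.mkdtemp()
    pkg = os.path.join(workdir, "GPG_Suite.pkg")   # constructed name, not a real package
    signed = b"preinstall: exit 0\n"
    tampered = b"preinstall: modified\n"
    trusted = hashlib.sha256(signed).hexdigest()
    def rewrite():                                  # what happens between check and use
        with open(pkg, "wb") as f:
            f.write(tampered)
    with open(pkg, "wb") as f:
        f.write(signed)
    vulnerable = install_vulnerable(pkg, trusted, rewrite)
    with open(pkg, "wb") as f:
        f.write(signed)                             # reset for the second run
    hardened = install_hardened(pkg, trusted, rewrite)
    shutil.rmtree(workdir)
    return vulnerable, hardened                     # (tampered bytes, signed bytes)
```

The vulnerable path executes the rewritten contents even though the signature check passed; the hardened path executes exactly what it verified.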

Tested on:

  • 10.14.2