LPE via File Permissions

Various third-party applications and installers modify default directory permissions and, in doing so, create vulnerable scenarios. Our ability to escalate privileges therefore depends on which applications are installed on the system. There are three file permission scenarios we can quickly look for:

1. Direct Write Privileges

Directory privileges can extend or override file permissions. Even if a target file is owned by a different user, privileges on the containing directory may allow us to modify the file. Modifying files that applications don't expect to change may allow us to replace binaries, alter configurations, and so on. For static analysis, try using enum_file_permissions.py or enum_file_permissions.sh to quickly discover potential issues (the Python script has been tested more, but the Bash script is a good fallback if Python is removed or blocked).

2. Path Hijacking

The directories listed in the PATH env var dictate how macOS searches for executables on the system. If we can write executables to a directory near the beginning of the path, it may be possible to trick a process running as root into executing the wrong file.

  • The default PATH, even for root, begins with /usr/local/bin. This is fine initially because only root can write to it, but third-party applications often misuse this directory. For example, the Brew package manager changes the permissions of the directory so the developer can install packages without root.
  • Common developer tools (Gcloud SDK, Node) may also prefix root's PATH with user-writable directories.
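As an added audit example (not the page's enum_file_permissions script, and not from any project named above), the following Python applies the two checks described so far: whether each PATH entry, in search order, could be controlled by a non-root account, and whether directory rights let a root-owned file be replaced. The root-equivalent group set, the sample PATH and its ownership table are constructed assumptions modelled on a post-Homebrew Mac, not real stat output.

```python
import os
from collections import namedtuple

Owner = namedtuple("Owner", "uid gid mode")  # mode: permission bits only, e.g. 0o755 or 0o1777 (sticky)
# Assumption: gids treated as root-equivalent (wheel=0, admin=80 on macOS; admin users can sudo).
ROOT_EQUIV_GROUPS = {0, 80}

def writable_by_non_root(o):
    """Non-root owner, world write bit (0o002), or group write bit (0o020) for an ordinary group."""
    if o.uid != 0 or o.mode & 0o002:
        return True
    return bool(o.mode & 0o020) and o.gid not in ROOT_EQUIV_GROUPS

def file_replaceable(file_owner, dir_owner):
    """Directory rights override file rights: a root-owned 0644 file can be unlinked and replaced
    by anyone who can write its directory, unless the directory is sticky (0o1000) and root-owned."""
    if writable_by_non_root(file_owner):
        return True
    if not writable_by_non_root(dir_owner):
        return False
    return not (dir_owner.mode & 0o1000 and dir_owner.uid == 0)

def owner_of(path):  # live lookup with os.stat; None when the PATH entry does not exist
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return Owner(st.st_uid, st.st_gid, st.st_mode & 0o7777)

def audit_path(path_value, lookup=owner_of):
    """Walk PATH in search order (index 0 wins) and report entries a non-root user could control."""
    findings = []
    for i, d in enumerate(path_value.split(":")):
        if d == "":
            findings.append((i, d, "empty entry searches the current directory"))
        elif (o := lookup(d)) is None:
            findings.append((i, d, "missing: creatable if its parent is writable"))
        elif writable_by_non_root(o):
            findings.append((i, d, "writable by non-root"))
    return findings

# Constructed sample, not real stat output: the default macOS PATH after Homebrew chowned
# /usr/local/bin to the console user (uid 501, gid admin) and gcloud prefixed a user-owned dir.
SAMPLE_PATH = "/Users/dev/google-cloud-sdk/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin"
SAMPLE_STAT = {"/Users/dev/google-cloud-sdk/bin": Owner(501, 20, 0o755),
               "/usr/local/bin": Owner(501, 80, 0o755),
               **{d: Owner(0, 0, 0o755) for d in ("/usr/bin", "/bin", "/usr/sbin", "/sbin")}}

def audit_sample():
    return audit_path(SAMPLE_PATH, SAMPLE_STAT.get)
```

Calling audit_path(os.environ["PATH"]) runs the same check against the live system; findings at low indexes matter most, since the first match wins.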

3. Privileged Write

Applications with root privileges may copy or write files to an accessible path. If we can execute code before this write, we may be able to create a symlink at the write target that points to a file we want to overwrite. This technique can be used to overwrite service or startup scripts that execute as root. For dynamic analysis, try using FileMonitor on a test machine with the same applications installed.

Exploitation of these vulnerabilities typically involves creating a symlink at the location a privileged application writes to. Through this symlink, the privileged write can create a new LaunchAgent/LaunchDaemon or potentially modify sensitive PAM config files.

I haven’t found a way to escalate using arbitrary file deletion.

Additional Resources