zhuowei/MacDirtyCowDemo

Gain root without running commands through su

Thyssenkrupp234 opened this issue · 7 comments

I'm developing an app, ra1nm8, for macOS using the MDC bug. Currently it exploits the system and runs your method of replacing su; however, su -c doesn't work on macOS. How can I use MDC to be able to execute code as root, such as through sudo, where sudo doesn't ask for your admin password?

Thank you for developing this exploit!

Why... do you need this on a Mac? Macs let you set your own admin password, so there's no need to try to "jailbreak" a Mac. (And public / school Macs are probably patched against this exploit by now.)

The "jailbreak" app is indeed meant for a school device I have been allowed to experiment with. I have found a way to bypass Jamf Protect. Is it possible to use it in the way I mentioned above?

Thanks @zhuowei.

edit: also using it to experiment with M1s and how to bypass their security.

a school device I have been allowed to experiment with

I strongly recommend that you do not attempt this on a school computer. When the school lent you a computer, you likely had to agree to terms about what you're allowed to do with the computer. Please verify if this is within those allowed categories.

If you do not have access to another Mac, you may want to try installing macOS in a virtual machine instead.

That being said:

  • the manpage for macOS's su seems to show that it takes an argument for a command to run: maybe that would work?
  • or you could try overwriting sudo's config file at /etc/pam.d/sudo instead to make it always pass. See SSLabs@Gatech's presentation for how they overwrote su's config file (that's where I learned how to do this). Note that you may need to pad the file with spaces, since you can only write files of the same length.

Thanks for the warning. My school is allowing me to test the security system against MDC after I reported it to them. However, I will test this on my own Macs running 12.6.1 and 10.13.6.

On Linux, su -c <code> worked; however, on macOS it doesn't seem to work.

I have no idea how the /etc/pam.d/su overwrite worked, however I'll look into that.

Thanks!

One potential way: you could just write your commands into the shell spawned by su.

e.g. echo whoami | su on my computer does run "whoami" if I'm already running as root. I assume it would also work here.

Their presentation showed how they edited /etc/pam.d/login to replace all the pam_(whatever).so with pam_permit.so to make login allow logins without a password. I did the same for /etc/pam.d/su (although for su I only needed to replace the first one).
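A defender-side check for the tampering pattern described in the comment above (a PAM service file whose auth modules have been swapped for pam_permit.so, space-padded so the file keeps its original length). This is an added example, not code from this thread or from the MacDirtyCowDemo project; the sample files are constructed, and the rule "pam_permit.so on an auth line is suspicious" is an assumption to tune against your own baseline.

```shell
#!/bin/sh
# Added example, not from the thread: audit a PAM service file for the
# tampering pattern described above (auth modules swapped for pam_permit.so,
# space-padded so the file length stays the same). Heuristic: tune to your
# baseline before alerting on it.

audit_pam_file() {
    file="$1"
    findings=0
    # An auth line loading pam_permit.so makes authentication succeed
    # unconditionally (assumption: not expected in a stock service file).
    if grep -Eq '^[[:space:]]*auth[[:space:]].*pam_permit\.so' "$file"; then
        echo "$file: pam_permit.so in auth stack"
        findings=$((findings + 1))
    fi
    # A same-length overwrite leaves config lines padded with trailing spaces.
    if grep -Eq '[[:space:]]+$' "$file"; then
        echo "$file: trailing whitespace padding"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample files (not copies of real system files) for an offline run.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/su.clean" <<'EOF'
# su: auth account session
auth       sufficient     pam_rootok.so
auth       required       pam_opendirectory.so
account    required       pam_opendirectory.so no_check_shell
session    required       pam_launchd.so
EOF
    # Both auth modules swapped; the second is padded to the original 20 bytes.
    {
        printf '# su: auth account session\n'
        printf 'auth       sufficient     pam_permit.so\n'
        printf 'auth       required       pam_permit.so%7s\n' ''
        printf 'account    required       pam_opendirectory.so no_check_shell\n'
        printf 'session    required       pam_launchd.so\n'
    } > "$dir/su.tampered"
    echo "$dir"
}

# Stand-alone demo on the constructed samples.
d=$(make_samples)
audit_pam_file "$d/su.clean" && echo "$d/su.clean: ok"
audit_pam_file "$d/su.tampered" || echo "$d/su.tampered: SUSPICIOUS"
```

On a real host, run audit_pam_file against /etc/pam.d/su, /etc/pam.d/login and /etc/pam.d/sudo and compare against a known-good copy; a clean file returns 0 and a flagged one returns 1.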

Your solution does allow executing commands through su; however, after a test I found this out:

$ port selfupdate | su

Error: Insufficient privileges to write to MacPorts install prefix

Then, I entered the su itself, and then dropped the command, and it worked.

I'm also experimenting with su -l root; however, it seems the command would need to be in a shell script.

I'll take a more thorough look at the presentation, thank you!

Update!

I finally got it working. su root -c 'port upgrade outdated' seemed to be the only way to exec commands. I got confused originally as -c wouldn't work without you specifying to log in as root.

Thanks for your assistance, I'll look into the presentation to attempt to patch sudo, if it is needed.

Have a great day!