This write-up only covers macOS, but this issue may also affect the Windows version.
Analysis
The issue was addressed in APSB18-12:
Adobe Creative Cloud installs a daemon with root privilege:
/Library/PrivilegedHelperTools/com.adobe.acc.installer
It accepts XPC connections via an NSXPCConnection remote interface. There's a method handleAction:withReply: in the SMJobBlessHelper class that is exposed to non-root processes. The messages are serialized in XML.
For example, the following message will launch a process as root:
But there are signature checks, both upon establishing the connection and before the process creation:
Inside OOBEUtils::CryptUtils::GetCANameChain, it simply invokes the /usr/bin/codesign command to validate the caller and the new process. It is clear that there is a TOCTOU.
- The call usleep(100000) seems to be a long enough time window to modify the file.
- On macOS, it's not even a problem to replace an executable while it's still running. Simply copying an Adobe-signed binary over the malicious binary after process creation will bypass the check.
- It's not just the executable file; the pid can be racy too. Please refer to Ian Beer's MacOS/iOS userspace entitlement checking is racy and Samuel Groß's Don't Trust the PID!. Use execve or posix_spawn with the POSIX_SPAWN_SETEXEC attr for a completely reliable exploit.
And we don't even bother racing with it…
- It uses a custom string-matching algorithm to parse the output of the codesign utility, and the parser looks buggy (didn't try that)
- I've seen DYLD_INSERT_LIBRARIES work for so many IPC caller validation bypasses. Just attach your payload to the trusted executable.
- Furthermore, there's a nodejs interpreter with a valid code signature. So just write the payload in JavaScript.
There are many signed node.js copies across many distributions, and they share the same developer team id:
This one from Adobe Creative Cloud:
This one from Adobe Brackets Editor:
Do not trust a script interpreter as a privilege boundary, because interpreters are designed to execute untrusted code. The node.js interpreter is also available on Windows. I didn't test, but I believe that it's easy to adapt the exploit to that.
Here's a working exploit. nc -lvvv 4444 to get an interactive root shell.
Note that this XPC service is not the only vulnerable component. Other libraries, like ElevationManager, share the same (vulnerable) code base and can be triggered through other IPC mechanisms like FIFO files.
The Patch
Adobe removed the buggy codesign checker and made codesign requirement string more restrictive.
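As an added hardening example (not Adobe's code and not part of the original write-up), this is how a privileged helper can avoid both the path-based TOCTOU and the pid race described above: validate the peer's live code object by audit token against a designated requirement using the Security framework, instead of spawning /usr/bin/codesign on a path. The bundle identifier, team id, and the kClientRequirement string are placeholders I chose; how the audit_token_t is obtained from the connection is left to the caller.

```objc
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <mach/message.h>   /* audit_token_t */

/* Designated requirement expected of callers: an Apple-anchored Developer ID
 * signature from one team and one bundle identifier. The identifier and team
 * id below are placeholders (assumption), not values from the advisory. */
static NSString *const kClientRequirement =
    @"anchor apple generic and identifier \"com.example.client\" and "
    @"certificate leaf[subject.OU] = \"TEAMID0000\"";

/* Validate the live code object behind an audit token against a requirement.
 * The audit token names the exact process instance, so neither a binary
 * replaced on disk after launch (the TOCTOU in the write-up) nor a reused pid
 * can satisfy the check: the kernel's view of the loaded code is verified,
 * not a path handed to /usr/bin/codesign. */
static BOOL PeerSatisfiesRequirement(audit_token_t token, NSString *requirement) {
    BOOL ok = NO;
    SecCodeRef code = NULL;
    SecRequirementRef req = NULL;
    CFDataRef tokenData = CFDataCreate(kCFAllocatorDefault,
                                       (const UInt8 *)&token, sizeof(token));
    NSDictionary *attrs = @{ (__bridge id)kSecGuestAttributeAudit : (__bridge id)tokenData };

    if (SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                       kSecCSDefaultFlags, &code) == errSecSuccess &&
        SecRequirementCreateWithString((__bridge CFStringRef)requirement,
                                       kSecCSDefaultFlags, &req) == errSecSuccess) {
        /* Fails if the running code's signature is invalid or the requirement
         * (anchor, identifier, team) is not met. */
        ok = (SecCodeCheckValidity(code, kSecCSDefaultFlags, req) == errSecSuccess);
    }
    if (req)  CFRelease(req);
    if (code) CFRelease(code);
    CFRelease(tokenData);
    return ok;
}

/* Listener-side shortcut: on macOS 13 and later the same requirement string
 * can be applied to the connection directly, and the framework drops messages
 * from peers that do not satisfy it. Older targets call
 * PeerSatisfiesRequirement() from the listener delegate before accepting. */
static void HardenConnection(NSXPCConnection *connection) {
    if (@available(macOS 13.0, *)) {
        [connection setCodeSigningRequirement:kClientRequirement];
    }
}
```

A requirement string does not stop library injection into an otherwise legitimate client; that needs the client to be built with the hardened runtime and library validation, which the helper can additionally verify through the signing flags returned by SecCodeCopySigningInformation.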
