Safari Proxy Object Type Confusion

Metasploit committer timwr recently added a macOS Safari RCE exploit module based on a solution that saelo developed and used successfully at Pwn2Own 2018. saelo's exploit is a three-bug chain: a Safari RCE (CVE-2018-4233), a sandbox escape (CVE-2018-4404), and a macOS LPE to kernel (CVE-2018-4237). This Metasploit module exploits CVE-2018-4233 and CVE-2018-4404. timwr also added a macOS LPE module that exploits CVE-2018-4237 back in November of this year.

Remote code execution is achieved by taking advantage of a bug in the WebKit directed flow graph (DFG) just-in-time (JIT) compiler. Using the JavaScript Proxy Object, it is possible to inject arbitrary code due to type confusion during the execution of the CreateThis operation. The macOS Safari exploit module uses this technique to inject shellcode that bootstraps the sandbox breakout stage by writing a .dylib to disk and loading it into the WebContent process via dlopen(). The loaded code then uses launchd's legacy_spawn API to spawn a process that executes a malicious payload outside of the sandbox. The API fails to validate whether the caller is allowed to spawn such a process. Safari versions for macOS 10.12 through 10.13.3 are vulnerable.

Erlang Port Mapper Daemon Cookie RCE

wetw0rk added an Erlang RCE module based on an article written by Daniel Mende. This exploit targets the Erlang Port Mapper Daemon (EPMD), which is used to coordinate distributed Erlang nodes. An authentication cookie is used as a shared "secret password" between nodes. There is an implicit vulnerability in the fact that the cookie is a simple string and is usually stored in ~/.erlang.cookie. By default, it is a random string of 20 characters from [A-Z]. If an attacker gains the cookie, then they can gain access to a process running on an Erlang node, and RCE becomes trivial. For example, evaluating os:cmd('id'). in the Erlang shell (the trailing period terminates the expression) executes the system id command.
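Because the whole trust model rests on one string in ~/.erlang.cookie, the practical defensive checks are whether that file is readable by anyone other than its owner and whether the cookie was set deliberately rather than left as the auto-generated default. The following audit/provisioning helper is an added example written for this post; it is not part of the Metasploit module or of Daniel Mende's article. It assumes the cookie path is passed in explicitly and that an auto-generated cookie has the shape the post describes (20 characters from [A-Z]); the sample cookie files it creates are constructed for the demonstration.

```python
"""Audit and provision an Erlang distribution cookie file (~/.erlang.cookie).

Added example, not part of the Metasploit module or the original post.
Assumptions: the cookie path is supplied by the caller, and an auto-generated
cookie is 20 characters from [A-Z] as the post states.
"""
import math
import os
import re
import secrets
import stat
import tempfile

# Shape of the cookie Erlang generates on first start (per the post).
AUTOGENERATED_RE = re.compile(r"^[A-Z]{20}$")

# Character classes used for a rough entropy estimate of hand-set cookies.
_CLASSES = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 32)]


def audit_cookie_file(path):
    """Return a dict describing the cookie file's exposure.

    Erlang refuses a cookie file whose group/other permission bits are set
    (the file must be accessible by owner only); the remaining fields help an
    operator spot cookies that were never deliberately set or are too short.
    """
    result = {"exists": os.path.isfile(path)}
    if not result["exists"]:
        return result
    mode = stat.S_IMODE(os.stat(path).st_mode)
    result["mode"] = mode
    # Any group/other bit means another local account can read or replace the secret.
    result["owner_only"] = (mode & 0o077) == 0
    with open(path) as fh:
        cookie = fh.read().strip()
    result["length"] = len(cookie)
    result["looks_autogenerated"] = bool(AUTOGENERATED_RE.match(cookie))
    alphabet = sum(size for pattern, size in _CLASSES if re.search(pattern, cookie))
    result["est_bits"] = round(len(cookie) * math.log2(alphabet), 1) if alphabet else 0.0
    return result


def provision_cookie(path, nbytes=32):
    """Write a fresh random cookie with owner-only permissions and return it.

    O_EXCL refuses to overwrite an existing cookie so a running cluster is not
    silently cut off; the operator removes the old file deliberately first.
    """
    cookie = secrets.token_urlsafe(nbytes)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "w") as fh:
        fh.write(cookie)
    os.chmod(path, 0o400)  # umask-independent; matches what Erlang expects
    return cookie


def demo():
    """Audit a constructed weak cookie file and a freshly provisioned one."""
    with tempfile.TemporaryDirectory() as d:
        weak = os.path.join(d, "weak.cookie")
        with open(weak, "w") as fh:
            fh.write("ABCDEFGHIJKLMNOPQRST")  # constructed: auto-generated shape
        os.chmod(weak, 0o644)                  # constructed misconfiguration
        weak_report = audit_cookie_file(weak)

        good = os.path.join(d, "good.cookie")
        provision_cookie(good)
        good_report = audit_cookie_file(good)
    return weak_report, good_report


if __name__ == "__main__":
    weak_report, good_report = demo()
    print("weak:", weak_report)
    print("good:", good_report)
```

Run it with no arguments to see both reports side by side; in practice you would point audit_cookie_file at each node's real ~/.erlang.cookie from your configuration-management checks, and use provision_cookie (or the equivalent in your tooling) so the cookie is never written world-readable in the first place.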

New Modules

Exploit modules (2 new)

Auxiliary and post modules (1 new)

Improvements

  • Negative test case added to the nc -j check for the post/multi/escalate/cups_root_file_read module, by wvu-r7
  • Startup error fixed for the VAX reverse_tcp payload, by LouDnl
  • TARGETURI support added to the struts2_namespace_ognl module, by wvu-r7
  • Support added for an alternate Web UI port in the hp_van_sdn_cmd_inject module, by wvu-r7
  • Checks and cleanup improved for the exploit/linux/local/bpf_priv_esc module, by bcoles
  • Arbitrary user-agent support added to the HTTP/HTTPS payloads, by busterb

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.