-
Notifications
You must be signed in to change notification settings - Fork 47
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Documentation] How can I install this fix? #1
Comments
There was an installation description, but now it is gone. Wonder why is that? However I assume it wasn't working as described, because I went through it step by step and it wasn't working, Any update, please? |
You need to go to the releases tab and download the .kext folder from there. Alternatively you can compile from source, for which you need to use the XCode IDE, but this can be skipped if you aren't modifying the files. This is a Kernel Extension, and needs to be placed in specific location. This website describes it quite well. |
@Archosian: Yes, that is exactly what I did. I have tried 2 different things: I removed the extension and rebooted again. 2.) I copied the SUIDGuard.kext via Terminal. This time I didn't saw the error about that the extension isn't correctly installed and a went on with the chmod and chown. After that the kextcache still was;t there. So I rebooted. After the reboot the extension still doesn't show in the kextstats Any idea? I loaded the SUIDGuard.xcodeproj into my Xcode and built it as described. Then I went on with the steps as described in the website how to install third party extensions, Thanks for your help. Axel |
I'm having the exact same problem having followed the exact same steps. I did manage to manually load the kext with kextutil and confirmed that the sample exploit no longer worked. But when I rebooted, the kext wasn't loaded and the exploit worked again. Sent from my iPhone |
It seems to be due to a lack of signing: $ kextutil SUIDGuard.kext UPDATE: This was because I built it myself. I was able to load the one from releases as it's signed, but it doesn't appear to load automatically on boot for me either. |
@jbane: Yep... Same error here. How do we get around this? Can we sign this or do we have to force it around without signing? Not too familiar with the signing bit of this kind of coding :-( |
@aseedig The signed version is obtained from release, check the release tab in the main page. |
Tried that... Congrats.. It works now. After reboot the SUIDGuard is active. Thanks a lot for the great help. Axel |
@aseedig What did you do to get it to load after reboot? |
@jbane: Yes. After reboot it loaded for me. |
Ok, the reason I redacted my instructions this morning was because I ran into that same error with Yosemite kernel extension handling, and that is why I asked about the signing in the other issue post. I will now resubmit the directions for those who are perhaps less familiar with the command line, but are still savvy enough to care about patching 0-days.
Does this seem right to everyone? |
Nope, doesn't persist through reboot with this guide. I was thinking it might be related to the file having quarantine xattr, but nope, wgeting the file anew doesn't help either. |
Here are my observations: Seems this extension has it's own mind :-) Sorry... Worked once, but now it doesn't and I cannot explain why. Axel |
I can confirm the same behavior. |
Same problem here too. I made a utility to install the kext and posted the utility on a Mac forum where I hang out. Many people are having the problem where the kext does not load on reboot. |
Care to direct me to the forum in question? Or the title of the post? Thank you, |
@joncohen The forum is private. But what are you really looking for? The install utility? I can provide that. It has been fixed to work around the load at boot problem by creating a LaunchDaemon to load the kext during boot. Not the right way, but it works. Double-click to install. Double-click to uninstall. The code is in the "script" file in the Resources folder. It requires an admin account to install the kext to the System folder. |
I am experiencing the same issue where the kext loads, but doesn't load on next reboot. |
For your convenience, I made a launch script to load the kext at startup. You should probably change the Reboot and verify with NOTE: The script assumes that you have put the kext into |
Thanks @temokles but unfortunately that still doesn't load at boot for me. |
@spbriggs does it load when you manually load it using |
@temokles yes I can load it manually. It's the pre-compiled, signed version
from the releases tab.
|
@spbriggs hm... strange... have you looked into the system log for errors? |
@temokles yes, no sign of anything at all happening :-S Simon Briggs On 24 July 2015 at 09:06, temokles [email protected] wrote:
|
@spbriggs maybe try |
I'm getting exit code 3 when I run launchctl from command line. I've On 24 July 2015 at 09:31, temokles [email protected] wrote:
|
Could you guys please try the SUIDGuardNG.pkg that I just put into the release? It converts the KEXT to an IOKit based kext that is loaded on boot automatically. |
Works for me @stefanesser . Thank you! |
Maybe a dumb question, but does the package include the SUIDGuard or is this just a kind of a load helper? I have installed the package, but had removed the SUIDGuard before that installation. |
OK, never mind. It was a stupid question. Anyway just to confirm the order of installation which made it work for me, to all who still hack around:
This worked for me and I double tested it by removing the SUIDGuard and re-installed the whole lot as described. After a reboot the extension has been loaded and is working. A big THANK YOU @stefanesser and the group for all the hard work and the testing. Axel |
You don’t need BOTH. Remove the old one. Start on step 11.
|
I feel like I'm missing something. I installed the package and confirmed that it applies after reboot:
However, if I execute the following:
I'm still passed into a root enabled bash prompt where I can create / edit root content.
Is this expected functionality? |
@joncohen: When I try your command, the system asks me for the admin password. Have you tried this without being root/admin? Just wondering, because if you use sudo you are root. Or did I misunderstood your post? |
Most people are not aware that once they execute the command that you used you permanently backdoored your system. Your /etc/sudoers file now contains the line "username ALL=(ALL) NOPASSWD:ALL at the very end To see if the attack is blocked you guys can do kernel[0]: SUIDGuard: found and neutralized DYLD_ environment variable for SUID/SGID root binary |
"backdoored" is not the right word, but yeah, don't leave yourself with passwordless sudo on a desktop |
Well from what @joncohen posted it is visible that the attack is actually blocked. |
Ah, thank you for that explanation and for the work in getting this out to all of us. |
I have a question: Now if I enter the password, SUIDGuard blocks the attack as expected, but I still end up in a root shell. My sudoers file looks like this:
**** END OF FILE **** The only 'NOPASSWORD:ALL' is commented out (#%wheel ALL=(ALL) NOPASSWORD: ALL) Is my assumption correct, that as soon as you enter the password the exploit will end up in a root shell? I had the impression the attack cannot take place as long as the attacker has no password. Or am I misunderstanding this concept? Axel |
Let me explain this: echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s
So the fact that it asks you for your password means the exploit failed. But of course after entering your password you are allowed to use sudo and spawn a root shell. |
@stefanesser, thank you for the detailed explanation. That is what I expected and what I thought ;-) I just wanted to make sure I got it right. Thank you for your hard work. |
For the people having problems getting the permissions right, you should do a recursive copy as root (sudo works fine) since a *.kext is a package. This will set the permissions and owner:group on all the contents of the package correctly and you won't have to monkey round with
Then, either reboot or
which should load the kext without the need to reboot. |
If kextload doesn't persist through a reboot then you may wish to launch at startup using a LaunchDaemon. This is what I have done and works wonderfully. |
@peterlewis , good idea. Could you maybe write down how to do that? Some might not be aware that you can. Also, I should add. The recursive copy as I described above will set the owner and permissions to root:wheel 0700 instead of 0755. But it seems to work just fine, so I did not change it. |
can't find the tar.z2 file mentioned |
No description provided.
The text was updated successfully, but these errors were encountered: