CVE-2012-4284
published 2020-01-10

Priority P279, critical, CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit available
EPSS: 69.52% (99.3rd percentile)
A Privilege Escalation vulnerability exists in Viscosity 1.4.1 on Mac OS X due to a path name validation issue in the setuid-set ViscosityHelper binary, which could let a remote malicious user execute arbitrary code

Affected (1 range)

Vendor: sparklabs
Product: viscosity
Version range:
Fixed in:

Detection & IOCs (extracted from sources)

path: /Applications/Viscosity.app/Contents/Resources/ViscosityHelper
path: /tmp/pwn/site.py
command: ln -s -f -v /Applications/Viscosity.app/Contents/Resources/ViscosityHelper /tmp/pwn/root
command: find /Applications/Viscosity.app/Contents/Resources/ViscosityHelper -type f -user root -perm -4000
path: /tmp/site.py
  • Alert on symlink creation pointing to /Applications/Viscosity.app/Contents/Resources/ViscosityHelper from any directory other than the application bundle, especially /tmp.
  • Detect ViscosityHelper executing with a working directory of /tmp or another world-writable path; legitimate use should only run from within the Viscosity application bundle.
  • Watch for os.setuid(0) / os.setgid(0) calls originating from a Python process spawned by ViscosityHelper (setuid root), indicating successful privilege escalation via the injected site.py.
  • Flag chmod 6777 applied to a newly dropped executable in /tmp by a root-owned process; this is the Metasploit module's payload staging step after exploitation.
  • Check whether ViscosityHelper carries the setuid bit (find -type f -user root -perm -4000); the same lookup is a common attacker reconnaissance step prior to exploitation.
  • The exploit only works against Viscosity version 1.4.1 on Mac OS X; patched or newer versions are not affected.
  • The Metasploit module requires an existing shell session (local access) and targets both x86 and x64 architectures; it is a local privilege escalation, not a remote exploit.
  • The writable directory defaults to /tmp; defenders should note that the exploit artifacts (symlink, site.py, site.pyc, payload EXE) are left on disk unless manually cleaned.
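As an added example (not code from this page or from Sparklabs), a small Python host check that implements the first two detection bullets: it walks a writable directory for symlinks that resolve to the ViscosityHelper path, reports whether a site.py or site.pyc sits beside each one, and checks the setuid-root condition that the find command above expresses. The HELPER path is taken from the IOCs; the sample directory is constructed by the script itself.

```python
import os
import stat
import tempfile
from pathlib import Path

# Path from the IOC list above; the staging file names are the Python startup hook names cited there.
HELPER = "/Applications/Viscosity.app/Contents/Resources/ViscosityHelper"
STAGING_FILES = {"site.py", "site.pyc"}


def is_setuid_root(path):
    """True if the file is owned by uid 0 and has the setuid bit (the find -user root -perm -4000 test)."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return st.st_uid == 0 and bool(st.st_mode & stat.S_ISUID)


def find_helper_symlinks(root, helper=HELPER):
    """Return every symlink under `root` whose target is the helper binary, with any site.py/site.pyc
    found in the same directory (the second half of the staging pattern). The target is compared
    lexically so a dangling link on a machine without Viscosity is still reported."""
    findings = []
    helper = os.path.normpath(helper)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in filenames + dirnames:
            p = Path(dirpath, name)
            if not p.is_symlink():
                continue
            target = os.readlink(p)
            if not os.path.isabs(target):
                target = os.path.join(dirpath, target)
            if os.path.normpath(target) != helper:
                continue
            staging = sorted(f for f in os.listdir(dirpath) if f in STAGING_FILES)
            findings.append({"link": str(p), "dir": dirpath, "staging": staging})
    return findings


def make_constructed_sample():
    """Constructed fixture, not real attacker artifacts: a temp dir holding a symlink named
    'root' pointing at the helper and a placeholder site.py, mirroring the IOCs above."""
    d = tempfile.mkdtemp(prefix="viscosity-check-")
    os.symlink(HELPER, os.path.join(d, "root"))
    Path(d, "site.py").write_text("# constructed placeholder\n")
    return d


if __name__ == "__main__":
    for hit in find_helper_symlinks("/tmp"):
        print("ALERT symlink to ViscosityHelper:", hit)
```

Run it against /tmp on a host with Viscosity installed; any hit with a non-empty "staging" list matches the full pattern described in the bullets.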

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C