@mirabilos @osxreverser
tldr:
vulnerable macos lets non-root users mount filesystems with the "noowners" option, which will treat all files as owned by current user, regardless of the actual file ownership value on the filesystem.
so you mount the system disk with noowners, find a file owned by root, change the contents to an executable, and chmod +setuid. then you can gain root using the filesystem mounted normally.
this is a little complicated by an additional protection (SIP)
felix (grayscale) 🐺 (gray17@mastodon.social)'s status on Saturday, 30-Mar-2024 12:36:11 JST
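A defender-side check for the condition the post describes, added here as an example and not part of the original post: it parses `mount`-style output and flags any device that is reachable both through a `noowners` mount and through a normal mount. The sample text is constructed, the function names are hypothetical, and the heuristic assumes the usual `device on path (options)` line format.

```python
import re
from collections import defaultdict

# Constructed sample in the style of macOS `mount` output (not captured from a real host).
SAMPLE_MOUNT_OUTPUT = """\
/dev/disk1s1 on / (apfs, local, journaled)
/dev/disk1s1 on /private/tmp/mnt (apfs, local, nodev, journaled, noowners, mounted by alice)
/dev/disk2s1 on /Volumes/USB (msdos, local, nodev, nosuid, noowners)
/dev/disk1s4 on /private/var/vm (apfs, local, noexec, journaled, noatime, nobrowse)
"""

LINE_RE = re.compile(r"^(?P<dev>\S+) on (?P<path>.+) \((?P<opts>[^()]*)\)$")
USER_PREFIX = "mounted by "


def parse_mounts(text):
    """Turn `mount` output into dicts with device, path, option set and mounting user."""
    mounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        opts = [o.strip() for o in m.group("opts").split(",")]
        user = next((o[len(USER_PREFIX):] for o in opts if o.startswith(USER_PREFIX)), None)
        mounts.append({"dev": m.group("dev"), "path": m.group("path"),
                       "opts": set(opts), "user": user})
    return mounts


def noowners_shadow_mounts(mounts):
    """Return (device, noowners path, mounting user, normal paths) for every device
    that is mounted with noowners while also being mounted with ownership enforced."""
    by_dev = defaultdict(list)
    for m in mounts:
        by_dev[m["dev"]].append(m)
    findings = []
    for dev, group in by_dev.items():
        relaxed = [m for m in group if "noowners" in m["opts"]]
        normal = [m["path"] for m in group if "noowners" not in m["opts"]]
        if relaxed and normal:
            findings.extend((dev, m["path"], m["user"], normal) for m in relaxed)
    return findings


if __name__ == "__main__":
    for finding in noowners_shadow_mounts(parse_mounts(SAMPLE_MOUNT_OUTPUT)):
        print(finding)
```

Removable media are often mounted with `noowners` legitimately, which is why the check only reports a device that is also mounted with ownership enforced.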