diff --git a/modules/exploits/osx/local/packagekit_zshenv_privesc.rb b/modules/exploits/osx/local/packagekit_zshenv_privesc.rb index 799555c81b319..eaf668caf858c 100644 --- a/modules/exploits/osx/local/packagekit_zshenv_privesc.rb +++ b/modules/exploits/osx/local/packagekit_zshenv_privesc.rb @@ -81,7 +81,7 @@ def initialize(info = {}) def check version = Rex::Version.new(get_system_version) - + if version >= Rex::Version.new('14.5') CheckCode::Safe("macOS #{version} is patched (fixed in 14.5)") elsif version >= Rex::Version.new('14.0') @@ -95,6 +95,9 @@ def check elsif version >= Rex::Version.new('12.0') CheckCode::Appears("macOS #{version} is vulnerable") else + if version < Rex::Version.new("10.14") + return CheckCode::Detected("macOS #{version} detected, but zsh does not exists") unless executable?("/bin/zsh") + end CheckCode::Appears("macOS #{version} (11 and older) is vulnerable") end end @@ -106,6 +109,8 @@ def exploit home_dir = create_process('printenv', args: ['HOME']).strip fail_with(Failure::BadConfig, 'Unable to determine home directory') if home_dir.blank? zshenv_path = "#{home_dir}/.zshenv" + + fail_with(Failure::Unknown, "The .zshenv is not writable") if exist?(zshenv_path) && !writable?(zshenv_path) # Preserve original .zshenv so we can restore it after root execution original_zshenv = file?(zshenv_path) ? read_file(zshenv_path) : ''