Appears that this vulnerability does exist everywhere the shebang #!/bin/zsh is being used sans --no-rcs
Author’s Note: Speed trumps quality for this post and — as always — its price is at least worth what you paid.
Background
While the description for CVE-2024-27301 accurately references Jordy Witteman’s macOS Support App, the vulnerability appears to exist everywhere the shebang #!/bin/zsh is being used sans --no-rcs.
Support App is an open-source application specialized in managing Apple devices. It’s possible to abuse a vulnerability inside the postinstall installer script to make the installer execute arbitrary code as root. The cause of the vulnerability is the fact that the shebang #!/bin/zsh is being used. When the installer is executed it asks for the user’s password to be executed as root. However, it’ll still be using the $HOME of the user and therefore loading the file $HOME/.zshenv when the postinstall script is executed. An attacker [— or your co-worker whose account is a Standard User —] could add malicious code to $HOME/.zshenv and it will be executed when the app is installed. An attacker [— or your co-worker who isn’t an admin —] may leverage this vulnerability to escalate privilege on the system.
This issue has been addressed in version [2.5.2]. All users are advised to upgrade.
There are no known workarounds for this vulnerability.
SQL Update Statement
(Please ensure you have a known-working database backup before proceeding.)
Scripts
The following SQL UPDATE statement will find-and-replace #!/bin/zsh with #!/bin/zsh --no-rcs in scripts you’ve manually added to Jamf Pro.

/* Find scripts which include the shebang #!/bin/zsh */
SELECT script_id, file_name, LEFT(script_contents, 20)
FROM scripts
WHERE script_contents LIKE '%/bin/zsh%';

/* Carefully review results to confirm '--no-rcs' has NOT already been added to '#!/bin/zsh' */

/* Replace '/bin/zsh' with '/bin/zsh --no-rcs' (DON'T EXECUTE MORE THAN ONCE!) */
UPDATE scripts
SET script_contents = REPLACE(script_contents, '/bin/zsh', '/bin/zsh --no-rcs')
WHERE script_contents LIKE '%/bin/zsh%';

/* Double-check your work */
SELECT script_id, file_name, LEFT(script_contents, 20)
FROM scripts
WHERE script_contents LIKE '%/bin/zsh%';

/* Correct any LaunchDaemons: the global REPLACE above also rewrote '<string>/bin/zsh</string>'
   ProgramArguments entries inside plists embedded in scripts; restore those to their original form */
SELECT script_id, file_name, LEFT(script_contents, 20)
FROM scripts
WHERE script_contents LIKE '%<string>/bin/zsh --no-rcs</string>%';

UPDATE scripts
SET script_contents = REPLACE(script_contents, '<string>/bin/zsh --no-rcs</string>', '<string>/bin/zsh</string>')
WHERE script_contents LIKE '%<string>/bin/zsh --no-rcs</string>%';
Extension Attributes
The following SQL UPDATE statement will find-and-replace #!/bin/zsh with #!/bin/zsh --no-rcs in Extension Attributes you’ve manually added to Jamf Pro.

/* Find Extension Attributes which include the shebang #!/bin/zsh */
SELECT extension_attribute_id, display_name, LEFT(script_contents_mac, 20)
FROM extension_attributes
WHERE script_contents_mac LIKE '%/bin/zsh%';

/* Carefully review results to confirm '--no-rcs' has NOT already been added to '#!/bin/zsh' */

/* Replace '/bin/zsh' with '/bin/zsh --no-rcs' (DON'T EXECUTE MORE THAN ONCE!) */
UPDATE extension_attributes
SET script_contents_mac = REPLACE(script_contents_mac, '/bin/zsh', '/bin/zsh --no-rcs')
WHERE script_contents_mac LIKE '%/bin/zsh%';

/* Double-check your work */
SELECT extension_attribute_id, display_name, LEFT(script_contents_mac, 20)
FROM extension_attributes
WHERE script_contents_mac LIKE '%/bin/zsh%';
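As an added example (not code from the original post, nor from Support.app or Jamf), the POSIX shell script below covers both the Background section and the two SQL sections above. It reproduces the mechanism: a throwaway zsh script is run under a temporary HOME whose .zshenv sets a marker, once with no options and once with --no-rcs, so you can see which invocation sources the file. It then gives a file-level counterpart to the Jamf find-and-replace that rewrites only the shebang line and is safe to run more than once. Function names, temporary paths and the sample scripts are all constructed for the example; zsh is optional (the probe reports "skipped" when it is not installed).

```shell
#!/bin/sh
# Added example for this post (not from the original or from Support.app/Jamf).
# Assumes: POSIX sh with head, tail, find and mktemp; zsh is optional for the probe.

# Run a throwaway zsh script under a temporary HOME whose .zshenv sets a marker.
# $1 = interpreter options to test ("" or "--no-rcs").
# Prints "loaded", "not-loaded", or "skipped" (zsh not installed).
zshenv_probe() {
    command -v zsh >/dev/null 2>&1 || { echo skipped; return 0; }
    tmp_home=$(mktemp -d) || return 1
    # Constructed stand-in for a user-controlled ~/.zshenv: it only sets a variable.
    printf 'ZSHENV_RAN=1\n' > "$tmp_home/.zshenv"
    printf 'if [[ -n "$ZSHENV_RAN" ]]; then echo loaded; else echo not-loaded; fi\n' \
        > "$tmp_home/probe.zsh"
    # zsh is invoked directly so the probe does not depend on /bin/zsh existing here;
    # $1 is deliberately unquoted so an empty value contributes no argument.
    HOME="$tmp_home" ZDOTDIR="$tmp_home" zsh $1 "$tmp_home/probe.zsh"
    rm -rf "$tmp_home"
}

# Succeed when line 1 of $1 is a /bin/zsh shebang that lacks --no-rcs.
needs_no_rcs() {
    first=$(head -n 1 "$1")
    case $first in
        '#!/bin/zsh'|'#!/bin/zsh '*)
            case $first in
                *--no-rcs*) return 1 ;;
                *) return 0 ;;
            esac ;;
        *) return 1 ;;
    esac
}

# Print every regular file under $1 whose shebang still needs --no-rcs.
audit_dir() {
    find "$1" -type f | while IFS= read -r f; do
        if needs_no_rcs "$f"; then printf '%s\n' "$f"; fi
    done
}

# Insert --no-rcs into the shebang of $1, touching no other line.
# Returns 0 when the file was changed, 1 when it was already fine or is not a zsh script.
harden_shebang() {
    needs_no_rcs "$1" || return 1
    first=$(head -n 1 "$1")
    rest=${first#"#!/bin/zsh"}            # options already present on the shebang line
    tmp=$(mktemp) || return 2
    if { printf '#!/bin/zsh --no-rcs%s\n' "$rest"; tail -n +2 "$1"; } > "$tmp" \
        && cat "$tmp" > "$1"; then        # cat keeps the file's mode and ownership
        rm -f "$tmp"; return 0
    fi
    rm -f "$tmp"; return 2
}

# Demo on constructed files: a vulnerable script, an already-hardened one, and a bash
# script embedding a LaunchDaemon plist that a global find-and-replace would corrupt.
demo_dir=$(mktemp -d)
printf '#!/bin/zsh\necho "postinstall"\n' > "$demo_dir/postinstall.zsh"
printf '#!/bin/zsh --no-rcs\necho "already hardened"\n' > "$demo_dir/ok.zsh"
printf '#!/bin/bash\ncat <<EOF\n<string>/bin/zsh</string>\nEOF\n' > "$demo_dir/daemon.sh"
echo "needs fixing:"; audit_dir "$demo_dir"
for f in "$demo_dir"/*; do
    if harden_shebang "$f"; then echo "fixed $f"; fi
done
echo "still needs fixing (expect none):"; audit_dir "$demo_dir"
echo "zsh with no options: $(zshenv_probe '')"
echo "zsh with --no-rcs:   $(zshenv_probe --no-rcs)"
rm -rf "$demo_dir"
```

Because the fixer only ever rewrites line 1, plist fragments such as <string>/bin/zsh</string> embedded in a script are left alone and no LaunchDaemon clean-up pass is needed, and running it twice changes nothing. The same scoping can be applied to the Jamf SQL by matching only rows whose contents begin with the shebang (LIKE '#!/bin/zsh%') and excluding rows that already contain '--no-rcs'.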
Upgrade?
The description for CVE-2024-27301 includes the statement:
All users are advised to upgrade.
However, since the issue is specific to a post-install script, upgrading existing installations to 2.5.2 won’t remediate anything.
In my humble opinion, a more accurate recommendation would be written as:
MacAdmins deploying Support.app are advised to begin deploying version 2.5.2 immediately.
Fear Mongering?
While my “[— or your co-worker who isn’t an admin —]” and “[— or your co-worker whose account is a Standard User —]” may end up being classified as fear mongering, caution is recommended while additional testing is conducted.
Additional Reading
- MacAdmins #nudge Channel Post (Erik Gomez)
- zsh scripts and Root Escalations (Armin Briegel)