A local privilege escalation vulnerability exists in the Mac OS X version of Pixar Renderman 22.3.0’s Install Helper helper tool. A user with local access can use this vulnerability to escalate their privileges to root. An attacker would need local access to the machine for a successful exploit.
Renderman 22.3.0 for Mac OS X
9.0 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
CWE-749: Exposed Dangerous Method or Function
Renderman is a rendering application used in animation and film production. It is widely used for advanced rendering and shading in many large-scale environments. When installing the Mac OS X version of the application, a helper tool is installed and launched as root. This service continues to listen even after completing installation. The vulnerability comes in with a lack of verification in the
Dispatch function. The caller of this function is not checked and the functionality is exposed to any user.
The vulnerability exists because of an incorrectly applied patch. The patch restricts the program to be executed to the system installer and allows any installation package to be chosen. An attacker can use this to install an arbitrary program onto the computer as root. This creates a privilege escalation situation.
Included with this advisory is a C source file, as well as a OSX package. The package needs to be put into
/tmp/root.pkg. The command
nc -l 1337 needs to be executed in a separate terminal window to accept the root shell.
2019-02-01 - Vendor Disclosure
2019-03-06 - Public Release
Discovered by Tyler Bohan of Cisco Talos.