CVE-2018-7281

Vulnerability

The vulnerability exists in CactusVPN for macOS version 5.3.6. A setuid root binary named runme takes a single command-line argument and passes it directly to the system() function [1]. This allows any low-privileged user to execute arbitrary commands with root privileges. The affected version is 5.3.6; the vendor has released a fix.

Exploitation

An attacker needs local access to a macOS system running CactusVPN 5.3.6. No authentication beyond a standard user account is required. The attacker simply runs the runme binary with a command as the argument, e.g., ./runme "whoami", and the command executes as root due to the setuid bit and the system() call.

Impact

Successful exploitation allows an attacker to execute arbitrary commands with root privileges, leading to full compromise of the system. This includes the ability to install software, modify system files, create new users, and perform any action as the superuser.

Mitigation

The vendor CactusVPN has remediated the vulnerability in a patched version [1]. According to the disclosure timeline, the fix was validated on February 21, 2018. Users should update to the latest version of CactusVPN for macOS. No workaround is mentioned; the setuid binary should be removed or permissions changed if update is not possible.