How to Find Local Root Exploit in HospitalRun on macOS

2023-07-22

LiveOverflow

Let's talk about a "security flaw in hospital software that allows full access to medical devices". This issue was disclosed on LinkedIn and included full exploit code. Let's use this app as an example of how to find a macOS privilege escalation and learn how local root exploits can work.

Print BINGO sheet: https://twitter.com/liveoverflow/status/1682650394227351552

Sources:

Original LinkedIn Post: https://web.archive.org/web/20230424004137/https://www.linkedin.com/posts/jeanpereira00_sicherheitsl%C3%BCcke-in-krankenhaus-software-activity-7055185115584303104-2eZr

The Exploit code: https://0day.today/exploit/38531

"The project has been deprecated for 2 years. Version 1.0.0-beta has been an EOL for at least 5 years" - developer statement: https://twitter.com/tehkapa/status/1650059269939552256

My references for finding priv esc issues in macOS apps:

https://github.com/cure53/Publications/blob/master/summary-report_tunnelbear.pdf

https://github.com/cure53/Publications/blob/master/summary-report_tunnelbear_2018.pdf

https://github.com/cure53/Publications/blob/master/summary-report_tunnelbear_2019.pdf

https://github.com/cure53/Publications/blob/master/pentest-report_IVPN.pdf

Help me pay for any legal trouble in case somebody wants to sue me (advertisement): https://shop.liveoverflow.com/

Chapters:

00:00 - Intro: Practice Research with Existing Issues

01:45 - HospitalRun Functionality

03:07 - What is a Local Root Exploit?

05:49 - Typical macOS Privilege Escalation Issues

09:23 - Looking for Privileged Helper in HospitalRun

10:10 - My Experience in finding Local Root Exploits on macOS

11:46 - Threat Modeling and Common Deployments

13:11 - Was this an April Fools Joke?

14:18 - Analysing and Cleaning Up The Exploit Code

17:51 - Reading Comments on LinkedIn

19:29 - BINGO!

=[ ❤️ Support ]=

→ per Video: https://www.patreon.com/join/liveoverflow

→ per Month: https://www.youtube.com/channel/UClcE-kVhqyiHCcjYwcpfj9w/join

2nd Channel: https://www.youtube.com/LiveUnderflow

=[ 🐕 Social ]=

→ Twitter: https://twitter.com/LiveOverflow/

→ Streaming: https://twitch.tv/LiveOverflow/

→ TikTok: https://www.tiktok.com/@liveoverflow_

→ Instagram: https://instagram.com/LiveOverflow/

→ Blog: https://liveoverflow.com/

→ Subreddit: https://www.reddit.com/r/LiveOverflow/

→ Facebook: https://www.facebook.com/LiveOverflow/

