Talos Vulnerability Report

TALOS-2019-0773

Pixar Renderman Install Helper Privilege Escalation Vulnerability

March 7, 2019
CVE Number

CVE-2019-5015

Summary

A local privilege escalation vulnerability exists in the Mac OS X version of Pixar Renderman 22.3.0's Install Helper helper tool. A user with local access can use this vulnerability to escalate their privileges to root. An attacker would need local access to the machine for a successful exploit.

Tested Versions

Renderman 22.3.0 for Mac OS X

Product URLs

https://renderman.pixar.com

CVSSv3 Score

9.0 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

CWE

CWE-19: Improper Input Validation

Details

Renderman is a rendering application used in animation and film production. It is widely used for advanced rendering and shading in many large-scale environments. When installing the Mac OS X version of the application, a helper tool is installed and launched as root. This service continues to listen even after completing installation. The vulnerability comes in with a lack of verification in the Dispatch function. The caller of this function is not checked and the functionality is exposed to any user.

The vulnerability exists because of an incorrectly applied patch. The patch restricts the program to be executed to the system installer and allows any installation package to be chosen. An attacker can use this to install an arbitrary program onto the computer as root. This creates a privilege escalation situation.

Exploit Proof of Concept

Included with this advisory is a C source file, as well as a OSX package. The package needs to be put into /tmp/root.pkg. The command nc -l 1337 needs to be executed in a separate terminal window to accept the root shell.

Timeline

2019-02-01 - Vendor Disclosure
2019-03-06 - Public Release

Credit

Discovered by Tyler Bohan of Cisco Talos.