NoMachine Arbitrary File Overwrite


Introduction

NoMachine is a free remote desktop solution which features higher speeds than its usual competitors. I identified the possibility to overwrite root-owned files, and after I created a PoC, I contacted the NoMachine team, which was quick to address the vulnerability and to issue a new update.

The vulnerability affected the NoMachine free edition and Enterprise Client for macOS, and it is fixed in version v8.8.1.

Analysis

The NoMachine application writes log files to the directory /Library/Application Support/NoMachine/var/log. Examining the permissions of this directory, we can see that it is owned by the user nx and that rwx is set for everyone.

The directory contains a couple of .log files. Because we are granted rwx on the directory, we can simply create a hardlink which points to a root-owned file; once the application writes something to the log file, that root-owned file gets overwritten.


Exploitation

To exploit the vulnerability, we simply need to create the hardlink. As the root user, we will create the file /Library/secret and make nxserver.log a hardlink to that file.
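A defensive check for the condition described above, as an added example that is not part of the original write-up or of NoMachine's code: it flags a log directory that is writable by everyone and any log file in it that has a second hard link. The function names, the temporary layout and the file example.log are constructed for illustration.

```python
import os
import stat
import tempfile

# Directory named in the article; audit_log_dir() accepts any directory.
NOMACHINE_LOG_DIR = "/Library/Application Support/NoMachine/var/log"


def audit_log_dir(path):
    """Return (finding, path) tuples for risky conditions in a log directory."""
    findings = []
    if os.lstat(path).st_mode & stat.S_IWOTH:
        # Any local user can create, rename or link entries in this directory.
        findings.append(("world-writable-dir", path))
    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        st = os.lstat(full)  # lstat: inspect the entry itself, never its target
        if stat.S_ISLNK(st.st_mode):
            findings.append(("symlink", full))
        elif stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
            # The inode has another name elsewhere on the volume, so anything
            # the service writes to this log also lands in that other file.
            findings.append(("hardlinked-file", full))
    return findings


def demo():
    """Audit a constructed directory that mirrors the layout in the article."""
    with tempfile.TemporaryDirectory() as root:
        log_dir = os.path.join(root, "log")
        os.mkdir(log_dir)
        os.chmod(log_dir, 0o777)  # rwx for everyone, as the article reports
        target = os.path.join(root, "secret")  # stands in for /Library/secret
        with open(target, "w") as fh:
            fh.write("data\n")
        os.link(target, os.path.join(log_dir, "nxserver.log"))
        # Constructed file name: an ordinary log with a single link.
        with open(os.path.join(log_dir, "example.log"), "w") as fh:
            fh.write("ordinary log line\n")
        return [(kind, os.path.relpath(p, root))
                for kind, p in audit_log_dir(log_dir)]


if __name__ == "__main__":
    for kind, rel in demo():
        print(kind, rel)
```

On an installed system, calling audit_log_dir(NOMACHINE_LOG_DIR) applies the same checks to the real directory.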


Originally published by NSEcho: NoMachine Arbitrary File Overwrite

Copyright notice: posted by admin on July 28, 2023 at 9:49 AM.
When reposting, please credit: NoMachine Arbitrary File Overwrite | CTF导航
