This issue was addressed with improved checks. This issue is fixed in macOS Mojave 10.14.4. A local user may be able to execute arbitrary shell commands.
##
# This module requires Metasploit: metasploitcom/download
# Current source: githubcom/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Post::OSX::Priv
include Msf::Post::OSX::System
include Msf::Exploit::EXE
include Msf::Exp ...
This Metasploit module exploits a command injection in TimeMachine on macOS <= 10143 in order to run a payload as root The tmdiagnose binary on OSX <= 10143 suffers from a command injection vulnerability that can be exploited by creating a specially crafted disk label The tmdiagnose binary uses awk to list every mounted volume, and comp ...