I like things well done and the healthy discussion with snare about this topic remembered me this PoC was a bit incomplete. So I decided to close the missing gaps.
The fix is pretty simple. Retrieve a new kauth credential with uid and gid equal to 0 and replace the old one (the code seems stable even without process locks). It also seems to work fine without the allproc lock. The backdoor also had a small “bug” that I didn’t noticed due to a coincidence. If you are using iStat Menus then you have a daemon running as root that is collecting info from processes and uses task_for_pid() on them. So the trick of getting the task_for_pid for any process even without permissions worked because of this coincidence (the backdoor failed but iStat daemon called task_for_pid() on the process and so backdoor was activated, duh!). The fix is to do a task_for_pid() on itself. It was one of those things that you don’t feel it’s right but you don’t pay much attention to.

The only catch is that the symbol for kauth_cred_setuidgid() is not exported so it’s manually configured for Snow Leopard 10.6.8. To resolve the kernel symbols is another project.

Have fun,
fG!

rexthewonderdog_v0.2.zip
SHA256(rexthewonderdog_v0.2.zip)= 890faeafef5ff00ac289e6289e14abee2d744b8e6155ac05b0b51eaf3ac4448f

Update:

All previous versions do not work with Lion because proc structures changed (check xnu/bsd/sys/proc_internal.h). Version 0.3 adds support to Lion 10.7.1. Edit the main source file and change the define accordingly.

rexthewonderdog_v0.3.zip
SHA256(rexthewonderdog_v0.3.zip)= c85f5273497430e7328364c52d6d772ccb154c068250fb8a7ef73532b067b713