Free Republic
Researcher unveils new privilege vulnerability in Apple's Mac OS X
ZDNet Zero Day ^ | July 22, 2015 | By Charlie Osborne

Posted on 07/22/2015 9:11:12 PM PDT by Swordmaker

The flaw allows attackers to exploit a Mac system for full privilege escalation and take over a machine.
(This vulnerability requires physical possession of the computer, and local Administrator access. It cannot be accomplished remotely or by a standard user. — Swordmaker)

[Image; photo credit: NopSec]

A researcher has disclosed a privilege escalation vulnerability in OS X which is yet to be fixed in the latest release of the operating system.

German researcher Stefan Esser from security audit firm SektionEins disclosed the vulnerability on Tuesday. The security flaw affects OS X 10.10.x and relates to new features added by the iPad and iPhone maker in the newest evolutions of the OS, Yosemite and El Capitan.

The new features exploitable by the vulnerability are based upon the dynamic linker dyld and environment variable DYLD_PRINT_TO_FILE, which enables error logging to an arbitrary file.

"When this variable was added the usual safeguards that are required when adding support for new environment variables to the dynamic linker have not been used. Therefore it is possible to use this new feature even with SUID root binaries," Esser explained.

"This is dangerous, because it allows one to open or create arbitrary files owned by the root user anywhere in the file system. Furthermore the opened log file is never closed and therefore its file descriptor is leaked into processes spawned by SUID binaries. This means child processes of SUID root processes can write to arbitrary files owned by the root user anywhere in the filesystem."

This, in turn, allows for privilege escalation and PC hijacking to take place.

The security researcher has released a full technical brief on the vulnerability, a working proof-of-concept (PoC) exploit -- and a warning that executing the code is a danger to systems as it installs a root shell.

Esser says it is "unclear" whether Apple knows about the security flaw or not, as it has already been patched in the first beta versions of OS X El Capitan 10.11, but not in the current release of OS X 10.10.4 or in the current beta of OS X 10.10.5, which has just been released to public beta testers.

The researcher speculates that the fix may be the result of a code cleanup rather than a security sweep, commenting:

"However, if this is the result of a security fix then Apple has once again shown how unsupported their current versions become the moment a new beta is in development."

Whether or not the tech giant knows about the flaw and is planning to release a patch, SektionEins has released the source code of a kernel extension and a digitally signed version which protects users from this vulnerability under the name SUIDGuard. You can download SUIDGuard from GitHub.

In July, Apple released a security update which patched dozens of security flaws in iOS 8.4 and OS X 10.10.4.

ZDNet has reached out to Apple and will update if we hear back.
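The two defects Esser describes in the article above are a dynamic linker that honours an environment variable even when the process is SUID, and a log descriptor that stays open across the exec of child processes. The following is an added illustration written for this page, not code from Esser, SektionEins, SUIDGuard or Apple's dyld: it models the two safeguards a linker should apply. Only the variable name DYLD_PRINT_TO_FILE comes from the article; the function names, the rule of ignoring every DYLD_-prefixed variable in a set-id process, the sample uids and the /tmp log path are assumptions made for the example. The "inherited" opener is there only to show what a leaked descriptor looks like next to the hardened one.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for O_CLOEXEC */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* A process is "set-id" when its effective ids differ from its real ids.
   That is the condition under which a linker must distrust the environment,
   because the environment is controlled by the (unprivileged) real user. */
static int is_setid_process(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid) {
    return ruid != euid || rgid != egid;
}

/* Assumed policy for this example: in a set-id process, no DYLD_* variable
   is honoured at all; in an ordinary process, all of them are. Returns 1 if
   the variable may be used, 0 if it must be ignored. */
int linker_env_allowed(const char *name, int setid) {
    static const char prefix[] = "DYLD_";
    if (!setid)
        return 1;
    return strncmp(name, prefix, sizeof prefix - 1) != 0;
}

/* The decision the linker would make for DYLD_PRINT_TO_FILE given the
   process's real and effective uid (gids held equal for brevity). */
int should_honor_print_to_file(uid_t ruid, uid_t euid) {
    return linker_env_allowed("DYLD_PRINT_TO_FILE",
                              is_setid_process(ruid, euid, 0, 0));
}

/* Hardened opener: O_CLOEXEC marks the descriptor close-on-exec, so a child
   started with execve() never inherits the log file. Returns fd or -1. */
int open_log_cloexec(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_APPEND | O_CLOEXEC, 0644);
}

/* The leaky pattern the article describes: the descriptor survives exec and
   ends up in every child of the (possibly SUID) process. */
int open_log_inherited(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0644);
}

/* Returns 1 if fd carries FD_CLOEXEC, 0 if it does not, -1 on error. */
int fd_is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

int main(void) {
    /* Constructed scenario: real uid 501 (ordinary user) running a SUID root
       binary (effective uid 0), versus the same user in a normal process. */
    printf("honour DYLD_PRINT_TO_FILE in SUID root process: %d\n",
           should_honor_print_to_file(501, 0));
    printf("honour DYLD_PRINT_TO_FILE in ordinary process:  %d\n",
           should_honor_print_to_file(501, 501));

    const char *path = "/tmp/dyld_example.log";   /* constructed path */
    int good = open_log_cloexec(path);
    int bad  = open_log_inherited(path);
    if (good >= 0 && bad >= 0) {
        printf("O_CLOEXEC opener: FD_CLOEXEC=%d\n", fd_is_cloexec(good));
        printf("plain opener:     FD_CLOEXEC=%d\n", fd_is_cloexec(bad));
    }
    if (good >= 0) close(good);
    if (bad >= 0)  close(bad);
    unlink(path);
    return 0;
}
```

Either safeguard alone would have blunted the issue the article describes: refusing the variable in a set-id process means no root-owned file is opened on the user's behalf, and close-on-exec means that even an opened file is not handed to children. A real linker would also have to cope with variables that influence loading rather than logging, which this example does not attempt to model.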


TOPICS: Computers/Internet
To: Swordmaker

Regardless of what the official pronunciation is, people say OH-ESS-ECKS all of the time. That’s a fact, just as people say Mizzuruh and Fujickle despite different pronunciations promulgated by authoritative sources.


21 posted on 07/23/2015 3:23:03 PM PDT by Dr. Sivana (There is no salvation in politics)
[ Post Reply | Private Reply | To 15 | View Replies]

To: Swordmaker

Oh, so THAT’S the “white privilege” that they’ve been talking about ...


22 posted on 07/23/2015 3:25:54 PM PDT by BlueLancer (Once is happenstance. Twice is coincidence. Three times is enemy action.)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker
Oh, I knew that root is above administrative users (and that there is no user called Administrator unless you feel like making one). I think of it like this: What I meant by "What am I not understanding here?" was more like... "What's the big deal, because anyone with admin access can sudo already."
23 posted on 07/23/2015 10:09:22 PM PDT by dayglored (Meditate for twenty minutes every day, unless you are too busy, in which case meditate for an hour.)
[ Post Reply | Private Reply | To 7 | View Replies]

To: dayglored
What I meant by "What am I not understanding here?" was more like... "What's the big deal, because anyone with admin access can sudo already."

You got it. . . but in OS X one of those admin users can be first to create the ROOT user account—it's turned off by default—and give it a user name and password known only to him, at which point anyone trying to use sudo will encounter a requester demanding entry of that ROOT account name and password before it continues to do anything.

That admin who created the account can log in as the Super User and act as God of this computer, and the other admins could do nothing to take back control. . . well, there are ways, but drastic ones, using the restore process, if the Super User hasn't remembered to protect that file as well. This vulnerability gives them a backdoor to mount a mutiny where they can essentially change anything.

I've only run into one Mac where a user created a Super User account, an ex-Windows user who thought he'd need it for housekeeping tasks, and then promptly forgot his fairly complex password! I had to restore the system to factory to get rid of it. Luckily he had a backup of his data files.

24 posted on 07/23/2015 10:47:35 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 23 | View Replies]

To: dayglored

Oh, as I understand it, the Super User can, if he chooses, change the Super User group to allow more than one member, but the default is currently just one.


25 posted on 07/23/2015 10:51:21 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 23 | View Replies]

To: Swordmaker

“'nukyuler,' including a particular past President who shall go W'less. That doesn't make it correct.”

I remember a president before him that said nu-kee-er. They didn’t make much of it though, after all Jimmy Carter was sposed to be some sort of a nu-kee-er scientist or something.


26 posted on 07/23/2015 11:01:15 PM PDT by Lurkina.n.Learnin (It's a shame nobama truly doesn't care about any of this. Our country, our future, he doesn't care)
[ Post Reply | Private Reply | To 18 | View Replies]

To: Lurkina.n.Learnin
I remember a president before him that said nu-kee-er. They didn’t make much of it though, after all Jimmy Carter was sposed to be some sort of a nu-kee-er scientist or something.

I thought about mentioning our peanut farmer. . . I never could figger out how a guy like him could become a nu-kee-re scientist or enginyeer guys without a learnin' how to say the word.

27 posted on 07/23/2015 11:45:22 PM PDT by Swordmaker ( This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
[ Post Reply | Private Reply | To 26 | View Replies]

To: Swordmaker

So this exploit exists in Yosemite and El Capitan... yet later in the article it says the exploit has been closed in El Capitan betas.... Ummm... ok.

I’m also trying to figure out - IF I am logged in to an administrator account, someone steals my machine - what exactly can they do that isn’t already a danger with a machine logged in as an administrator? Then again OS X Yosemite and El Capitan both require administrator password to make changes to nearly everything...


28 posted on 08/01/2015 7:34:37 PM PDT by TheBattman (Isn't the lesser evil... still evil?)
[ Post Reply | Private Reply | To 1 | View Replies]

