Apple fix for Mac Rootpipe backdoor "doesn't work"

Experts say botched patch leaves tens of millions of Mac OS X devices vulnerable to hijack.


Apple's recent patch for the dangerous Rootpipe backdoor flaw affecting millions of Mac OS X devices is itself flawed, according to respected security researcher Patrick Wardle.

Synack R&D director Wardle said in a blog post this weekend that even though Apple tried to close the backdoor in its latest Mac OS X Yosemite version 10.10.3, he could still use Rootpipe to take full admin control over affected Apple Mac devices.

Wardle - who was formerly a network vulnerability analyst at the NSA intelligence agency - revealed: “I found a novel, yet trivial way for any local user to re-abuse Rootpipe, even on a fully patched OS X 10.10.3 system.”

He added: “In the spirit of responsible disclosure, at this time I won't be providing the technical details of the attack - besides of course to Apple. However, I felt that in the meantime OS X users should be aware of the risk.”

While withholding the details of the attack, Wardle produced a short 29-second video demonstrating how he took control of the OS X device, which can be viewed here: https://vimeo.com/125345793

Apple confirmed the severity of Rootpipe (CVE-2015-1130) when it issued its intended fix earlier this month. The company said that by using Rootpipe, an attacker can bypass authentication checks “to gain admin privileges” over Mac devices.

Apple claimed that its Security Update 2015-004 solved the problem by improving the “entitlement checking” on devices running OS X Yosemite versions 10.10 to 10.10.2.

At the time, Apple was criticised for only patching these more recent versions of Yosemite, leaving older systems still open to Rootpipe attacks. But now Wardle has shown that many more OS X devices – numbering tens of millions worldwide – remain at risk.

Rootpipe was first discovered by security researcher Emil Kvarnhammar of TrueSec in October 2014. He too kept details of the vulnerability secret until Apple could release the latest patch, originally scheduled for January.

But Kvarnhammar said the privilege escalation vulnerability allows a hacker to bypass Apple's normal 'sudo' password requirements and gain root access to machines running OS X versions 10.8, 10.9 and 10.10 (Beta 6). This allowed them to take full control of the system.

Kvarnhammar's YouTube video on the attack is available here: https://www.youtube.com/watch?feature=player_embedded&v=fCQg2I_pFDk

Apple is now being urged to act quickly to re-patch against Rootpipe, and to take the chance to protect older OS X devices as well.

Respected UK security blogger and researcher Graham Cluley said: “All eyes now turn to Apple for a response, and if you're concerned about the vulnerability, it would make sense to take care over who you allow to use your computer.

“Let's all hope that Apple will fix the problem once and for all now, and - hey Apple! - how about providing some protection for users of older versions of OS X at the same time, eh?”

Keith Bird, UK MD for security firm Check Point, levelled the same criticism at Apple in an emailed statement to SCMagazineUK.com: “Patches and updates for software and OS vulnerabilities don't always work seamlessly the first time around, so hopefully Apple will address the issue quickly and close the vulnerability.

“But it is curious that there are currently no plans to patch earlier versions of the OS, as it means nearly half of all Apple Macs are still prone to the vulnerability, and many of these cannot easily be updated.”

Bird advised: “At the moment the flaw isn't public so it's assumed the risk is small, but in the meantime Apple users should avoid allowing third-party logins to their machines.”

In his blog, Wardle said Apple's attempt to patch the vulnerability in OS X 10.10.3 by adding access checks via a new private entitlement called com.apple.private.admin.writeconfig “in theory seemed a reasonable fix”.
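For administrators triaging a Mac fleet against the version facts reported in this article (no fix for 10.8 and 10.9, Security Update 2015-004 / 10.10.3 for 10.10 to 10.10.2, and Wardle's reported bypass of the 10.10.3 fix), the following POSIX shell script is an added example written for this page; it is not code from Apple, Wardle or Kvarnhammar. The version boundaries and the entitlement name com.apple.private.admin.writeconfig are taken from the article; the status labels, the function names and the assumption that version strings are purely numeric (e.g. "10.10.2", not "10.10 (Beta 6)") are mine. The entitlement listing uses Apple's `codesign -d --entitlements :-` invocation and is skipped on systems without `codesign`.

```shell
#!/bin/sh
# Added example: classify OS X versions against the Rootpipe (CVE-2015-1130)
# reporting above. Not the article's or any vendor's code.

# Compare two dotted numeric version strings; prints lt, eq or gt.
# Missing trailing fields count as 0, so "10.10" equals "10.10.0".
vercmp() {
    a="$1"; b="$2"; i=1
    while :; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then
            echo eq; return
        fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo lt; return; fi
        if [ "$x" -gt "$y" ]; then echo gt; return; fi
        i=$((i + 1))
    done
}

# Map a version to a patch status using only what the article states.
# Labels are assumptions made for this example.
rootpipe_status() {
    v="$1"
    if [ "$(vercmp "$v" 10.8)" = lt ]; then
        echo not-covered-by-reports          # article only discusses 10.8 and later
    elif [ "$(vercmp "$v" 10.10)" = lt ]; then
        echo unpatched-no-fix-available      # 10.8 / 10.9: Apple shipped no patch
    elif [ "$(vercmp "$v" 10.10.3)" = lt ]; then
        echo unpatched-update-available      # 10.10-10.10.2: Security Update 2015-004 / 10.10.3
    else
        echo patched-bypass-reported         # 10.10.3: original fix present, Wardle reports a bypass
    fi
}

# Status of the host this runs on; prints not-macos where sw_vers is absent.
host_status() {
    if command -v sw_vers >/dev/null 2>&1; then
        rootpipe_status "$(sw_vers -productVersion)"
    else
        echo not-macos
    fi
}

# Does a signed binary carry the private entitlement Apple added in 10.10.3?
# Prints yes/no, or skipped where codesign is unavailable.
has_writeconfig_entitlement() {
    command -v codesign >/dev/null 2>&1 || { echo skipped; return; }
    if codesign -d --entitlements :- "$1" 2>/dev/null |
        grep -q com.apple.private.admin.writeconfig; then
        echo yes
    else
        echo no
    fi
}

# Usage: run on each host and collect the output into an inventory.
# printf 'host=%s rootpipe=%s\n' "$(hostname)" "$(host_status)"
```

Note that the script only mirrors what is publicly reported: a host labelled patched-bypass-reported has Apple's entitlement check but, per Wardle, should still be treated as at risk from a local user, which is why Bird's advice about restricting logins applies to every category.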

SC asked Apple to comment on his claims, but the company had not responded by the time of writing.

Wardle's profile on Crunchbase says he holds several classified patents in the areas of cyber-security and cryptography, and has found exploitable zero-day vulnerabilities in major operating systems and client applications.

His work at Synack focuses on automated vulnerability discovery, and emerging OS X and mobile malware threats.