Tweet dreams, Apple hackers – a newly revealed critical vulnerability in OS X Yosemite (version 10.10.x) can be exploited in less than 140 characters.
The privilege-escalation vulnerability was found by security researcher Stefan Esser, who discovered that a new environment variable, DYLD_PRINT_TO_FILE, had been added to the dynamic linker dyld without the usual safeguard that makes dyld ignore DYLD_ variables when it loads SUID root binaries.
“It is possible to use this new feature even with SUID root binaries. This is dangerous, because it allows [it] to open or create arbitrary files owned by the root user anywhere in the file system. Furthermore the opened log file is never closed and therefore its file descriptor is leaked into processes spawned by SUID binaries,” he wrote. “This means child processes of SUID root processes can write to arbitrary files owned by the root user anywhere in the file system. This allows for easy privilege escalation in OS X 10.10.x.”
echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s # via reddit: numinit (shorter)
— Stefan Esser (@i0n1c) July 22, 2015
Gavin Reid, VP of threat intelligence at Lancope, said, “The data available on this exploit shows it is a very serious local privilege escalation. Simple to use and script into kits like Metasploit but still needing to run from a local account.”
Esser has been criticised for publicising this flaw without notifying Apple first. “Responsible disclosure should have been followed rather than tweeting out the proof of concept before Apple were given the chance to analyse the vulnerability and give a timeline to fix, as this needlessly puts users at risk,” said Gavin Millard, technical director (EMEA) at Tenable Network Security.
Oddly, the flaw has been fixed in the beta versions of OS X 10.11 but remains in the beta of OS X 10.10.5. The fix moved the code handling DYLD_PRINT_TO_FILE from the _main function of the dynamic linker dyld into processDyldEnvironmentVariable(), the function that processes the other DYLD_ variables, so that the new variable is now subject to the same SUID restriction as the rest. Esser said the move might be the result of a code cleanup rather than a realisation of the security implications. “However, if this is the result of a security fix then Apple has once again shown how unsupported their current versions become the moment a new beta is in development,” he said.
“It does not appear from the post that Stefan [Esser] had previously reported the flaw to Apple, so it is quite likely as he noted that this was a 'code cleanup' effort as opposed to a 'security patch',” said Michael Sutton, CISO at Zscaler. “If so, that would account for why this was addressed only in the latest beta version of OS X. Apple will now have to issue a patch to address the flaw in supported versions of OS X.”
Esser provided details of how to test a system for the vulnerability, which is quite easy from the command line, along with proof-of-concept code. He also offers an interim fix in the form of a kernel extension that stops all DYLD_ environment variables from being recognised by the dynamic linker for SUID root binaries.
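As an added check, not Esser's own script (which the article only refers to), the following POSIX shell function turns the mechanism described above into a repeatable test: it runs an SUID root binary with DYLD_PRINT_TO_FILE pointing at a path of its choosing and reports whether a root-owned file appeared there. It assumes /usr/bin/newgrp is SUID root, as in the tweeted one-liner, and creates only an empty file under a fresh temporary directory, which it removes afterwards. On patched OS X releases, or on systems whose loader does not know the variable at all, it reports "not vulnerable".

```shell
#!/bin/sh
# Added example, not code from Esser's write-up or from Apple.
# Probe whether a SUID root binary honours DYLD_PRINT_TO_FILE by asking dyld to
# open a log file at a path we choose. On a vulnerable OS X 10.10.x system the
# file is created by the SUID process and therefore owned by root; anywhere else
# either no file appears or it is owned by the calling user.
#
# Usage: check_dyld_print_to_file [suid_binary]
# Returns 0 (vulnerable) only when a root-owned file was created, 1 otherwise.
# Assumption: /usr/bin/newgrp is an SUID root binary, as in the public one-liner.
check_dyld_print_to_file() {
    suid_bin="${1:-/usr/bin/newgrp}"
    probe_dir="$(mktemp -d)" || return 1
    probe="$probe_dir/dyld_print_to_file_probe"

    # Nothing to test if the target binary is not present.
    if ! command -v "$suid_bin" >/dev/null 2>&1; then
        rmdir "$probe_dir"
        return 1
    fi

    # Run the target with the variable set. stdin from /dev/null makes the shell
    # that newgrp spawns exit immediately; all output is discarded.
    DYLD_PRINT_TO_FILE="$probe" "$suid_bin" </dev/null >/dev/null 2>&1 || true

    rc=1
    if [ -e "$probe" ]; then
        # Third column of ls -ld is the owner on both BSD and GNU ls.
        owner="$(ls -ld "$probe" | awk '{print $3}')"
        if [ "$owner" = "root" ]; then
            rc=0   # dyld inside a SUID root process created a file for us
        fi
    fi

    # The probe file is empty and lives in a directory we own, so unlinking it
    # needs no privilege even when root owns it.
    rm -f "$probe" 2>/dev/null
    rmdir "$probe_dir" 2>/dev/null
    return $rc
}

# Stand-alone run: report the result in words.
if check_dyld_print_to_file; then
    echo "VULNERABLE: DYLD_PRINT_TO_FILE is honoured by SUID root binaries"
else
    echo "not vulnerable (or not testable on this system)"
fi
```

The owner check is the important part: a non-SUID binary run with the same variable will also create the file on an unpatched 10.10.x system, but owned by the caller, which is harmless. Only a root-owned file proves that dyld inside a privileged process opened a path the unprivileged user controlled.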
However, Guillaume Ross, senior security consultant strategic services at Rapid7, warned users to wait for the official patch from Apple. “While it is great to see security researchers provide fixes, on top of the information about the vulnerability, we do not recommend that home users of OS X install custom Kernel Extensions (KEXTs), as this can have important security and stability implications,” he said. “These types of system modifications should only be performed by people with a good understanding of the modifications performed on the system.”
Ross elaborated on the nature of the threat: “Privilege escalation/elevation bugs like this are often used as a second step – they come after an attack or malware has taken control of the system to access more information or modify the system further. For this vulnerability to be exploited, something else must be leveraged, such as legitimate access to the computer, malware that is already present or another vulnerability that can be exploited remotely.”
Under the right circumstances, he would rate the threat level as high. “For systems administrators managing OS X servers used by multiple users through SSH or screen-sharing, or for shared OS X computers, such as in a school, this vulnerability should be considered very dangerous, as legitimate users could attempt to use it to elevate privileges and take control of the system, or other users' data,” he said. “It's important to note that the vulnerability is pretty trivial to exercise. Not only is Stefan Esser's write-up very detailed and straightforward, there is a Metasploit module in progress, from community contributor Joe Vennix.”