German researcher Stefan Esser, founder of security audit company SektionEins, has discovered a local privilege escalation (LPE) vulnerability in the Mac OS X operating system that affects OS X 10.10.x. Esser decided to take the full disclosure the vulnerability without previously notifying it to Apple, but it seems that the company was already aware of the flaw in the Mac OS X system because it was reported months ago by the a South Korean researcher known as “beist.”
The flaw resides in a feature introduced by Apple to the dynamic linker “dyld” with the release of OS X 10.10, the vulnerability is related to the environment variable DYLD_PRINT_TO_FILE, which enables error logging to arbitrary files.
“When this variable was added the usual safeguards that are required when adding support for new environment variables to the dynamic linker have not been used. Therefore it is possible to use this new feature even with SUID root binaries. This is dangerous, because it allows to open or create arbitrary files owned by the root user anywhere in the file system. Furthermore the opened log file is never closed and therefore its file descriptor is leaked into processes spawned by SUID binaries. This means child processes of SUID root processes can write to arbitrary files owned by the root user anywhere in the filesystem. This allows for easy privilege escalation in OS X 10.10.x.” Esser reported in a blog post.
Esser has published technical details of the security flaw describing the way to exploit it to gain full privileges on the target system. The researcher also provided a full Proof of Concept Exploit that gives the executing user a local root shell.
The problem for Mac OS X users is that Apple only fixed the vulnerability in the beta versions of OS X El Capitan 10.11, the fix for another version, including the current OS X 10.10.4 or the beta version of OS X 10.10.5. OS X 10.11, is expected to be released by October.
Esser has revealed that the local privilege escalation flaw also affects jailbroken iPhones running iOS 8.x.
Apple users can wait for the fix or install SUIDGuard, a kernel extension that adds mitigations to protect SUID/SGID binaries.
(Security Affairs – Bartalex, macro)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.