OS X Yosemite sports serious privilege escalation bug

A Swedish researcher has unearthed a serious bug that affects the newest version of OS X – version 10.10, or Yosemite – and which could allow attackers to gain complete control of the target’s Mac machine.

It’s a privilege escalation bug he dubbed Rootpipe, but declined to explain why, as the explanation could reveal details that would help attackers find it and create an exploit.

The existence of the flaw has been indirectly confirmed by Apple when they asked the researcher to delay publishing details about it until January 2015, after a fix for the bug is released and pushed out to users.

TrueSec researcher Emil Kvarnhammar says he found the flaw while preparing for two security events at which he wanted to demonstrate one. As not many POC for OS X bugs are published and most affect older versions of the OS, he thought he would try to find one himself.

He admits that he was surprised that he found one after only a few days of binary analysis. “I started looking at the admin operations and found a way to create a shell with root privileges,” he told Magnus Aschan.

“Normally there are ‘sudo’ password requirements, which work as a barrier, so the admin cant gain root access without entering the correct password. However, Rootpipe circumvents this.”

The flaw is present in OS X versions 10.8, 10.9 and 10.10 (Beta 6), and TrueSec released a demo of the exploit:

Users can protect themselves by setting up a new account without administrative permissions and use that one until a patch for the flaw is released, says Kvarnhammar, and adds that it’s a good idea to for them to use Apple’s FileVault hard drive encryption tool.




Share this