Bug in OS X Yosemite allows attackers to gain root access

Security researcher Stefan Esser has revealed the existence of a privilege escalation vulnerability affecting OS X 10.10 (Yosemite), and has provided a working proof-of-concept local exploit that installs a root shell on the target machine.

The vulnerability was introduced in Yosemite along with new features added to the dynamic linker.

“One of these features is the new environment variable DYLD_PRINT_TO_FILE that enables error logging to an arbitrary file. When this variable was added, the usual safeguards that are required when adding support for new environment variables to the dynamic linker were not used. Therefore it is possible to use this new feature even with SUID root binaries,” he explained in a blog post.

“This is dangerous, because it allows one to open or create arbitrary files owned by the root user anywhere in the file system. Furthermore, the opened log file is never closed and therefore its file descriptor is leaked into processes spawned by SUID binaries. This means child processes of SUID root processes can write to arbitrary files owned by the root user anywhere in the file system.”

While the vulnerability is present in OS X 10.10.4 and the beta of OS X 10.10.5, it has been fixed in the beta of the upcoming OS X 10.11 (El Capitan).

But Esser is unsure whether the bug was fixed as a result of a code cleanup, or whether Apple developers found and fixed the flaw on purpose. Apple has yet to offer a comment on this.

For those who use Yosemite and want to plug the hole until Apple gets around to fixing it, Esser has developed a kernel extension that implements several mitigations for weaknesses involving SUID/SGID binaries, including this one.

The Register’s Chris Williams also explained how the flaw can be taken advantage of with a trivial exploit.