A flaw in the latest version of Apple’s operating system, OS X, gives local attackers full root privileges, which could in turn be used to install malware or rootkits on machines running the latest version of OS X.
Security researcher Stefan Esser disclosed the privilege-escalation flaw Tuesday, stating that the bug is the type of security vulnerability attackers regularly exploit to bypass security measures implemented in many modern operating systems and applications.
According to Esser, the OS X privilege-escalation flaw originates from a new error-logging feature that Apple added in OS X 10.10. During development, Apple did not implement the standard safeguards that normally accompany new additions to the OS X dynamic linker, dyld, introducing a flaw that allows attackers to create or open files with root privileges anywhere on the OS X filesystem.
“This is obviously a problem, because it allows the creation or opening (for writing) of any file in the filesystem,” Esser explained. “And because the log file is never closed by dyld and the file is not opened with the close-on-exec flag, the opened file descriptor is inherited by child processes of SUID binaries. This can be easily exploited for privilege escalation.”
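The mechanism Esser describes (a privileged process opens a log file for writing, never closes it, and does not set close-on-exec, so every child it spawns inherits the open descriptor) comes down to two missing safeguards. The C program below is an added example written for this article; it is not code from Esser's post or from Apple's dyld. It opens a scratch log file under /tmp (constructed for the example) once without and once with O_CLOEXEC, execs a child shell, and reports whether the child can write through the inherited descriptor; it also shows the second safeguard, refusing environment-supplied file paths when running with set-user-ID credentials. The `env_value` parameter stands in for whatever variable a real program would read and is a placeholder, not a real dyld setting.

```c
/* Added example (not from the article or from Apple's dyld): the two log-file
 * defects the article describes, each beside its fix. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if running with elevated (set-user-ID / set-group-ID) credentials. */
int running_setuid(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

/* Safeguard 1: a privileged process must not let its caller choose where it
 * writes. Return the environment's path only for an unprivileged process,
 * otherwise NULL (meaning: do not log to a file at all). */
const char *choose_log_path(const char *env_value, int setuid_process) {
    if (setuid_process) return NULL;
    return env_value;
}

/* 1 if fd lacks FD_CLOEXEC and would survive an exec(), 0 if exec would
 * close it, -1 if fd is not open. */
int fd_survives_exec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return (flags & FD_CLOEXEC) ? 0 : 1;
}

/* Safeguard 2: O_CLOEXEC marks the descriptor so exec() closes it before any
 * child program image runs. */
int open_log_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_APPEND | O_CLOEXEC, 0644);
}

/* The pattern the article describes: opened for writing, never closed, and
 * without close-on-exec, so every child process inherits it. */
int open_log_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0644);
}

/* Fork, exec /bin/sh in the child, and have it try to write one byte through
 * the numbered descriptor. Returns 1 if the write succeeded (descriptor was
 * inherited), 0 if the shell found it closed, -1 on error. /bin/sh only
 * accepts single-digit descriptors in ">&N", so fds above 9 return -1. */
int child_can_write_through(int fd) {
    if (fd < 0 || fd > 9) return -1;
    char cmd[64];
    /* stderr is redirected first so the shell's EBADF message is suppressed */
    snprintf(cmd, sizeof cmd, "printf x 2>/dev/null >&%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

/* End-to-end check on a scratch file (constructed for this example): open the
 * log with or without O_CLOEXEC, exec a child, and report whether the child
 * could write through the inherited descriptor. 1 = leaked, 0 = contained. */
int log_fd_leaks_to_child(int use_cloexec) {
    char path[] = "/tmp/logfd_demo_XXXXXX";
    int t = mkstemp(path);
    if (t < 0) return -1;
    close(t);
    int fd = use_cloexec ? open_log_safe(path) : open_log_unsafe(path);
    int result = (fd < 0) ? -1 : child_can_write_through(fd);
    if (fd >= 0) close(fd);
    unlink(path);
    return result;
}

int main(void) {
    printf("without O_CLOEXEC: child can write through log fd = %d\n",
           log_fd_leaks_to_child(0));
    printf("with    O_CLOEXEC: child can write through log fd = %d\n",
           log_fd_leaks_to_child(1));
    printf("running setuid: %d\n", running_setuid());
    return 0;
}
```

Run as an ordinary user it prints 1 for the unsafe open and 0 for the O_CLOEXEC open; the difference is exactly the inheritance Esser describes, and the same F_GETFD check in `fd_survives_exec` is a quick way to audit descriptors a privileged program holds before it spawns children.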
Esser warned that the vulnerability is present in both Apple’s latest 10.10.4 Yosemite release and the current beta of 10.10.5. However, Apple’s latest beta of 10.11 does not contain the flaw, an indication that Apple developers may have been aware of the security hiccup and are working on a fix. The company will likely include a patch for the flaw in the long-awaited OS X updates expected in the coming weeks.
Esser included a proof-of-concept attack in his blog post, pointing out that it is a local exploit, meaning it requires access to the vulnerable system before it can be used.
How might an attacker abuse Esser’s latest OS X root-privileges vulnerability? Flaws of this type are most commonly exploited by authors of malicious applications whose goal is to elevate privileges without prompting the end user for a system password. An attacker could also chain it with a remote exploit: gain access to the system as a regular user, then use the local flaw to unlock root access.
“Local exploits are considered less dangerous than remote exploits,” said Pedro Vilaca, a well-known OS X security researcher. “Still, they can be extremely useful in many scenarios. Local exploits in OS X are by the dozen. It seems everyone has a few.”