OS X 10.10 hit by privilege escalation vulnerability

July 23, 2015 // 11:24 a.m.

Tags: #el-capitan #exploit #insecurity #os-x #os-x-1010 #os-x-1011 #security #vulnerability #yosemite

Companies: #apple

Security researchers have uncovered a serious vulnerability in Apple's OS X 10.10 Yosemite operating system, allowing unprivileged users to exploit an error logging system to gain administrative privileges.

Introduced in OS X 10.10 to make developers' lives easier, the environment variable DYLD_PRINT_TO_FILE was designed to give the dyld dynamic linker the ability to log error messages to an arbitrary file for later review, rather than to the standard error output (stderr). Unfortunately, there's a rather serious flaw in the way it operates: dyld honours the variable even when it is loading a set-user-ID root binary, so an unprivileged user can make dyld write to any file on the system with root privileges - including files unprivileged users should not be able to touch, such as the password file.

According to a write-up of the flaw by security researcher Stefan Esser, exploitation of the flaw is trivial: a test can be carried out by running the one-line command 'EDITOR=/usr/bin/true DYLD_PRINT_TO_FILE=/this_system_is_vulnerable crontab -e', which creates a root-owned file in the root directory of the filesystem regardless of the privileges of the user who ran the command. More seriously, demonstrated exploits for the vulnerability include removing password permissions from arbitrary root-level user accounts and overwriting any binary on the system with malicious code.

Apple has yet to respond to the report, which has shown the vulnerability to work on even the latest OS X 10.10 Beta 5 but to not be present on OS X 10.11 Beta 1 or Beta 2. 'Because it will likely take months for Apple to react to this issue we released a kernel extension that protects from this vulnerability by stopping all DYLD_ environment variables from being recognized by the dynamic linker for SUID root binaries,' Esser wrote. 'In addition to that it adds a mitigation against a common trick to circumvent O_APPEND restrictions on file descriptors.'

Esser's SUIDGuard tool can be found on its GitHub repository.
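The core of the mitigation Esser describes is simple: before a set-user-ID binary's dynamic linker looks at its environment, every DYLD_ variable is discarded. The sketch below is an added illustration of that rule in C; it is not SUIDGuard's code, nor Apple's, and it works on a caller-supplied envp-style array rather than inside dyld. The set-id check (comparing real and effective IDs with getuid/geteuid and getgid/getegid) and the sample environment are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Added illustration (not SUIDGuard's code): remove every entry whose name
 * begins with "DYLD_" from a NULL-terminated envp-style array, in place.
 * Returns the number of entries removed. */
size_t strip_dyld_vars(char **envp) {
    size_t kept = 0, removed = 0;
    for (size_t i = 0; envp[i] != NULL; i++) {
        if (strncmp(envp[i], "DYLD_", 5) == 0) {
            removed++;                 /* drop it: dyld must never see it */
        } else {
            envp[kept++] = envp[i];    /* keep everything else, order preserved */
        }
    }
    envp[kept] = NULL;                 /* re-terminate the compacted array */
    return removed;
}

/* Assumed check: the process is "set-id" when its effective user or group
 * differs from the real one, which is the situation the article's SUID root
 * binaries are in. */
int running_setid(void) {
    return geteuid() != getuid() || getegid() != getgid();
}

/* Policy mirroring the article: only set-id programs have their DYLD_
 * variables stripped; ordinary processes keep them for debugging. */
size_t sanitize_for_setid(char **envp) {
    if (!running_setid())
        return 0;
    return strip_dyld_vars(envp);
}

int main(void) {
    /* Constructed sample environment resembling the article's test command. */
    char *env[] = {
        "EDITOR=/usr/bin/true",
        "DYLD_PRINT_TO_FILE=/this_system_is_vulnerable",
        "PATH=/usr/bin:/bin",
        "DYLD_LIBRARY_PATH=/tmp",
        NULL
    };
    size_t n = strip_dyld_vars(env);
    printf("removed %zu DYLD_ entries; remaining environment:\n", n);
    for (size_t i = 0; env[i] != NULL; i++)
        printf("  %s\n", env[i]);
    return 0;
}
```

In a real linker the filtering would have to happen before any environment-driven behaviour (logging, library search paths) is configured, which is why Esser placed it in a kernel extension rather than relying on the binary itself; the example only shows the filtering rule.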