The bug, originally reported on Tuesday in a blog post written by security engineer Stefan Esser, serves as the exact type of security gap hackers usually exploit to circumvent security protections. Thanks to a clear flaw in the operating system’s code, however, now they don’t have to.
Recently, Microsoft had to issue a fix for bugs in its Windows operating systems that similarly exploited privilege elevations. These were due to an exploit found by Hacking Team, a Milan-based “offensive technology” company employed by governments around the world to deliver malware as a service. Hacking Team was also responsible for the recent exploits that targeted Adobe Flash, whose defenses have been strengthened as a result.
Esser writes that the privilege-escalation bugs found in OS X derive from a new features added in OS X 10.10 designed to log system errors. Developers at Apple, however, neglected to make use of the standard safeguards needed when amending the OS X dynamic linker dyld.
This oversight opens up the opportunity for hackers to initiate or produce files enabling root privileges. Files with such permissions can be dangerous and are able to be stored in any location within the OS X file system.
Additionally, Esser notes that “because the log file is never closed by dyld and the file is not opened with the close on exec flag the opened file descriptor is inherited by child processes of SUID binaries. This can be easily exploited for privilege escalation.”
Users of OS X 10.10.4 Yosemite and the beta version of the next update, 10.10.5, are at risk for the aforementioned vulnerability. The beta version of El Capitan, 10.11, on the other hand, is unburdened.
Esser supplemented his writings with a proof-of-concept exploit code showing how malware developers could elevate privileges without asking end-users for a password. Alternatively, developers of remote exploits whose applications typically carry out malicious code as a regular user rather than as root are also an increased risk.
Nonetheless, it wouldn’t be unusual to see Apple quietly patch this bug out in the coming weeks, as an Apple rep has already mentioned that its engineers are aware of Esser’s blog post.
