Active OS X 10.10 zero-day exploit installs malware without need for system passwords

Posted:
in macOS edited August 2015
A week after researchers discovered a new privilege escalation zero-day vulnerability in Apple's latest version of OS X 10.10.4, an exploit has appeared allowing nefarious hackers to install adware and malware onto a target Mac without requiring system passwords.




Discovered by Malwarebytes, the malware installer takes advantage of new error logging features introduced in the latest version of OS X, reports Ars Technica. Specifically, the installer gains root level permissions by modifying a Mac's sudoers configuration file, leaving it open to install adware like VSearch, Genieo package variations and MacKeeper.

From Malwarebytes:
As can be seen from the code snippet shown here, the script that exploits the DYLD_PRINT_TO_FILE vulnerability is written to a file and then executed. Part of the script involves deleting itself when it's finished.

The real meat of the script, though, involves modifying the sudoers file. The change made by the script allows shell commands to be executed as root using sudo, without the usual requirement for entering a password.

Then the script uses sudo's new password-free behavior to launch the VSInstaller app, which is found in a hidden directory on the installer's disk image, giving it full root permissions, and thus the ability to install anything anywhere. (This app is responsible for installing the VSearch adware.)
Ars Technica first reported on the bug uncovered by researcher Stefan Esser last week, saying developers failed to use standard security protocols OS X dynamic linker dyld. Esser said the vulnerability is present in Apple's current OS X 10.10.4 and recent beta versions of OS X 10.10.5, but not early builds of OS X 10.11.

News of the exploit comes after researchers published a proof-of-concept firmware worm affecting both Mac and PC hardware. Called Thunderstrike 2, the attack targets option ROM on peripherals like Ethernet adapters and SSDs, meaning it spreads simply by connecting an infected device to a Mac.
«13

Comments

  • Reply 1 of 47
    9secondko9secondko Posts: 929member
    Well... Here hoping Tim pushes his gay agenda to the back burner and gets back to doing what Apple is around to do... Make great computers.

    Less time pushing a pet Immoral agenda and more time fixing stuff.
  • Reply 2 of 47
    sirlance99sirlance99 Posts: 1,293member
    9secondko wrote: »
    Well... Here hoping Tim pushes his gay agenda to the back burner and gets back to doing what Apple is around to do... Make great computers.

    Less time pushing a pet Immoral agenda and more time fixing stuff.

    Get out of here with that crap. There's nothing at all wrong with what he is doing.
  • Reply 3 of 47
    9secondko wrote: »
    Well... Here hoping Tim pushes his gay agenda to the back burner and gets back to doing what Apple is around to do... Make great computers.

    Less time pushing a pet Immoral agenda and more time fixing stuff.
    1. There are things that Tim Cook can be criticized for relative to his job performance... being gay is not one of them.

    2. Tim Cook does not personally fix security bugs... that's the engineers' job.

    In short, stupid comment.
  • Reply 4 of 47
    @9secondko....Well... Here hoping Tim pushes his gay agenda to the back burner and gets back to doing what Apple is around to do... Make great computers. Less time pushing a pet Immoral agenda and more time fixing stuff.

    >> What moron. Like Tim is down in the basement writing the code to fix the exploit.
  • Reply 5 of 47
    phone-ui-guyphone-ui-guy Posts: 1,019member
    It sounds like my sudo change to require a password every time may help block part of this.
  • Reply 6 of 47
    freediverxfreediverx Posts: 1,423member
    [QUOTE]9secondko:
    Well... Here hoping Tim pushes his gay agenda to the back burner and gets back to doing what Apple is around to do... Make great computers. Less time pushing a pet Immoral agenda and more time fixing stuff.[/QUOTE]

    We all realize it must be frustrating for you to deal with your repressed homosexual desires, but please seek help for your chosen superstition elsewhere.
  • Reply 7 of 47
    redefilerredefiler Posts: 323member
    It sounds like my sudo change to require a password every time may help block part of this.

    Interesting. How and why did you make this change before? I'm sure Apple will stomp on this bug sooner or later, but would be great if it's a viable method for helping protect older OS X based users.
  • Reply 8 of 47
    konqerrorkonqerror Posts: 685member
    Quote:

    Originally Posted by Phone-UI-Guy View Post



    It sounds like my sudo change to require a password every time may help block part of this.

     

    Nope. The sudoers man page says

    Quote:


     When multiple entries match for a user, they are applied in order. Where there are multiple matches, the last match is used (which is not necessarily the most specific match).


     

    The code in the screenshot appends the sudo bypass to the end, so your fix makes no difference.

  • Reply 9 of 47
    lkrupplkrupp Posts: 10,557member

    I don’t know any nefarious hackers, only normal hackers, so I’m safe. No need to hide under my bed and bite my nails in fear. 

  • Reply 10 of 47
    [CODE]$ echo 'echo bar >&3' | DYLD_PRINT_TO_FILE=/System/foo newgrp
    $ ls /System/
    Library foo
    $ more /System/foo
    bar[/CODE]

    Yup, it lets you write pretty much anything to any protected location on the system. That's... not good.
  • Reply 11 of 47
    cash907cash907 Posts: 893member
    So, when it's an android or windows weakness, it's the fault of the software developers, but when it's a weakness in iOS or OS X, ooooo it's those dirty "nefarious" hackers.

    The blame shuffling going on here is impressive.
  • Reply 12 of 47
    mystigomystigo Posts: 183member

    This is as bad as it gets. This is not some garbage "attacker has to sneak over to your machine while you are on break and you left the machine with a root shell running" kind of attack. I verified the hack as well. It is very real and extraordinarily dangerous. Let's see how fast Apple can react in a real emergency.

  • Reply 13 of 47
    According the the article ....

    Esser said the vulnerability is present in Apple's current OS X 10.10.4 and recent beta versions of OS X 10.10.5, but not early builds of OS X 10.11.

    So it's already been fixed ... Doh!
  • Reply 14 of 47
    MacProMacPro Posts: 19,712member
    steverance wrote: »
    According the the article ....

    Esser said the vulnerability is present in Apple's current OS X 10.10.4 and recent beta versions of OS X 10.10.5, but not early builds of OS X 10.11.

    So it's already been fixed ... Doh!

    Exactly.
  • Reply 15 of 47
    solipsismysolipsismy Posts: 5,099member
    steverance wrote: »
    According the the article ....

    Esser said the vulnerability is present in Apple's current OS X 10.10.4 and recent beta versions of OS X 10.10.5, but not early builds of OS X 10.11.

    So it's already been fixed ... Doh!

    If your firmware was infected before installing El Cap will it still be vulnerable after the upgrade?
  • Reply 16 of 47
    MacProMacPro Posts: 19,712member
    $ echo 'echo bar >&3' | DYLD_PRINT_TO_FILE=/System/foo newgrp
    $ ls /System/
    Library	foo
    $ more /System/foo
    bar
    

    Yup, it lets you write pretty much anything to any protected location on the system. That's... not good.

    10.11 will be out soon or at least the patch in it for existing 10.10 I'm sure.
  • Reply 17 of 47
    steverance wrote: »
    According the the article ....

    Esser said the vulnerability is present in Apple's current OS X 10.10.4 and recent beta versions of OS X 10.10.5, but not early builds of OS X 10.11.

    So it's already been fixed ... Doh!
    My guess would be that the Rootless feature in 10.11 would probably prevent this from writing to /etc/sudoers, but I haven't had time to test it yet.
  • Reply 18 of 47
    cashxxcashxx Posts: 114member
    Quote:

    Originally Posted by Mystigo View Post

     

    This is as bad as it gets. This is not some garbage "attacker has to sneak over to your machine while you are on break and you left the machine with a root shell running" kind of attack. I verified the hack as well. It is very real and extraordinarily dangerous. Let's see how fast Apple can react in a real emergency.




    I would say it gets fixed in 10.10.5.  Its still early in beta.

  • Reply 19 of 47
    cashxxcashxx Posts: 114member
    Quote:

    Originally Posted by Durandal1707 View Post





    My guess would be that the Rootless feature in 10.11 would probably prevent this from writing to /etc/sudoers, but I haven't had time to test it yet.



    I don't think rootless protects /etc.  In early builds I think I could still write to it with rootless enabled.

  • Reply 20 of 47
    Quote:

    Originally Posted by SolipsismY View Post





    If your firmware was infected before installing El Cap will it still be vulnerable after the upgrade?

     

    Hi SolipsismY, the very last paragraph of this article relates to a firmware worm that is unrelated to the permissions escalation problem in the rest of this article. You might find you get more help by clicking into the Thunderstrike 2 article and asking there. 

Sign In or Register to comment.