TrueSec outlines "Rootpipe" privilege escalation vulnerability in Mac OS X Yosemite

Posted in macOS, edited November 2014
Speaking at the Øredev Developer Conference in Malmö, Sweden, Emil Kvarnhammar of security firm TrueSec demonstrated a privilege escalation vulnerability affecting OS X 10.8.5 through the newest 10.10 Yosemite.

Details on the #rootpipe exploit will be presented, but not now. Let's just give Apple some time to roll out a patch to affected users.

— Emil Kvarnhammar (@emilkvarnhammar)


The Swedish "white-hat hacker" notified Apple of the vulnerability two weeks ago, and agreed not to reveal details of how it works until January, allowing Apple and its customers time to address the issue before a malicious agent could begin exploiting the flaw TrueSec identified.

Dubbed "Rootpipe," the flaw allows software running under an account with admin privileges to gain root access via the "sudo" command without actually authenticating. Normally, an admin user is blocked from gaining root powers with sudo unless the user re-enters his admin password. Malware could potentially use this mechanism to install itself without requiring an admin password, much as on Windows.

In a report by Macworld, Kvarnhammar stated that he had been looking for a modern Mac vulnerability to demonstrate at the event, "but relatively few have been published. There are a few 'proof of concepts' online, but the latest I found affected the older 10.8.5 version of OS X. I couldn't find anything similar for 10.9 or 10.10."

After "a few days of binary analysis," the researcher identified a flaw affecting Mountain Lion, and after studying changes Apple made in Mavericks and the latest Yosemite, he figured out how to bypass security measures while running within an admin account.

Kvarnhammar noted "there was no discussion: we do responsible disclosure. But we also wanted to announce that we found a serious flaw; there is a big risk here."

Responsible disclosure vs. dropping a Zero-day

In a security context, "responsible disclosure" generally means that researchers who discover a serious flaw will notify the software vendor with details at least 90 days before publicly disclosing how the flaw actually works and how it can be exploited, allowing time for the issue to be addressed and patches to be distributed to users.

If a working exploit is developed before the vendor can patch it (or before the vendor is even aware of the vulnerability), it is called a "Zero-day."

Rather than following responsible disclosure, less scrupulous hackers sell Zero-day exploits for big money to malicious and/or government agencies to exploit users before a patch can be created.

Apple's OS X XProtect system can disable zero-day vulnerable plugin components and quarantine malware before patches can be rolled out. Last year, Apple remotely disabled Java 7 after the U.S. Department of Homeland Security warned of a serious zero-day flaw in the software. Apple also routinely blocks older, insecure versions of Adobe Flash.

Bypassing the Rootpipe vulnerability

Until the Rootpipe flaw is fixed, Mac users can restrict themselves to working within a non-admin account, which is generally considered to be a good idea anyway. To do this, users create a secondary account with admin privileges, then use that account to remove admin rights from their own account. A user account without admin rights must specifically authenticate with a separate admin account and password in order to perform certain tasks like installing printer drivers or other software with system-level access.
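The mitigation above hinges on which local accounts belong to the admin group. As an added example (not code from the article or from TrueSec), this shell script audits that group by reading it with dscl; the parsing functions are exercised on a constructed sample so they run anywhere, and the live query only executes where dscl exists (macOS). It reports, it does not demote: removing admin rights is still done as the article describes.

```shell
#!/bin/sh
# Added example: list the accounts that hold admin rights on a Mac, the
# precondition the article's "work as a non-admin" advice removes.

# Parse the "GroupMembership:" line that `dscl . -read /Groups/admin` prints
# and emit one member name per line.
admin_members_from() {
    printf '%s\n' "$1" | awk '/^GroupMembership:/ { for (i = 2; i <= NF; i++) print $i }'
}

# Return 0 if user $2 appears among the admin members in record $1, else 1.
is_admin_member() {
    admin_members_from "$1" | grep -qx -- "$2"
}

# Constructed sample (not captured from a real machine) of the admin group
# record on a Mac whose first user, "alice", is still an administrator.
SAMPLE_ADMIN_RECORD='AppleMetaNodeLocation: /Local/Default
GroupMembership: root alice
Password: *
PrimaryGroupID: 80
RealName: Administrators
RecordName: admin
RecordType: dsRecTypeStandard:Groups'

# Live audit: runs only on macOS, where dscl is available.
if command -v dscl >/dev/null 2>&1; then
    record=$(dscl . -read /Groups/admin GroupMembership)
    echo "Local admin accounts:"
    admin_members_from "$record" | sed 's/^/  /'
    me=$(id -un)
    if is_admin_member "$record" "$me"; then
        echo "$me is an admin; the article's advice is to demote this account"
    else
        echo "$me is a standard (non-admin) user"
    fi
fi
```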

Kvarnhammar also recommended using FileVault, Apple's hard drive encryption for Mac users, noting "This is a great way of protecting your data, especially if your computer gets stolen."



In addition to hacking Macs, Kvarnhammar also hacked Samsung Knox running on Android phones. The Øredev Developer Conference runs through the end of this week, and includes sessions ranging from its security track to Apple's Swift programming language and web development.

Comments

  • Reply 1 of 46
    indyfx (Posts: 321, member)
    It's not clear from the report if the user needs to have root enabled (root is disabled by default) for this to work.

    My guess (since the a-hole dropped it without giving Apple much notice) is it doesn't work and this is just another BS exploit fabricated by someone wanting their 5 minutes of press.

    Time will tell.
  • Reply 2 of 46
    Quote:
    My guess (since the a-hole dropped it without giving Apple notice) is it doesn't work and this is just another BS exploit fabricated by someone wanting their 5 minutes of press.

    Did you not read the article?

    The Swedish "white-hat hacker" notified Apple of the vulnerability two weeks ago, and agreed not to reveal details of how it works until January, allowing Apple and its customers time to address the issue before a malicious agent could begin exploiting the flaw TrueSec identified.
  • Reply 3 of 46
    Quote:
    Originally Posted by IndyFX

    "since the a-hole dropped it without giving apple much notice"

    I quote from the article:

    "The Swedish 'white-hat hacker' notified Apple of the vulnerability two weeks ago, and agreed not to reveal details of how it works until January"

  • Reply 4 of 46
    aplnub (Posts: 2,605, member)
    How many operate in a non-admin account on their Mac?
  • Reply 5 of 46
    Quote:
    Originally Posted by AppleInsider

    Until the Rootpipe flaw is fixed, Mac users can restrict themselves to working within a non-admin account, which is generally considered to be a good idea anyway.

    I'd say it is more than just 'generally considered to be a good idea'.

  • Reply 6 of 46
    Quote:
    Originally Posted by aplnub

    How many operate in a non-admin account on their mac?

    Everybody on our network except actual 'admins'.  No 'general user' has 'admin' privileges.  100+ Macs.

  • Reply 7 of 46
    Quote:
    Originally Posted by tumme-totte

    I quote from the article:

    "The Swedish 'white-hat hacker' notified Apple of the vulnerability two weeks ago, and agreed not to reveal details of how it works until January"

    Still semi-irresponsible though. You would normally give the vendor much more time to push out a fix; now everybody knows where to look.

    If after several months of no action then hint at the issue to put pressure on the vendor to fix, but not after just two weeks.

  • Reply 8 of 46
    Quote:
    Originally Posted by aplnub

    How many operate in a non-admin account on their mac?

    hopefully everybody!

  • Reply 9 of 46
    indyfx (Posts: 321, member)
    Quote:
    Originally Posted by aplnub

    How many operate in a non-admin account on their mac?

    Almost none (outside enterprise, where it is common), but the same is true of root. How many end users have root enabled? Virtually zero.

    I am not sure that you can bypass the authentication to first enable root from shell (using this exploit). You certainly can't su to root. (in the default setup)

    Again time will tell exactly what this is, or is not. (i.e. does root need to be enabled for this to work, which would mean it wouldn't affect 99% of users. And of the 1% that did have root enabled 99.9% are high level developers, for which tracking and removing such an executable would be a trivial task)

    PPP, I should have added "sufficient" or "much" notice, I was editing to add that when you quoted me (you'll note that t-t quoted 15 seconds after you and got the edit)

  • Reply 10 of 46
    indyfx (Posts: 321, member)
    Quote:
    Originally Posted by tumme-totte

    I quote from the article:

    "The Swedish 'white-hat hacker' notified Apple of the vulnerability two weeks ago, and agreed not to reveal details of how it works until January"

    Yeah I saw it... two weeks is not considered much notice.

    I would love to know the particulars, did he say he wasn't going to reveal till January and then gave this little press release? (which unfortunately is almost like a zero day, as it gives criminal hackers huge hints as to the area of the problem and even gives the mechanics of the exploit)

    Question is, was this November announcement a surprise to Apple. I'm betting it was.

    In any case, two weeks is not sufficient (nor the generally accepted) lead time to reveal a security exploit.

  • Reply 11 of 46
    Quote:
    Originally Posted by IndyFX

    In any case, two weeks is not sufficient (nor the generally accepted) lead time to reveal a security exploit.

    He didn't reveal the exploit, he revealed the existence of an exploit.

    And to quote the guy himself...

    Kvarnhammar said, "The current agreement with Apple is to disclose all details in mid-January 2015. This might sound like a long wait, but hey, time flies. It's important that they have time to patch, and that the patch is available for some time."

  • Reply 12 of 46
    Root is disabled by default, non-issue
  • Reply 13 of 46
    malax (Posts: 1,598, member)

    I give this guy a thumbs up for his work and his approach.  Based on my reading of this (especially the fact that earlier versions of OS X didn't have the flaw), it probably won't be that hard for Apple to fix it.  If Apple reaches out to this guy in early January and says a patch won't be released until Feb 1 then I expect he'll hold off on his big reveal.  If he doesn't then he might deserve to be called mean names.  Until then, he's done us all a favor by finding a flaw and notifying Apple.  I don't have a problem with his taking credit for doing so.

  • Reply 14 of 46
    Quote:
    Originally Posted by Jack Zahran

    Root is disabled by default, non-issue

    According to the original article there is no mention of root being required, just running as Administrator is enough. The default account when installing OS X is an Administrator account.

  • Reply 15 of 46
    lkrupp (Posts: 10,557, member)

    Once again it looks like we have a flaw that requires the bad guy to be sitting in front of your computer and logged in as an admin to accomplish the hack. So I'm pretty sure the average user doesn't really have to worry much about this. Business or educational settings maybe, but not individual home users. Should it be patched? Yes. Is it a BIG DEAL? Nope.

  • Reply 16 of 46
    I wonder if this is related to something I've noticed about running Apple Remote Desktop as an admin.

    I can execute a Unix command with root as the specified user without entering a password for root, or enabling it for that matter.

    Has anyone else wondered why this is allowed?

  • Reply 17 of 46
    asdasd (Posts: 5,686, member)
    The whole escalating to root is overdone anyways. Since it can only be done on an admin account and only with root turned on by the admin user previously and from a logged in session in Terminal you don't gain much except access to some system folders not normally accessible.

    You already have the admin user's info and that user can access any local account. He also has the admin user's personal data as he is logged in as the admin user.

    Average user at home is compromised without a root escalation by then.
  • Reply 18 of 46
    asdasd (Posts: 5,686, member)
    scartart wrote:
    hopefully everybody!

    Apple sets up the default as admin. So probably very few people.
  • Reply 19 of 46
    rob53 (Posts: 3,251, member)
    Quote:
    Originally Posted by asdasd

    Apple sets up the default as admin. So probably very few people.

    I thought at one time the OS X install process set up the initial admin account, then suggested/required the setup of a non-admin, regular user account. This is how it should be done; otherwise OS X is set up exactly like Windows, which we all complain about being easy to install software on without authentication. It's how I do it, but that comes from years of managing government systems.

    To configure sudo for a non-admin account, you also need to specifically edit the sudo users file using the admin account. This might be too much for non-technical users but then again, sudo'ing isn't something regular users should be doing.

  • Reply 20 of 46
    No doubt Apple will take all of that 90 days of grace to patch this hole and/or figure out another backdoor to intentionally program into OS X. Probably too cynical but maybe not.

    Either way I'm interested to know how and why Apple introduced changes to OS X that can result in such a significant (by the sounds of things) vulnerability.
