TrueSec outlines "Rootpipe" privilege escalation vulnerability in Mac OS X Yosemite
Speaking at the Øredev Developer Conference in Malmö, Sweden, Emil Kvarnhammar of security firm TrueSec demonstrated a privilege escalation vulnerability affecting OS X 10.8.5 through the newest 10.10 Yosemite.
Details on the #rootpipe exploit will be presented, but not now. Let's just give Apple some time to roll out a patch to affected users.
— Emil Kvarnhammar (@emilkvarnhammar)
The Swedish "white-hat hacker" notified Apple of the vulnerability two weeks ago, and agreed not to reveal details of how it works until January, allowing Apple and its customers time to address the issue before a malicious agent could begin exploiting the flaw TrueSec identified.
Dubbed "Rootpipe," the flaw allows software running under an account with admin privileges to gain root access via the "sudo" command without actually authenticating. Normally, sudo will not grant an admin user root privileges until that user re-enters their admin password. This mechanism could potentially be used by malware to install itself without requiring an admin password, much as it can on Windows.
In a report by Macworld, Kvarnhammar stated that he had been looking for a modern Mac vulnerability to demonstrate at the event, "but relatively few have been published. There are a few 'proof of concepts' online, but the latest I found affected the older 10.8.5 version of OS X. I couldn't find anything similar for 10.9 or 10.10."
After "a few days of binary analysis," the researcher identified a flaw affecting Mountain Lion, and after studying changes Apple made in Mavericks and the latest Yosemite, he figured out how to bypass security measures while running within an admin account.
Kvarnhammar noted "there was no discussion: we do responsible disclosure. But we also wanted to announce that we found a serious flaw; there is a big risk here."
Responsible disclosure vs. dropping a Zero-day
In a security context, "responsible disclosure" generally means that researchers who discover a serious flaw will notify the software vendor with details at least 90 days before publicly disclosing how the flaw actually works and how it can be exploited, allowing time for the issue to be addressed and patches to be distributed to users.
If a working exploit is developed before the vendor can patch it (or before the vendor is even aware of the vulnerability), it is called a "Zero-day."
Rather than following responsible disclosure, less scrupulous hackers sell Zero-day exploits for big money to malicious and/or government agencies to exploit users before a patch can be created.
Apple's OS X Xprotect system can disable zero-day vulnerable plugin components and quarantine malware before patches can be rolled out. Last year, Apple remotely disabled Java 7 after the U.S. Department of Homeland Security warned of a serious zero-day flaw in the software. Apple also routinely blocks older, insecure versions of Adobe Flash.
Bypassing the Rootpipe vulnerability
Until the Rootpipe flaw is fixed, Mac users can restrict themselves to working within a non-admin account, which is generally considered to be a good idea anyway. To do this, users create a secondary account with admin privileges, then use that account to remove admin rights from their own account. A user account without admin rights must specifically authenticate with a separate admin account and password in order to perform certain tasks like installing printer drivers or other software with system-level access.

Kvarnhammar also recommended using FileVault, Apple's hard drive encryption for Mac users, noting "This is a great way of protecting your data, especially if your computer gets stolen."
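The mitigation above depends on knowing which accounts on a Mac actually hold admin rights. The following audit script is an added example (not from the article or from TrueSec): it reads the local `admin` group membership and the user list in the output format of the real `dscl` tool, and reports the human accounts (UID 500 and above) that are admins; the `dscl` output embedded in the script is constructed sample data so it also runs on a machine without `dscl`.

```sh
#!/bin/sh
# admin_audit.sh: list human (UID >= 500) accounts that are members of the
# local "admin" group, i.e. accounts under which software can reach sudo.
# Input format follows `dscl . -read /Groups/admin GroupMembership` and
# `dscl . -list /Users UniqueID`; the samples below are constructed.

# Constructed sample of `dscl . -read /Groups/admin GroupMembership`.
SAMPLE_ADMIN_GROUP='GroupMembership: root alice carol'
# Constructed sample of `dscl . -list /Users UniqueID` (name, UID).
SAMPLE_USERS='_mbsetupuser 248
alice 501
bob 502
carol 503
root 0'

# admin_members "<group output>": print each admin group member on its own line.
admin_members() {
    printf '%s\n' "$1" | sed -n 's/^GroupMembership: *//p' | tr ' ' '\n' | sed '/^$/d'
}

# human_admins "<group output>" "<users output>": print accounts that are both
# in the admin group and have UID >= 500; root and system accounts are skipped.
human_admins() {
    admin_members "$1" | while read -r name; do
        uid=$(printf '%s\n' "$2" | awk -v n="$name" '$1 == n { print $2 }')
        if [ -n "$uid" ] && [ "$uid" -ge 500 ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Live audit when dscl is available (macOS); otherwise audit the sample data.
# To demote an account from the secondary admin account, the page's procedure
# maps to: dseditgroup -o edit -d <username> -t user admin
if command -v dscl >/dev/null 2>&1; then
    human_admins "$(dscl . -read /Groups/admin GroupMembership)" "$(dscl . -list /Users UniqueID)"
else
    echo "dscl not found; auditing constructed sample data instead:"
    human_admins "$SAMPLE_ADMIN_GROUP" "$SAMPLE_USERS"
fi
```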
Hacking #android #galaxy s4 with #knox demoed by @emilkvarnhammar #oredev #securityconf pic.twitter.com/t1vMLKoGEi
— Andreas Hammar (@andyhammar)
In addition to hacking Macs, Kvarnhammar also hacked Samsung Knox running on Android phones. The Øredev Developer Conference runs through the end of this week, and includes sessions ranging from its security track to Apple's Swift programming language and web development.
Comments
My guess (since the a-hole dropped it without giving apple much notice) is it doesn't work and this is just another BS exploit fabricated by someone wanting their 5 minutes of press.
Time will tell.
My guess (since the a-hole dropped it without giving apple notice) is it doesn't work and this is just another BS exploit fabricated by someone wanting their 5 minutes of press.
Did you not read the article?
The Swedish "white-hat hacker" notified Apple of the vulnerability two weeks ago, and agreed not to reveal details of how it works until January, allowing Apple and its customers time to address the issue before a malicious agent could begin exploiting the flaw TrueSec identified.
"since the a-hole dropped it without giving apple much notice"
I quote from the article:
"The Swedish 'white-hat hacker' notified Apple of the vulnerability two weeks ago, and agreed not to reveal details of how it works until January"
Until the Rootpipe flaw is fixed, Mac users can restrict themselves to working within a non-admin account, which is generally considered to be a good idea anyway.
I'd say it is more than just 'generally considered to be a good idea'.
How many operate in a non-admin account on their mac?
Everybody on our network except actual 'admins'. No 'general user' has 'admin' privileges. 100+ Macs.
I quote from the article:
"The Swedish 'white-hat hacker' notified Apple of the vulnerability two weeks ago, and agreed not to reveal details of how it works until January"
Still semi-irresponsible though. You would normally give the vendor much more time to push out a fix, now everybody knows where to look.
If after several months of no action then hint at the issue to put pressure on the vendor to fix, but not after just two weeks.
How many operate in a non-admin account on their mac?
hopefully everybody!
How many operate in a non-admin account on their mac?
Almost none (outside enterprise, where it is common), but the same is true of root. How many end users have root enabled? Virtually zero.
I am not sure that you can bypass the authentication to first enable root from shell (using this exploit). You certainly can't su to root. (in the default setup)
Again, time will tell exactly what this is, or is not. (i.e. does root need to be enabled for this to work, which would mean it wouldn't affect 99% of users. And of the 1% that did have root enabled, 99.9% are high-level developers, for whom tracking and removing such an executable would be a trivial task.)
PPP, I should have added "sufficient" or "much" notice, I was editing to add that when you quoted me (you'll note that t-t quoted 15 seconds after you and got the edit)
I quote from the article:
"The Swedish 'white-hat hacker' notified Apple of the vulnerability two weeks ago, and agreed not to reveal details of how it works until January"
Yeah, I saw it... two weeks is not considered much notice.
I would love to know the particulars, did he say he wasn't going to reveal till January and then gave this little press release? (which unfortunately is almost like a zero day, as it gives criminal hackers huge hints as to the area of the problem and even gives the mechanics of the exploit)
Question is, was this November announcement a surprise to Apple. I'm betting it was.
In any case, two weeks is not sufficient (nor the generally accepted) lead time to reveal a security exploit.
In any case, two weeks is not sufficient (nor the generally accepted) lead time to reveal a security exploit.
He didn't reveal the exploit, he revealed the existence of an exploit.
And to quote the guy himself...
Kvarnhammar said, "The current agreement with Apple is to disclose all details in mid-January 2015. This might sound like a long wait, but hey, time flies. It's important that they have time to patch, and that the patch is available for some time."
I give this guy a thumbs up for his work and his approach. Based on my reading of this (especially the fact that earlier versions of OS X didn't have the flaw), it probably won't be that hard for Apple to fix it. If Apple reaches out to this guy in early January and says a patch won't be released until Feb 1 then I expect he'll hold off on his big reveal. If he doesn't then he might deserve to be called mean names. Until then, he's done us all a favor by finding a flaw and notifying Apple. I don't have a problem with his taking credit for doing so.
Root is disabled by default, non-issue
According to the original article there is no mention of root being required, just running as Administrator is enough. The default account when installing OSX is an Administrator account.
Once again it looks like we have a flaw that requires the bad guy to be sitting in front of your computer and logged in as an admin to accomplish the hack. So I’m pretty sure the average user doesn’t really have to worry much about with this. Business or educational settings maybe but not individual home users. Should it be patched? Yes. Is it a BIG DEAL? Nope.
I wonder if this is related to something I've noticed about running Apple Remote Desktop as an admin.
I can execute a Unix command with root as the specified user without entering a password for root, or enabling it for that matter.
Has anyone else wondered why this is allowed?
You already have the admin user's info, and that user can access any local account. He also has the admin user's personal data, as he is logged in as the admin user.
Average user at home is compromised without a root escalation by then.
Apple sets up the default as admin. So probably very few people.
Apple sets up the default as admin. So probably very few people.
I thought at one time the OSX install process set up the initial admin account, then suggested/required the setup of a non-admin, regular user account. This is how it should be done; otherwise OSX is set up exactly like Windows, which we all complain about being easy to install software on without authentication. It's how I do it, but that comes from years of managing government systems.
To configure sudo for a non-admin account, you also need to specifically edit the sudo users file using the admin account. This might be too much for non-technical users but then again, sudo'ing isn't something regular users should be doing.
No doubt Apple will take all of that 90 days of grace to patch this hole and/or figure out another backdoor to intentionally program into OS X. Probably too cynical but maybe not.
Either way I'm interested to know how and why Apple introduced changes to OS X that can result in such a significant (by the sounds of things) vulnerability.