New privilege escalation exploit discovered in OS X Yosemite, also affects just-released 10.10.5

245

Comments

  • Reply 21 of 92
    mojo66mojo66 Posts: 20member

    I've compiled the source code and can confirm that it leads to a root shell from a non-priviliged account:

     


    ?20:20:15 #46 > id
    uid=502(renatemustermann) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),100(_lpoperator)
    20:20:19 #47 > /tmp/tpwn 
    leaked kaslr slide, @ 0x000000000de00000
    sh-3.2# id
    uid=0(root) gid=0(wheel) egid=20(staff) groups=0(wheel),1(daemon),2(kmem),3(sys),4(tty),5(operator),8(procview),9(procmod),12(everyone),20(staff),29(certusers),61(localaccounts),80(admin),33(_appstore),98(_lpadmin),100(_lpoperator),204(_developer),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh)
  • Reply 22 of 92
    Quote:

    Originally Posted by rob53 View Post

     

    What interests me more is the comment about rootless in 10.11. "Rootless is designed to restrict third-party applications from modifying certain parts of the system -- even if they are running as root -- in a manner similar to the more aggressive sandboxing in iOS." I see this as affecting every single system utility application, many of which aren't available on the App Store because they need to act as root to do their job. 




    I'm running El Capitan Public Beta with rootless enabled and I can run the system utilities I used in Yosemite (caffeine, Paste, Macs Fan Control, BetterTouchTool and even homebrew). Utilities that modify system apps (like TotalFinder) don't work because they inject code in one of the protected system folders — not every system folder is protected though, like /usr/local, and Apple will move third-party folders currently residing in protected system folders to /usr/local. Also, Apple-signed apps are special and can modify system folders. Besides, you can turn rootless off. For more information, read this thread.

  • Reply 23 of 92
    knowitallknowitall Posts: 1,648member
    repmeer wrote: »
    His developer account should be revoked for this.

    He doesn't need a developer account to be able to do this.
  • Reply 24 of 92
    knowitallknowitall Posts: 1,648member
    Is your comment is some kind of defensive shield magic?  For who?  Help me understand why your kind of comment is posted.  It says that criticism of Apple in any form should be considered enemy fire.

    Maybe he is afraid that someone like me posts a comment that "Apple is clearly dropping the ball on this by apparently not having a dedicated team on security and should step up its efforts by assigning a group of hackers to test the (new) software they release"
  • Reply 25 of 92
    boredumbboredumb Posts: 1,418member

    If you tell the public first, aren't you telling the company/author at the same time?

    I can't see why it's a bad thing to tell everyone as soon as possible, 

    unless you think it would spoil the tea and crumpets, gentleman's handshake atmosphere

    we all expect in tech...

  • Reply 26 of 92
    bighypebighype Posts: 148member
    Luca Todesco is such an a-hole for not disclosing it to Apple. Hope he gets hacked and everything he owns exposed! What an a-hole!
  • Reply 27 of 92
    rob53rob53 Posts: 3,057member
    Quote:

    Originally Posted by Mojo66 View Post

     

    I've compiled the source code and can confirm that it leads to a root shell from a non-priviliged account:

     


    ?20:20:15 #46 > id
    uid=502(renatemustermann) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),100(_lpoperator)
    20:20:19 #47 > /tmp/tpwn 
    leaked kaslr slide, @ 0x000000000de00000
    sh-3.2# id
    uid=0(root) gid=0(wheel) egid=20(staff) groups=0(wheel),1(daemon),2(kmem),3(sys),4(tty),5(operator),8(procview),9(procmod),12(everyone),20(staff),29(certusers),61(localaccounts),80(admin),33(_appstore),98(_lpadmin),100(_lpoperator),204(_developer),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh)

    Thanks for testing it. Did you have to be root/admin in order to compile it or was it able to escalate your non-admin privileges to root?

     

    Now what can you do with it? How do you get someone to install or compile it on their Mac and run it? (from article "who relies on a combination of attacks"). Any idea what this combination would be? Even though I didn't complete my original sentence, I know what root access gives you but I'd still like to understand how delivery of this package would grant someone root access on someone else's Mac. I'd guess 99% of Mac users set themselves up with admin privileges (instead of creating an admin user then non-admin users for everyday use--Apple needs to fix their setup procedure to get people to not use the first account (admin) for everything) anyway so getting onto their Macs gives them just about everything without needing root privileges.

  • Reply 28 of 92
    Quote:

    Originally Posted by knowitall View Post





    He doesn't need a developer account to be able to do this.

    Maybe not but the topic states that he is a developer. 

  • Reply 29 of 92
    I'm with digitalclips on this one. Not notifying the software author first, and giving them some time to release a patch before public disclosure, is pure asshattery, in my opinion.

    My guess is that since it was going to be patched in El Capitan, he is going for his 15 minutes now. If Apple ignored his find that's one thing, but not even giving them the time to fix it or making them aware of the exploit seems like he is trying to get attention.
  • Reply 30 of 92

    First class prat for not reporting this first to Apple, it's only common sense to give the vendor time to produce a fix before going public With a vulnerability - it's not as though you don't still get the glory for finding the problem in the first place.

     

    It's a bit of an exaggeration to call it a 'zero day exploit' though, it has yet (as far as we know) to be exploited. A proof of principle app from a (supposedly) responsible researcher is not an exploit.

     

    Good advice from rob53 too: don't do your usual work in an Admin account, save that for system maintenance that needs Admin privilege.

  • Reply 31 of 92



    No, this exploit does not require physical access to the computer.  All it requires is for a user to run a script (which may be hidden within an application) that contains the exploit.  If the bad guy tricks me into running his script then my machine is compromised.

  • Reply 32 of 92
    mojo66mojo66 Posts: 20member
    Quote:

    Originally Posted by rob53 View Post

     

    Thanks for testing it. Did you have to be root/admin in order to compile it or was it able to escalate your non-admin privileges to root?

     

    Now what can you do with it? How do you get someone to install or compile it on their Mac and run it? (from article "who relies on a combination of attacks"). Any idea what this combination would be? Even though I didn't complete my original sentence, I know what root access gives you but I'd still like to understand how delivery of this package would grant someone root access on someone else's Mac. I'd guess 99% of Mac users set themselves up with admin privileges (instead of creating an admin user then non-admin users for everyday use--Apple needs to fix their setup procedure to get people to not use the first account (admin) for everything) anyway so getting onto their Macs gives them just about everything without needing root privileges.




    No elevated privileges were required to compile. 

     

    Exploit scenarios are for example malware which seeks to take over full control of the machine in order to scan corporate networks or implant itself into the UEFI.

     

    Whether the infected account is set up as an admin account or not doesn't matter for this kind of exploit. Contrary to Windows, a user account created by the system preferences on a Mac is always non-root . The setting "allow user to administer this computer" just adds the account to /etc/sudoers. To gain root privileges, you still have to enter a password.

  • Reply 33 of 92
    MacProMacPro Posts: 19,505member
    Good thing I never upgraded from Mavericks. /s

    From what I read if you upgrade to El Capitan beta you would be.
  • Reply 34 of 92
    MacProMacPro Posts: 19,505member
    boredumb wrote: »
    If you tell the public first, aren't you telling the company/author at the same time?
    I can't see why it's a bad thing to tell everyone as soon as possible, 
    unless you think it would spoil the tea and crumpets, gentleman's handshake atmosphere
    we all expect in tech...

    You'd also be telling the black hats. Common sense would dictate it is essential to notify the software developer first, be that Google, Microsoft or Apple etc..
  • Reply 35 of 92
    dasanman69dasanman69 Posts: 13,002member
    boredumb wrote: »
    If you tell the public first, aren't you telling the company/author at the same time?
    I can't see why it's a bad thing to tell everyone as soon as possible, 
    unless you think it would spoil the tea and crumpets, gentleman's handshake atmosphere
    we all expect in tech...

    You'd also be telling the black hats. Common sense would dictate it is essential to notify the software developer first, be that Google, Microsoft or Apple etc..

    Sadly, common sense isn't all that common.
  • Reply 36 of 92
    tenlytenly Posts: 710member
    boredumb wrote: »
    If you tell the public first, aren't you telling the company/author at the same time?
    I can't see why it's a bad thing to tell everyone as soon as possible, 
    unless you think it would spoil the tea and crumpets, gentleman's handshake atmosphere
    we all expect in tech...
    I didn't see a /s anywhere here so I'm going to assume this ridiculous comment is genuine?

    You don't see why it's a bad thing to tell the hacking community about an exploit - and how to use it - before notifying the company that can close the exploit? Are you serious??? It should be obvious to anyone smart enough to turn on a computer what the difference is and why it's a bad thing.

    When someone discovers an exploit, the normal, responsible thing to do is to notify the author (in this case Apple) that you've discovered an exploit - and explain to them that you will be going public with your discovery in 2 weeks? 1 month? 60 days? This puts pressure on the company to do something to mitigate the exploit - so that when its announced, Apple can also announce that they have already created a patch for the problem and everybody is safe and protected. By not giving the author time to analyze the exploit, create a fix or workaround, test the fix and prepare it for distribution - you are giving hackers the ability to use the exploit to compromise, gain access to, or perform many other nefarious actions on a very large number of computers!

    But that's no big deal to you, right? You don't own a Mac or you personally are able to protect your system - so who gives a shit about the millions of normal users out there? Do they deserve to get hacked because they're not as smart as you? If so - that would make you as big an a-hole as Todesco!

    Todesco should be arrested and charged for doing something so irresponsible. I think people who discover an exploit should be required to notify the author/owner of the software at least 30-days before releasing the details of the vulnerability anywhere else - with possible exceptions for endpoint security companies (they could be notified anytime within the 30-day window). Someone like Todesco, who chooses NOT to do that should be held liable (and prosecuted) for anyone that gets hacked using the exploit anytime during those first 30 days.
  • Reply 37 of 92
    Is your comment is some kind of defensive shield magic?  For who?  Help me understand why your kind of comment is posted.  It says that criticism of Apple in any form should be considered enemy fire.

    No it doesn't. It says contrarians take the opposite position for the sole purpose of trolling, regardless of how indefensible or illogical that position may be. I see it in the forums all the time as stubborn intransigence, even after being soundly bested in debate.
  • Reply 38 of 92
    boredumbboredumb Posts: 1,418member
    Quote:

    Originally Posted by dasanman69 View Post

    Originally Posted by digitalclips View Post


    You'd also be telling the black hats. Common sense would dictate it is essential to notify the software developer first, be that Google, Microsoft or Apple etc..


    Sadly, common sense isn't all that common.

    To me, the common sense assumption might seem to be that black hats will be figuring it out and/or

    hearing about it fairly quickly, anyway...it's what they do, after all...but maybe they're preoccupied instead.

  • Reply 39 of 92
    tenlytenly Posts: 710member
    lkrupp wrote: »

    Don’t worry about it. Just keep using common sense when downloading software. Download only from trusted sources and companies like the App Store. Don’t click on anything that promises magical things. If it sounds too good to be true it IS. Like all the other chicken little reports about these things they rarely actually materialize to become a major problem.

    Above all don’t listen to the paranoid crowd’s predictions of the Apocalypse. They show up here every time one of these reports gets out, wringing their hands and running around with their hair on fire. Truth is hackers these days are in it for the money. They like attacking corporations where the ROI is highest. Individual’s machines not so much because the data is of limited value. It’s not like the old days where hackers did their thing for the glory of their reputations. Today hacking is a business model.
    Wow! There are far too many generalizations in this e-mail. Educating yourself about how the exploit works can help you avoid it and protect yourself until a patch is actually released. Telling people to not worry about it and just use common sense is irresponsible. It's good advice in general - but it doesn't mitigate every possible attack vector and is a lot to remember for the vast majority of users who use their devices as a tool or appliance and doesn't know (or care to know) about the inner workings as much as those of us that work and play in the IT world do.

    You say "don't worry about it" and that "these things rarely materialize into a major problem". Well "rarely" does not mean "never" and if someone is concerned enough to ask how to protect themselves, they deserve an answer instead of some patronizing words. If you don't know the answer, then let someone that does handle the reply instead of providing false information to set their minds artificially at ease!

    "The truth is hackers these days are in it for the money" is an even more ridiculous statement! *Most* probably are! But definitely NOT all of them! That kind of statement reminds me of a friend that has a friend in law enforcement - and he went around telling anybody that would listen that the cops are doing a blitz on people that fail to stop at stop signs this month. He took that to mean that the cops would ignore all other offenses and got speeding tickets for himself and for 2 of his friends that were dumb (or trusting) enough to believe him! Your advice that hackers are only in it for the money these days is advice of a similar type. I'm sure there are many out there who are doing it to prove themselves, for glory, for a cause they believe in - or maybe they're just "out to get" a specific individual...

    My advice is to find out how this exploit works - and until a fix is released by Apple - take extra precautions to avoid becoming a victim.

    Most of us will probably not be targeted individually - but if you for some reason did get targeted - what would the hacker have access to that would concern you? If it's a big enough concern for you - consider taking that information "offline" temporarily until this exploit is patched - or add an extra level of encryption to it... And if you do end up getting hacked - and lose something important because of it - considering filing a lawsuit against Todesco for his gross negligence in releasing the how-to for this exploit to the hacking community!
  • Reply 40 of 92
    iaeeniaeen Posts: 588member
    boredumb wrote: »
    To me, the common sense assumption might seem to be that black hats will be figuring it out and/or
    hearing about it fairly quickly, anyway...it's what they do, after all...but maybe they're preoccupied instead.

    They might, but they probably wouldn't have in the time it would take Apple to release a fix.

    On the other hand, thanks to this jackass they now know exactly how it works and have some time to put it to use before Apple can roll out a fix.
Sign In or Register to comment.