Mac OS X: It's possible to gain root on any Mac with just a USB thumb drive

in General Discussion edited January 2014
There's an extremely big security flaw in all versions of Mac OS X: all a user needs to do to gain access on any computer, on any edition of the OS up to 10.5.6. Even worse, it's easy for someone to use the exploit: all a potential hacker has to do is to copy one disk image to any flash drive. This extremely dangerous exploit uses the kernel to gain entry, which means it can't be updated until 10.5.7 comes out, if it is updated. Fortunately, there's an easy "patch", which I'll detail later. Here's the readme for the exploit, which shows how easy it is to get this working:


RootIt: How To

Needed: RootIt disk image (Download link later...), flash drive (at least 16mb)

1) Insert your flash drive, open Disk Utility.

2) Click on your flash drive, click the partition tab and partition it with the following settings: 1 partition, any name (it will be changed later),"Mac OS Extended (Journaled)", and MBR (under "Options").

3) From Finder, drag the RootIt disk image into the pane on the left. Select the RootIt disk image in the pane, click the images menu, and click "scan image for restore".

4) Click your flash drive once again, and click the restore tab. For the source, drag the RootIt disk image from the left onto the text field. For the destination, drag the newly created partition on your flash drive -- it should be directly under your flash drive and indented slightly. Check "erase destination", and click restore.

5) Wait till the restore finishes. If the restore succeeded, your flash drive will now be named "RootIt v1.0" and have a gun icon. It's vital that you don't change the name.

6) All you need to do is to plug the flash drive in the computer you want to gain access to, and double click the RootIt icon (the one with the bullets) on your flash drive. The first step can take up to 30 seconds, and then you will see some text scroll by. When you see "bash-3.2#" (your numbers might be different) and a flashing cursor, you have full root access, meaning you can read and write any file on the hard drive. Double check this by typing "whoami" and hitting enter; if you did everything correctly, it should return root.

7) If it doesn't work: double check your install, and your download. Check the error message; it's possible that that exploit has been patched. Works on 10.5.6 and every Leopard release; not tested on 10.4 and 10.3 but it's extremely likely that this works.

It's almost too easy. Here's how to fix it: grab the file from above. Don't worry; it won't do anything bad to your system, as long as you don't run the binary; even then, gaining root access to your own computer isn't a huge security risk. Unzip the download and mount the disk image. In the disk image is a folder called .Vitals; it is hidden, so you'll need to show hidden files or use Finders "Go To Folder" option under the Go menu; just Google it. In the hidden vitals folder is another disk image, named "x.dmg" (without quotes). Copy the disk image and paste it in your /Volumes/ folder. Do NOT mount it. COPY the disk image labeled "x.dmg" and paste it in your /Volumes/ folder. Once you have, right click on it and click "Get Info". Rename this file to just "x", without the ".dmg". You must do this from the "Get Info" pane, otherwise OS X will just hide the extension. Once you're done, fire up Terminal and type "sudo chmod 000 /Volumes/x", without the quotes. Effectively, what the does is make it so nobody can access /Volumes/x, which is where the exploit is hardwired to. If somebody were to try to pull off the exploit on your computer, it would fail.

I urge everyone to do this fix as soon as possible. I myself was alerted to this exploit by someone using it on my own computer systems. Until this is patched in the next update, this is the best way to stop the exploit.

The source code itself has NOT been released; if it had, then any program would be able to gain root access on your computer, allowing malware and viruses to spread. However, at this point, the only form of this exploit is in this form, where an actual human must initiate it and type any commands himself. If the source code is released, it's uncertain whether my patch would work or not. We'll just have to wait and see.

Mac OS X secure? Well, mostly. But sometimes little things slip through the cracks. While a big security exploit in OS X is unusual, they do happen, and the best thing to do is to prepare ahead.

More information:


The fifth, he said, "exploits a local arbitrary kernel memory overwrite in the HFS IOCTL handler. The vulnerability is a little under four years old, and is present in all version of Mac OS X Tiger and Leopard (and Snow Leopard betas), that is, OS X >= 10.4.0. The bug is seemingly caused by a kernel developer placing a piece of code that should only be reachable from within the kernel itself, however, it is possible to reach the offending piece of code with user-supplied arguments, which in turn are used in two calls of bcopy() with the user-supplied argument as the source and destination pointer respectively. This permits a user land process to overwrite an arbitrary kernel memory address with user supplied data and execute arbitrary code with kernel level privileges."



  • Reply 1 of 2
    MarvinMarvin Posts: 14,430moderator
    If such an exploit exists then you just need to make a folder or file in /Volumes with that name but the exploit could easily be customized not to use that volume name.

    No need to download any file to fix it, least of all one that earns the uploader money per download. Can I presume that's why you masked it with a tinyurl?

    I don't know if it's the same as this one or not:
  • Reply 2 of 2
    cifer17cifer17 Posts: 3member
    Yeah, it's not my download, if someone wants to download and reupload it somewhere else, I'll update the link. I just can't do it right now, I'm on my phone.



    If such an exploit exists then you just need to make a folder or file in /Volumes with that name but the exploit could easily be customized not to use that volume name.

    The actual binary is hardwired to use that name, so if someone were to customize the exploit, they would need the source code... which from what I know is unreleased. But yeah, if the source code is released, it could probably be easily customized.
Sign In or Register to comment.