A Sweden white-hat has found a serious security flaw in Apple Yosemite OS X that could be exploited by an attacker to take control of your PC.
The Swedish hacker Emil Kvarnhammar at security firm Truesec discovered a privilege escalation vulnerability in the Yosemite OS X, which allows the attacker gain the root access level on the targeted machine.
Kvarnhammar dubbed the vulnerability “rootpipe, it affects the Yosemite OS X release (version 10.10), which is the last one related by Apple. In time I’m writing the company hasn’t fixed the flaw yet, for this reason Truesec hasn’t disclosed the details for the exploitation of the vulnerability.
“It all started when I was preparing for two security events, one in Stockholm and one in Malmö,” Kvarnhammar explained. “I wanted to show a flaw in Mac OS X, but relatively few have been published. There are a few ‘proof of concepts’ online, but the latest I found affected the older 10.8.5 version of OS X. I couldn’t find anything similar for 10.9 or 10.10.”
The researcher was searching for a vulnerability that would affect the newer versions of Apple OS X.
“I started looking at the admin operations and found a way to create a shell with root privileges,” he says. “It took a few days of binary analysis to find the flaw, and I was pretty surprised when I found it.”
The researcher tested to verify the presence of the vulnerability in version 10.8.5 of the Apple OS and it was working, meanwhile it wasn’t working on 10.9.
The expert noticed that the various OS designed by Apple are based on the same architecture apart a few modifications, this circumstance allowed him to exploit the flaw also in the last Yosemite OS X release.
“I was a bit dejected but continued to investigate,” Kvarnhammar said. “There were a few small differences [in later releases] but the architecture was the same. With a few modifications I was able to use the vulnerability in the latest Mac OS X, version 10.10.”
When he’s trying to find vulnerabilities in an OS, he said, he tries to get a feel for how the developer was thinking. In this case, Apple had migrated and moved some functions, but basically the same flaws remained.
“Normally there are ‘sudo’ password requirements, which work as a barrier, so the admin can’t gain root access without entering the correct password. However, rootpipe circumvents this,” said the expert.
He says he reported the vulnerability to Apple the day after he discovered it.
Apple hasn’t confirmed the presence of the flaw officially after the announcement of Truesec, anyway the company agreed to a date when it can publish details of the hole.
“For our part, there was no discussion: we do responsible disclosure,” he said. “But we also wanted to announce that we found a serious flaw; there is a big risk here.”
“In our dialogue with Apple, we agreed on a date for full disclosure. After this date, we can talk about exactly what we found.”
The company will make a full ethical disclosure of the bug in January.
The expert provided a few suggestions to protect Apple Yosemite OS X users from the exploitation of the rootpipe including:
Stay tuned for further information.
Security Affairs – (Apple Yosemite OS X, security)