German researcher Stefan Esser, founder of security audit company SektionEins, has discovered a local privilege escalation (LPE) vulnerability in the Mac OS X operating system that affects OS X 10.10.x. Esser decided to take the full disclosure the vulnerability without previously notifying it to Apple, but it seems that the company was already aware of the flaw in the Mac OS X system because it was reported months ago by the a South Korean researcher known as “beist.”
The flaw resides in a feature introduced by Apple to the dynamic linker “dyld” with the release of OS X 10.10, the vulnerability is related to the environment variable DYLD_PRINT_TO_FILE, which enables error logging to arbitrary files.
“When this variable was added the usual safeguards that are required when adding support for new environment variables to the dynamic linker have not been used. Therefore it is possible to use this new feature even with SUID root binaries. This is dangerous, because it allows to open or create arbitrary files owned by the root user anywhere in the file system. Furthermore the opened log file is never closed and therefore its file descriptor is leaked into processes spawned by SUID binaries. This means child processes of SUID root processes can write to arbitrary files owned by the root user anywhere in the filesystem. This allows for easy privilege escalation in OS X 10.10.x.” Esser reported in a blog post.
Esser has published technical details of the security flaw describing the way to exploit it to gain full privileges on the target system. The researcher also provided a full Proof of Concept Exploit that gives the executing user a local root shell.
The problem for Mac OS X users is that Apple only fixed the vulnerability in the beta versions of OS X El Capitan 10.11, the fix for another version, including the current OS X 10.10.4 or the beta version of OS X 10.10.5. OS X 10.11, is expected to be released by October.
Esser has revealed that the local privilege escalation flaw also affects jailbroken iPhones running iOS 8.x.
Apple users can wait for the fix or install SUIDGuard, a kernel extension that adds mitigations to protect SUID/SGID binaries.
(Security Affairs – Bartalex, macro)