Researcher discloses Local Privilege Escalation Flaw in Apple Mac OS X

Researchers have discovered a critical local privilege escalation (LPE) vulnerability in the Mac OS X operating system, but Apple will fix only by October.

German researcher Stefan Esser, founder of security audit company SektionEins, has discovered a local privilege escalation (LPE) vulnerability in the Mac OS X operating system that affects OS X 10.10.x. Esser decided to take the full disclosure the vulnerability without previously notifying it to Apple, but it seems that the company was already aware of the flaw in the Mac OS X system because it was reported months ago by the a South Korean researcher known as “beist.”

The flaw resides in a feature introduced by Apple to the dynamic linker “dyld” with the release of OS X 10.10, the vulnerability is related to the environment variable DYLD_PRINT_TO_FILE, which enables error logging to arbitrary files.

“When this variable was added the usual safeguards that are required when adding support for new environment variables to the dynamic linker have not been used. Therefore it is possible to use this new feature even with SUID root binaries. This is dangerous, because it allows to open or create arbitrary files owned by the root user anywhere in the file system. Furthermore the opened log file is never closed and therefore its file descriptor is leaked into processes spawned by SUID binaries. This means child processes of SUID root processes can write to arbitrary files owned by the root user anywhere in the filesystem. This allows for easy privilege escalation in OS X 10.10.x.” Esser reported in a blog post.

Esser has published technical details of the security flaw describing the way to exploit it to gain full privileges on the target system. The researcher also provided a full Proof of Concept Exploit that gives the executing user a local root shell.

The problem for Mac OS X users is that Apple only fixed the vulnerability in the beta versions of OS X El Capitan 10.11, the fix for another version, including the current OS X 10.10.4 or the beta version of OS X 10.10.5. OS X 10.11, is expected to be released by October.

Esser has revealed that the local privilege escalation flaw also affects jailbroken iPhones running iOS 8.x.

Apple users can wait for the fix or install SUIDGuard, a kernel extension that adds mitigations to protect SUID/SGID binaries.

Pierluigi Paganini

(Security Affairs – Bartalex, macro)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.