New OS X 10.10.5 Privilege Escalation Vulnerability Discovered

[MacRumors]

Just days after Apple patched the DYLD_PRINT_TO_FILE security hole with the release of OS X 10.10.5, a developer has found a similar unpatched exploit that could allow attackers to gain root-level access to a Mac.

Luca Todesco shared information (via AppleInsider) on the "tpwn" exploit on GitHub over the weekend. It affects all versions of OS X Yosemite, including OS X 10.10.5, but does not affect OS X El Capitan.

Todesco did not give Apple a heads up on the vulnerability before sharing it publicly, so it is not clear when Apple will release a patch for machines running OS X Yosemite. As noted by AppleInsider, it is standard procedure (and a courtesy) for security researchers and developers to provide Apple with details on vulnerabilities before publicizing them to prevent hackers from using security holes for nefarious purposes.

According to Todesco, who has also shared what he says is a third-party fix, releasing details on the exploit is no different than releasing an iOS jailbreak, but as Engadget explains, Todesco's actions have the potential to be somewhat more harmful than a jailbreak.

Those are technically true, but they downplay the practical dangers of publishing this info. Many people aren't knowledgeable enough to try third-party safeguards or deal with the possible side effects, and jailbreaks are at least intended for semi-innocuous purposes. A 'surprise' exploit for the Mac only really serves to give attackers time that they wouldn't otherwise have.

It took Apple less than a month to release OS X 10.10.5 to fix the DYLD_PRINT_TO_ACCESS vulnerability after it was first publicized, but during the time between its discovery and the launch of the fix, an exploit using the vulnerability was discovered in the wild.

Ahead of a fix for this latest vulnerability, OS X Yosemite users can protect themselves by downloading apps solely from the Mac App Store and from trusted developers.

Article Link: New OS X 10.10.5 Privilege Escalation Vulnerability Discovered

 

[blackwhite999]

Im downloading to update...

 

[jmh600cbr]

Here we go again

 

[Avenged110]

Should I assume this doesn't affect Mavericks?

 

[JonneyGee]

This one doesn't appear to be too worrisome. It's good to hear that El Capitan is already protected against it.

 

[PowerBook-G5]

I read somewhere that he only gave Apple a few hour's notice before releasing it. He's a scumbag. And I have to say that the writer of this article is sort of a scumbag if that screenshot is the code for the vulnerability (If this is true, sorry Juli).

 

[pepan]

I read somewhere that he only gave Apple a few hour's notice before releasing it. He's a scumbag. And I have to say that the writer of this article is sort of a scumbag if that screenshot is the code for the vulnerability (If this is true, sorry Juli).

The screenshot is just a proof that compiling some code and running it works. However, not giving a company any chance to release a fix is something only a complete jerk would do.

 

[AngerDanger]

Never trust a person whose last name is an anagram for "scooted".

 

[alchemistmuffin]

Note that this won't be patched AT ALL until AFTER El Capitan is released most likely.

10.10.5 is the final main update to Yosemite from what I heard via Apple Developer Support. They are soley focused on El Capitan from here on out.

That may change though (because this is Apple under Tim Cook. Anything can happen) Apple might still patch this via supplemental update.

 

[bradl]

I read somewhere that he only gave Apple a few hour's notice before releasing it. He's a scumbag. And I have to say that the writer of this article is sort of a scumbag if that screenshot is the code for the vulnerability (If this is true, sorry Juli).

close.. the screenshot is of the code being compiled by a non-root user and executed by the non-root user, showing how the privileges are escalated to become root.

Doesn't take away the fact that the guy was an idiot for releasing this the way he did.

Funnily enough, @i0n1c has a patch that can be applied to this.

BL.

 

[Avenged110]

...Apple might still patch this via supplemental update.

Realistically, they have no reason not to.

 

[gmanist1000]

Note that this won't be patched AT ALL until AFTER El Capitan is released most likely.

10.10.5 is the final main update to Yosemite from what I heard via Apple Developer Support. They are soley focused on El Capitan from here on out.

That may change though (because this is Apple under Tim Cook. Anything can happen) Apple might still patch this via supplemental update.

They can easily just patch it with a security update, no need for 10.10.6 or anything like that.

 

[bradl]

Realistically, they have no reason not to.

I have to disagree here. This would definitely need to be patched via a supplemental update or a security patch.

This does require someone to have physical access to the Mac, or an account on the Mac (even the guest user will work), plus access to a compiler. With those, then this could be compiled and privileges escalated.

Or worse: someone could compile this, put the compiled binary up for downloading, which then only access to an account on a Mac would be needed (the guest account would work, as it is available if you have Find My Mac enabled). SSH would have to be enabled, as well as knowing the IP address of your Mac, and have the guest account available to SSH. The probability of all of that happening is low, but still possible.

So for those that are worried, you now have the vulnerability, and the attack vector. Now, the impact.

The attacker would be root. They can do anything to your Mac: reformat it, copy off your keychain, any other sensitive data, music, movies, etc. At that this point, they own your Mac.

The worst thing they could do is reboot it. If they are on as the guest user, the account is wiped after the guest user logs out. But for the duration that they are running this, you and the Mac are completely vulnerable.

there may be a patch out for this, but I'm not entirely sure. Up to Apple.

BL.

 

[Crosscreek]

I've been using OS X 10.11 to avoid 10.10.5. I get a weird message for allowing and an app to be accessed by outside server.

Don't get it in El Capitan.

 

[bradl]

I've been using OS X 10.11 to avoid 10.10.5. I get a weird message for allowing and an app to be accessed by outside server.

Don't get it in El Capitan.

Doubt this has anything to do with it. Do you have XCode installed, if only at least to get access to gcc?

BL.

 

[Avenged110]

I have to disagree here. This would definitely need to be patched via a supplemental update or a security patch.
...
there may be a patch out for this, but I'm not entirely sure. Up to Apple.
BL.

I agree, I was saying they don't have any valid reason not to release a patch as a supplemental security update considering they have such a nice system for it.

 

[Robert.Walter]

Kudos to the talent that discovered this vulnerability. Boo to the ******* that released it in an unethical way.

(Yes, I know it is the same talented doofus.)

 

[Robert.Walter]

"Ahead of a fix for this latest vulnerability, OS X Yosemite users can protect themselves by downloading apps solely from the Mac App Store and from trusted developers."

Or just install the El Cap public beta.

 

[Satori]

Front page news, surely?

Seems that it is now a race between Apple and malware writers make use of this information.

 

[bradl]

Front page news, surely?

Seems that it is now a race between Apple and malware writers make use of this information.

Again, this isn't of much use unless the attacker has physical or network access to your Mac. That isn't to say that this isn't any less of a vulnerability than those they've fixed, but this one also isn't something that someone can target a Mac with remotely, and instantly have root access.

tl;dr: a lot of variables have to fall into place at the right time for this to have any major impact to a single machine.

BL.

 

[SnarkyBear]

The screenshot is just a proof that compiling some code and running it works. However, not giving a company any chance to release a fix is something only a complete jerk would do.

Apple has, in the past, punished the bearer of bad news. I wouldn't have done it this way, but I don't fault this guy for not going to Apple first.

http://www.huffingtonpost.com/2011/11/08/apple-charlie-miller-security-flaw_n_1082497.html

 

[Rigby]

The screenshot is just a proof that compiling some code and running it works. However, not giving a company any chance to release a fix is something only a complete jerk would do.

Perhaps he had good reasons for doing this. For example, he might have evidence that the bug is already being exploited. If true, people can immdiately use the third-party fix he pointed to rather than waiting around for Apple to fix it. After all, they sometimes takes their sweet time ...

Also, I think his comparison to jailbreaks is apt. Essentially whenever a jailbreak is released, the jailbreakers publish privilege escalation bugs and a nice demo on how to exploit them.

Finally, one should keep in mind that he could just as well have sold the exploit on the black market for a fat check instead of just publishing it and then getting called "complete jerk" as a reward ...

 

[gijoeinla]

Perhaps he had good reasons for doing this. For example, he might have evidence that the bug is already being exploited. If true, people can immdiately use the third-party fix he pointed to rather than waiting around for Apple to fix it. After all, they sometimes takes their sweet time ...

Also, I think his comparison to jailbreaks is apt. Essentially whenever a jailbreak is released, the jailbreakers publish privilege escalation bugs and a nice demo on how to exploit them.

Finally, one should keep in mind that he could just as well have sold the exploit on the black market for a fat check instead of just publishing it and then getting called "complete jerk" as a reward ...

Suspicious of a "third party fix"... Eerily reminds of someone causing a serious incident -- attracting people to the scene of the crime then detonating a bomb...hence the "third party app" fix..

Just saying that this public release of this info could be a set up.

Yikes - they just got thru saying DONT download anything over the net and here this guy is telling you to do just that.

 

[Rigby]

Suspicious of a "third party fix"... Eerily reminds of someone causing a serious incident -- attracting people to the scene of the crime then detonating a bomb...

Just saying that this public release of this info could be a set up.

Nonsense. The source of the fix is open. You can inspect it yourself (lots of others already have). It's pretty small and easy to understand.

 

[Crosscreek]

Doubt this has anything to do with it. Do you have XCode installed, if only at least to get access to gcc?

BL.

No I don't. Tried to track it down in the console and system log with out any luck. Just says unknown app. It could" get past the firewall without permission.