Serious Security Vulnerability - Rootpipe

Discussion in 'OS X Yosemite (10.10)' started by Tucom, Feb 28, 2015.

  1. Tucom macrumors 65816

    Tucom

    Joined:
    Jul 29, 2006
  2. maflynn Moderator

    maflynn

    Staff Member

    Joined:
    May 3, 2009
    Location:
    Boston
    #2
    It's an actual vulnerability if you just google os x rootpipe. All the articles are dated Nov 2014. So two things may be surmised. It was a flash in the pan type of hysteria, i.e., it made major news then people got bored with it because it wasn't that feasible, or Apple patched it. I'm inclined to believe the latter, though I failed to see anything on the google about apple addressing it.

    The vulnerability is such that it does not appear to allow people remotely to escalate their privileges, so someone has to be at the desk, so I'd think in the world of security it may not be the most important but to be honest, I haven't read up on it that much.
     
  3. Tucom thread starter macrumors 65816

    Tucom

    Joined:
    Jul 29, 2006
    #3

    Thanks for the reply. Yeah that's how I came across this article. As for Apple patching it, as I just read on Apple's own forums, we most likely would have heard something about it either from the hacker himself or Apple letting us know that the vulnerability has been patched. So I highly doubt it has been, but I hope I'm wrong.
     
  4. simonsi macrumors 601

    simonsi

    Joined:
    Jan 3, 2014
    Location:
    Auckland
    #4
    It's a real vulnerability but in the real world you need to already have a compromised machine in that you need:

    An admin account AND
    Remote access or local (physical) access.

    If someone already has remote access into an Admin account on your machine then them escalating that access to root is, frankly, the least of your problems.

    This vulnerability cannot escalate a user account to admin, nor can it create a remote access route where none exists.

    So I'd go with the "temporary hysteria" theory...
     
  5. Tucom, Feb 28, 2015
    Last edited: Feb 28, 2015

    Tucom thread starter macrumors 65816

    Tucom

    Joined:
    Jul 29, 2006
    #5
    Problematic still, and should still be patched ASAP by Apple.

    I just wonder how much of an issue it would be for a user who would run a regular Admin account and any real world risk associated with that?

    Do you know if it would be advisable to, at least until this gets patched, run a non-Admin account, or is there really no need to worry?

    And you say "remote access route where none exists" - just curious what you mean by that, could you explain further? Unless you mean if no remote access is already established and you happen to run across this Rootpipe vulnerability on your Mac, then there's nothing it can really do? I'm honestly curious about this whole thing, and security of OS's in general.
     
  6. simonsi macrumors 601

    simonsi

    Joined:
    Jan 3, 2014
    Location:
    Auckland
    #6
    Apple will patch it, may have done so, may or may not announce when they have done so.

    The exploit raises the permissions of an existing Admin account on your machine to Root. You can do this any time by command and you won't "run across it" accidentally.

    For a hostile party to exploit it they must compromise an existing Admin account, either by accessing it on your keyboard, or by creating or compromising an existing remote login to an Admin account on your machine.

    So if you don't leave your machine unattended and unsecured, you don't give out your Admin account password, and don't run an unsecured remote access facility then you have little to worry about.

    The point I was making was that if someone has compromised a remote access method onto your machine then they can do enormous damage to YOU without worrying about this exploit, that is only useful if they want to do something with your machine.
     
  7. Tucom thread starter macrumors 65816

    Tucom

    Joined:
    Jul 29, 2006
    #7
    But again, if it were patched already we probably would have heard about it by now from either Apple themselves, or if not Apple, then most likely from the hacker/security tech himself. Again, I hope I'm wrong and I hope that it has been patched already.

    I know there's sudo. Regarding not running across it accidentally, how would you know if your Admin account has been escalated then, like what would make it obvious if you're dealing with this Rootpipe issue or anything else similar with mal intent?

    Is there a way to totally disable any remote login APIs or frameworks or anything relating to it?

    Yeah that's what I figured you meant, but what kind of damage? Personal info, keylogs and thus further bank account info etc. stuff like that without "having to worry about this exploit"?
     
  8. simonsi macrumors 601

    simonsi

    Joined:
    Jan 3, 2014
    Location:
    Auckland
    #8
    If it has been escalated then it is already too late depending on what intent the attack had. Remember nothing has been seen in the wild about this, the vulnerability is there but only a permissions escalating exploit, why someone would use it and what they would do with the access if they had it is unknown and may vary wildly from attack to attack. It is a bit like losing your front door key to a criminal, what kind of harm might be done depends on the criminal, not on how you lost your key.

    Probably not if you still want remote access to your machine (e.g. via BacktoMyMac or Teamviewer etc). Best IMHO to run Little Snitch and check what is trying to send data to/from your machine and block/allow on that basis.

    See above, depends on what they want to achieve. No examples to date have been seen in real usage. TBH much easier to harvest via phishing email than to use this exploit.
     
  9. Tucom thread starter macrumors 65816

    Tucom

    Joined:
    Jul 29, 2006
    #9
    But in case it isn't obvious, is there any way at all to tell if you've been compromised like this?

    Thank you man for all this info, I'm still learning quite a bit about the in depth of OS security, always new things to learn.
     
  10. simonsi macrumors 601

    simonsi

    Joined:
    Jan 3, 2014
    Location:
    Auckland
    #10
    No idea, you are speculating about something that hasn't been seen yet.

    With such an attack the perp could cover their tracks with ease so maybe you wouldn't ever know...
     
  11. Tucom, Mar 3, 2015
    Last edited: Mar 3, 2015

    Tucom thread starter macrumors 65816

    Tucom

    Joined:
    Jul 29, 2006
    #11
    Ok, well given what you mentioned about the prerequisites needed to accomplish such an attack I guess there's really nothing to worry about?

    Also, just curious, if it hasn't been seen yet, how do you know they could cover their tracks "with ease" ?


    May look into shutting ports down as I could care less about remotely interacting with my Macs. One Mac is already non-Admin, but may go ahead and just go Admin, IDK. Do you run your accounts as Admin or non-Admin and why, if you don't mind me asking?
     
  12. simonsi macrumors 601

    simonsi

    Joined:
    Jan 3, 2014
    Location:
    Auckland
    #12
    Because with root access you can pretty much replace or rewrite any log file you choose...

    I run my account as Admin with a strong password as one layer of security, Gatekeeper set to Trusted Developers and I practice safe computing habits...among other things.
     
  13. mgroover macrumors newbie

    Joined:
    Oct 3, 2013
    #13
  14. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #14
  15. mgroover macrumors newbie

    Joined:
    Oct 3, 2013
    #15
    Thanks for the correction :)
     
  16. Zedcars macrumors 6502

    Zedcars

    Joined:
    Apr 5, 2010
    Location:
    Brighton, UK
    #16
    Does anyone know what the real-world chances of being targeted by this vulnerability exploit for an average non-professional user? Is this really that likely?

    I would like to know, in layman's terms, how you can be targeted. Would just logging out as admin and logging in as a standard user be enough to prevent an attack?
     
  17. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #17
    For instance, in a computer lab environment in schools this is a huge problem. It is trivial to get root privileges. Running as a non-admin account doesn't protect you in 10.9-10.10.2 but seems to do so in 10.7-10.8.5.
    On a home computer this is of much less concern.
     
  18. simonsi macrumors 601

    simonsi

    Joined:
    Jan 3, 2014
    Location:
    Auckland
    #18
    Firstly the attacker needs a login opportunity, either by an existing remote access facility or access to the machine. Prevent or control those aspects and there is no possibility of a rootpipe attack. Once in, rootpipe can be used to escalate admin privileges to root but it cannot escalate standard to admin, or standard to root.

    There are some other limitations on specific versions of OS X as stated.

    Rootpipe can be viewed as a way to seriously compromise a target machine, but only if its security is compromised by access (remote or physical), in the first place.
     
  19. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #19
    It absolutely is possible to get root privileges, even a root shell, from a standard user in 10.9-10.10.2.
     
  20. simonsi macrumors 601

    simonsi

    Joined:
    Jan 3, 2014
    Location:
    Auckland
    #20
    Ok, that wasn't in the last info I had. Good catch and another reason to get to 10.10.3...

    TBH though, once your machine is compromised by access the OS can be wiped so a moot point.
     
  21. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #21
    Your last point is true, but like I said, in an environment such as school labs, where you have lots of authorized non-admin users, and systems that should be rather locked down, this is an especially concerning problem.
     
  22. Zedcars, Apr 16, 2015
    Last edited: Apr 16, 2015

    Zedcars macrumors 6502

    Zedcars

    Joined:
    Apr 5, 2010
    Location:
    Brighton, UK
    #22
    Oh ok, thanks for the info. Steve Gibson covered this very briefly in Security Now but he didn't mention that a standard user in 10.9.0 - 10.10.2 would be vulnerable. In fact that was where I'd got the suggestion that being logged in as standard user would make you safe from this problem.

    I know a few educational institutions that are slow when it comes to updating their Mac OS's and I'd be willing to bet this is common in most institutions the world over. I can think of one in particular who are still on Snow Leopard!
     
  23. sjinsjca macrumors 68000

    sjinsjca

    Joined:
    Oct 30, 2008
    #23
    It would be nice if Apple would patch things going back several generations. But they have pointed out (https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/), "Apple indicated that this issue required a substantial amount of changes on their side, and that they will not back port the fix to 10.9.x and older."

    10.10 Yosemite did introduce a slew of new features and frameworks, including some really low-level stuff (for example in the storage frameworks, in which physical I/O is entirely abstracted now, and in the communications frameworks, which are hugely different and, for example, bring Handoff, AirDrop and SMS capability to the Mac), and the Swift programming environment, and application management (such as automatic, background app updates and 2-factor per-app authentication).

    Apple has another point: Any computer that runs 10.9 or 10.8 or even older can run 10.10, and the upgrade is free (unlike most Windows OS updates) and pretty painless. No app reinstallations or data recovery are needed after the update (though most applications have had their own updates to take advantage of the new ways of doing things and to fix incompatibilities), though the built-in Time Machine backup functionality makes it easy to do so when necessary. There are broad performance improvements as well as security improvements. And by now the various bugs introduced in such a massive update have been addressed. It's a fantastic and thoughtfully-designed OS; something new about it delights me every day.

    The simplest and best path to ensuring a Mac is running the safest code is to upgrade, which IIRC any Mac manufactured in the past five or so years can do for free. But like many here, I'd encourage Apple to back-port security fixes, and I'd personally like to see them go very far back when feasible... though for technical reasons it sometimes won't be. My sleek, 12-year-old PowerMac tower machine still runs like a hose but hasn't seen an update in quite a while. And being based on the old PowerPC chips, it won't. But it sure is a magnificent specimen!
     
  24. Rigby macrumors 601

    Joined:
    Aug 5, 2008
    Location:
    San Jose, CA
    #24
    The vulnerability can be exploited in combination with other attack methods. For example, Adobe just patched a critical vulnerability (CVE-2015-3043) in the Flash plugin for Windows and Mac that was actively being used by black hats to remotely execute code on the victims' machines if they went to a specially prepared web page (this kind of vulnerability is discovered quite frequently in browsers and plugins). That code could use vulnerabilities like Rootpipe to gain elevated access rights and make modifications to your system, e.g. to install a rootkit.
    Using a standard user account for day-to-day activities is always a good idea to make it more difficult for malware to modify critical parts of the system.
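A triage helper for the two questions the thread keeps circling back to (chrfr's version ranges in #17/#19 and Rigby's standard-account advice in #24): given an OS X version string and whether the account is admin or standard, classify exposure as the thread describes it. This is an added example, not code from the thread or from Apple; the version ranges are the ones the posters state (10.7-10.8.5 standard accounts protected, 10.9-10.10.2 any account exposed, 10.10.3 fixed), and the live wrapper assumes the real `sw_vers` and `dsmemberutil` tools, so it only reports anything on a Mac.

```shell
#!/bin/sh
# Added example (not from the thread): classify Rootpipe exposure from an
# OS X version string plus account role. The classification is a pure
# function so it runs on any POSIX shell; only the --live wrapper needs a Mac.

# vernum 10.10.2 -> 101002, so dotted versions compare as plain integers.
vernum() {
    maj=${1%%.*};  rest=${1#"$maj"};   rest=${rest#.}
    min=${rest%%.*}; rest=${rest#"$min"}; rest=${rest#.}
    pat=${rest%%.*}
    [ -z "$min" ] && min=0
    [ -z "$pat" ] && pat=0
    printf '%d%02d%02d\n' "$maj" "$min" "$pat"
}

# rootpipe_risk VERSION ROLE   (ROLE is "admin" or "standard")
# Prints: patched | exposed | mitigated | unknown
rootpipe_risk() {
    v=$(vernum "$1")
    if   [ "$v" -ge "$(vernum 10.10.3)" ]; then echo patched     # fix shipped in 10.10.3
    elif [ "$v" -ge "$(vernum 10.9)" ];    then echo exposed     # 10.9-10.10.2: any account, per chrfr
    elif [ "$v" -ge "$(vernum 10.7)" ];    then                   # 10.7-10.8.5: admin only
        if [ "$2" = admin ]; then echo exposed; else echo mitigated; fi
    else echo unknown                                             # releases the thread does not cover
    fi
}

# On a Mac, report whether the current user is in the admin group.
# dsmemberutil prints "user is a member of the group" or "... is not a member ...".
current_role() {
    if command -v dsmemberutil >/dev/null 2>&1; then
        case $(dsmemberutil checkmembership -U "$USER" -G admin 2>/dev/null) in
            *"is not a member"*) echo standard ;;
            *"is a member"*)     echo admin ;;
            *)                   echo unknown ;;
        esac
    else
        echo unknown
    fi
}

# Usage on a Mac:  sh rootpipe_triage.sh --live
if [ "${1:-}" = "--live" ]; then
    ver=$(sw_vers -productVersion)
    role=$(current_role)
    echo "OS X $ver, $role account: $(rootpipe_risk "$ver" "$role")"
fi
```

"mitigated" only means the thread's posters reported standard accounts as protected on those releases; the upgrade to 10.10.3 is still the actual fix.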
     