A vulnerability has been found in a tool being used to apply fixes to software flaws affecting Apple.
Vulnerability researchers behind the "Month of Apple Bugs" project (MOAB), which aims to publish one flaw per day throughout January in software used on Apple platforms, announced on Monday that they have found a vulnerability in a tool which is used by a group involved in finding fixes for the flaws.
The application, called Application Enhancer (APE), is used by the "Month of Apple Fixes" project (MOAF) to apply run-time patches.
APE is a third-party piece of software, written by Unsanity, designed to "enhance and redefine" the behaviour of applications running on Apple platforms. APE loads plug-ins containing executable code into active applications. MOAF uses APE to apply run-time patches to the flaws found by MOAB. The patches insert themselves into applications when they run, find the vulnerable code, and apply themselves.
On Monday, MOAB published a flaw in APE. The flaw allows local users to gain root privileges on the system, allowing them to compromise machines. This can be achieved either by patching the APE binary or by replacing it. According to MOAB, this binary is executed with root privileges, yet the file is writable, as is the whole tree under /Library/Frameworks, which allows the weakness to be abused for privilege escalation.
A remote hack is also possible, according to Landon Fuller, the open-source developer leading the MOAF project, who has been relying on APE for his work. The APE vulnerability could be combined with a remote exploit to gain root privileges from an administrator account without user interaction, Fuller said in his blog. There are also a number of alternative exploit conditions that could occur because other directories in /Library are writable by administrator accounts.
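The condition the article describes, a root-executed binary sitting in a tree that non-root accounts can write, is something an administrator can check for directly. The script below is an added example, not code from the article, MOAB, MOAF or Unsanity; it builds a constructed sample tree (the paths and file names are made up) and lists every entry under it that group or world can write, which is the audit one would run against /Library/Frameworks on a real system.

```shell
#!/bin/sh
# Added example (not from the article): find files and directories in a tree
# that group or others may write. The sample tree below is constructed.
set -u

# Print every entry under $1 that is group- or world-writable.
find_writable() {
  find "$1" \( -perm -g=w -o -perm -o=w \) -print | sort
}

# Count such entries, for use as a pass/fail check in scripts.
count_writable() {
  find_writable "$1" | wc -l | tr -d ' '
}

# Build a constructed framework-like tree so the check runs offline.
build_sample_tree() {
  sample=$(mktemp -d)
  mkdir -p "$sample/Frameworks/Example.framework/Resources"
  : > "$sample/Frameworks/Example.framework/Example"        # stand-in for a binary
  : > "$sample/Frameworks/Example.framework/Resources/Info.plist"
  chmod -R go-w "$sample"                                   # baseline: nothing writable
  # Introduce the weak condition: a writable binary and its containing directory.
  chmod g+w "$sample/Frameworks/Example.framework/Example"
  chmod g+w "$sample/Frameworks/Example.framework"
  printf '%s\n' "$sample"
}

SAMPLE=$(build_sample_tree)
echo "Writable entries under $SAMPLE:"
find_writable "$SAMPLE"
echo "Count: $(count_writable "$SAMPLE")"
# Remediation on a real tree: restore root ownership and remove group/world
# write bits (chown -R root:wheel, chmod -R go-w) once you have confirmed
# nothing legitimate depends on them.
```

Run it as-is to see the two constructed findings; point `find_writable` at a real framework directory to audit it. A non-zero count for a tree whose contents run as root is the condition worth fixing.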
In its advisory about the APE vulnerability, MOAB said that people should not use Application Enhancer.
"[Application Enhancer is] flawed, and not just by this particular issue," said MOAB.
However, Fuller responded by emphasising that it was only a proof-of-concept flaw, and arguing that it was superfluous to a remote hack. Any APE exploit must be combined with another remote exploit to be effective, and a computer could be compromised by the use of a remote exploit alone.
"The vulnerability is real — it is possible for a local administrator account on the computer to gain root access, without any user confirmation, by replacing pieces of Application Enhancer's installation," said Fuller in his blog. "While this cannot be exploited remotely, it could be used in combination with a remote exploit to acquire escalated privileges. However, a remote exploit alone is sufficient to allow an attacker full access to your important personal data."
Fuller added that a vendor-supplied update is always preferable to a third-party patch. He has devised a short workaround to address the problem, but at the time of writing had not issued or identified a patch.