Researcher unveils new privilege vulnerability in Apple's Mac OS X

The flaw allows attackers to exploit a Mac system for full privilege escalation and take over a machine.
Written by Charlie Osborne, Contributing Writer

A researcher has disclosed a privilege escalation vulnerability in OS X which is yet to be fixed in the latest release of the operating system.

German researcher Stefan Esser from security audit firm SektionEins disclosed the vulnerability on Tuesday. The security flaw affects OS X 10.10.x and relates to new features added by the iPad and iPhone maker in the newest evolutions of the OS, Yosemite and El Capitan.

The vulnerability stems from a new feature of the dynamic linker dyld: the environment variable DYLD_PRINT_TO_FILE, which enables error logging to an arbitrary file.

"When this variable was added the usual safeguards that are required when adding support for new environment variables to the dynamic linker have not been used. Therefore it is possible to use this new feature even with SUID root binaries," Esser explained.

"This is dangerous, because it allows to open or create arbitrary files owned by the root user anywhere in the file system. Furthermore the opened log file is never closed and therefore its file descriptor is leaked into processes spawned by SUID binaries. This means child processes of SUID root processes can write to arbitrary files owned by the root user anywhere in the filesystem."

This, in turn, allows for privilege escalation and PC hijacking to take place.
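The two safeguards Esser's description points to, sketched in C as an added example (this is not dyld, Apple or SUIDGuard code, and the function names are hypothetical): a loader ignores DYLD_ variables when the process runs with elevated IDs, and any log descriptor it opens is marked close-on-exec so spawned children never inherit it.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* A process is "restricted" when its effective IDs differ from its real
 * IDs, which is the case for SUID/SGID binaries. */
int is_restricted(void) {
    return getuid() != geteuid() || getgid() != getegid();
}

/* Remove every DYLD_* entry from envp in place when restricted.
 * Returns the number of entries removed. */
int prune_dyld_env(char **envp, int restricted) {
    int removed = 0;
    char **dst = envp;
    if (!restricted)
        return 0;
    for (char **src = envp; *src != NULL; src++) {
        if (strncmp(*src, "DYLD_", 5) == 0) {
            removed++;              /* skip loader-control variable */
            continue;
        }
        *dst++ = *src;
    }
    *dst = NULL;
    return removed;
}

/* Open a log file only for unrestricted processes. O_CLOEXEC keeps the
 * descriptor out of child processes; O_NOFOLLOW refuses a symlink target. */
int open_log(const char *path, int restricted) {
    if (restricted || path == NULL)
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_APPEND | O_CLOEXEC | O_NOFOLLOW, 0644);
}

int main(void) {
    /* Constructed sample environment, treated as if the binary were SUID. */
    char a[] = "PATH=/usr/bin", b[] = "DYLD_PRINT_TO_FILE=/tmp/constructed.log";
    char *env[] = { a, b, NULL };
    int n = prune_dyld_env(env, 1);
    printf("restricted now: %d, removed: %d, log fd: %d\n",
           is_restricted(), n, open_log("/tmp/constructed.log", 1));
    return 0;
}
```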

The security researcher has released a full technical brief on the vulnerability, a working proof-of-concept (PoC) exploit -- and a warning that executing the code is a danger to systems as it installs a root shell.

Esser says it is "unclear" whether Apple knows about the security flaw or not, as it has already been patched in the first beta versions of OS X El Capitan 10.11, but not in the current release of OS X 10.10.4 or in the current beta of OS X 10.10.5, which has just been released to public beta testers.

The researcher speculates that the fix may be the result of a code cleanup rather than a security sweep, commenting:

"However, if this is the result of a security fix then Apple has once again shown how unsupported their current versions become the moment a new beta is in development."

Whether or not the tech giant knows about the flaw and is planning to release a patch, SektionEins has released the source code of a kernel extension and a digitally signed version which protects users from this vulnerability under the name SUIDGuard. You can download SUIDGuard from GitHub.

In July, Apple released a security update which patched dozens of security flaws in iOS 8.4 and OS X 10.10.4.

ZDNet has reached out to Apple and will update if we hear back.
