
Researcher: OS X 'Rootpipe' attack fix not reliable, attacks possible
Posted by NewsPoster (MacNN Staff, member since Jul 2012), Apr 19, 2015, 11:00 AM

Researchers from security firm Synack have determined that Apple's latest patch for the "Rootpipe" privilege escalation flaw leaves the bug largely unfixed, even on OS X 10.10 "Yosemite." Patrick Wardle, a former NSA staff member, examined the new patch and found a new path around Apple's fix, leaving the computer exposed to hostile users with local access. In other developments, malware abusing the flaw is loose in the wild and has been for some time, but it is a discrete app and still not a remote attack.

The exploit takes advantage of a flaw in OS X's Admin framework, which discoverer Emil Kvarnhammar of TrueSec says "was probably to serve the 'System Preferences' app and systemsetup (command-line tool)" but which, he notes, can be used by any user process. The procedure for the attack, as well as the discovery process, is laid out in a detailed blog post he published earlier this year.

Kvarnhammar calls the exploit "a local privilege escalation to root, which can be used locally or combined with remote code execution exploits." The code still has to be launched by an authenticated, logged-in user, and it seems likely that OS X's default Gatekeeper code-signing policy would stop a malicious app from running unless the user is talked into it by social engineering, the app is distributed by a registered developer with a valid signing identity, or the code is somehow smuggled in through an app on the Mac App Store.

However, if the user has changed the default Gatekeeper setting to allow apps from anywhere, regardless of signing, this is more of an issue. Delivery through a website is theoretically possible if the user can be tricked into approving and running the download, but at first glance the exploit does not appear to be reachable through Flash or Java.

Malware that uses the "Rootpipe" flaw does exist: FireEye found it in September 2014. It is not a remote attack, and it requires the user to run an untrusted application, as noted above.

Wardle said in a blog post that the new attack is a "novel, yet trivial way for any local user to re-abuse rootpipe - even on a fully patched OS X 10.10.3 system." He has reported the flaw to Apple, but has not yet published the technical details of the attack.

Kvarnhammar notes that Apple told him the bug will not be fixed in older versions of the operating system because of the large amount of work required. When we spoke to an Apple representative, that claim was neither denied nor confirmed. Apple told MacNN that fixes for older OS versions are "a low priority," since the risk from the exploit can be mitigated by physical security and "sanitary data acquisition procedures."

The "Reverse Engineering Mac OS X" blog disputes Apple's claim that a backport would take extraordinary effort, and even spells out a fix for Mavericks (OS X 10.9).


( Last edited by NewsPoster; Apr 19, 2015 at 02:18 PM. )
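The version boundaries in the article (no fix coming for releases before Yosemite, Apple's fix in 10.10.3, and a reported local bypass of that fix) are what an administrator actually has to act on. The following POSIX shell script is an added example written for this edit, not code from MacNN, TrueSec, Synack or Apple; it classifies a dotted OS X version string against those boundaries and, when run on a real Mac, reads the running version with `sw_vers -productVersion`. The sample versions at the bottom are constructed, and the status keywords are this example's own naming.

```shell
#!/bin/sh
# Added example for this page, not code from MacNN, TrueSec, Synack or Apple.
# Classifies an OS X version against the Rootpipe timeline in the article:
#   - releases before 10.10 get no fix from Apple (per Kvarnhammar)
#   - 10.10.x before 10.10.3 is vulnerable and should be updated
#   - 10.10.3 carries Apple's fix, but Wardle reported a local bypass
# Status keywords below are this example's own naming, not Apple's.

# Compare two dotted numeric versions component by component.
# Prints "lt", "eq" or "gt"; missing components count as 0, so 10.10 < 10.10.3.
vercmp() {
    av=$1
    bv=$2
    while [ -n "$av" ] || [ -n "$bv" ]; do
        x=${av%%.*}
        y=${bv%%.*}
        if [ "$av" = "$x" ]; then av=; else av=${av#*.}; fi
        if [ "$bv" = "$y" ]; then bv=; else bv=${bv#*.}; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then echo lt; return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then echo gt; return 0; fi
    done
    echo eq
}

# Map a version string to a status keyword. Rejects anything that is not
# digits and dots, so a garbled sw_vers line cannot be mis-classified as safe.
rootpipe_class() {
    v=$1
    case $v in
        '' | *[!0-9.]* | .* | *. | *..*)
            printf 'rootpipe_class: not a dotted numeric version: %s\n' "$v" >&2
            return 1 ;;
    esac
    if [ "$(vercmp "$v" 10.10)" = lt ]; then
        echo old-no-fix-planned
    elif [ "$(vercmp "$v" 10.10.3)" = lt ]; then
        echo yosemite-update-to-10.10.3
    elif [ "$(vercmp "$v" 10.10.3)" = eq ]; then
        echo fixed-but-local-bypass-reported
    else
        echo newer-than-article-check-release-notes
    fi
}

# Constructed sample versions (not real fleet data), one per outcome.
for v in 10.9.5 10.10.2 10.10.3 10.11; do
    printf '%-8s %s\n' "$v" "$(rootpipe_class "$v")"
done

# On an actual Mac, classify the running system.
if command -v sw_vers >/dev/null 2>&1; then
    printf 'this host: %s\n' "$(rootpipe_class "$(sw_vers -productVersion)")"
fi
```

The exact-match branch for 10.10.3 is deliberate: the article only supports a statement about that release, so anything newer is reported as outside what the page covers rather than as safe, and a malformed version string is rejected instead of being silently treated as patched.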
     
msuper69 (Professional Poster, member since Jan 2000, Columbus, OH), Apr 19, 2015, 11:37 AM:

Requires physical access.
FAIL.
     
Mike Wuerthele (Managing Editor, member since Jul 2012), Apr 19, 2015, 02:56 PM:

Not a fail in every situation, but it does mitigate the risk.

It'll be interesting to see what other outlets pick this up over the next few days and start screaming about how OS X is fundamentally screwed, and not mention the physical access thing.
     
just a poster (Forum Regular, member since Jun 2004), Apr 19, 2015, 03:13 PM:

Requires a payload, not physical access. Any app on the App Store can be modified to include code that takes advantage of this flaw.
     
Mike Wuerthele (Managing Editor, member since Jul 2012), Apr 19, 2015, 03:38 PM:

> Originally Posted by just a poster:
> Requires a payload, not physical access. Any app on the App Store can be modified to include code that takes advantage of this flaw.

Which should break signing, and with it, Gatekeeper should flag on it.

Perhaps I wasn't clear enough on the physical access part. So far, there's no Adware or remote attack involving this flaw. A user has to launch an executable for this to be an issue.
     
DiabloConQueso (Grizzled Veteran, member since Jun 2008), Apr 19, 2015, 04:48 PM:

I'm always down to set up a honeypot for any tinfoil-hat-types that believe this to be an exploitable security issue that could be leveraged to gain access to the computers of the average home user.

Just say the word and I'll expose a vanilla OS X Yosemite computer to the internet with your choice of services enabled and you can have your way to try and prove whatever point you'd like to prove.

I'm all for patching security holes, big or small, obvious or hidden, blatant or esoteric -- but I'm not in support of fear-mongering that does nothing more than instill paranoia in the average home user and allude to the thought that Apple just doesn't give two craps about security. If it's that dangerous, then here -- here's an "average home user's" Yosemite machine, exposed, public IP, services enabled, and all -- prove it.
     
just a poster (Forum Regular, member since Jun 2004), Apr 19, 2015, 05:40 PM:

@Mike "unless distributed by an authenticated developer".

There is no reason an authenticated third-party developer (e.g. one who develops signed apps) should be able to exploit flaws in the admin framework to escalate to root. The suggestion in the Reverse Engineering Mac OS X post is a pretty good fix, by better limiting access to vulnerable parts of the framework to Apple's own signed apps.

I'm of the opinion that modern apps escalate privileges far too much. Other than carefully controlled and signed 3rd-party system utilities, they should be residing/operating in user space, not admin space and that should include limits on access to functions reading from and writing to physical parts like mouse, keyboard, camera, microphone, network, and USB/firewire/thunderbolt and sdxc ports... not just limited to the filesystem.
     
Grendelmon (Senior User, member since Dec 2007, Too F'ing Cold, USA), Apr 20, 2015, 10:49 AM:

> Originally Posted by DiabloConQueso:
> I'm always down to set up a honeypot for any tinfoil-hat-types that believe this to be an exploitable security issue that could be leveraged to gain access to the computers of the average home user.
>
> Just say the word and I'll expose a vanilla OS X Yosemite computer to the internet with your choice of services enabled and you can have your way to try and prove whatever point you'd like to prove.
>
> I'm all for patching security holes, big or small, obvious or hidden, blatant or esoteric -- but I'm not in support of fear-mongering that does nothing more than instill paranoia in the average home user and allude to the thought that Apple just doesn't give two craps about security. If it's that dangerous, then here -- here's an "average home user's" Yosemite machine, exposed, public IP, services enabled, and all -- prove it.

Sigh.
     
bjojade (Junior Member, member since Jun 2007), Apr 20, 2015, 05:46 PM:

I'm not sure I fully understand the flaw. So, in order to access this flaw, you have to launch an app, and then enter the admin password? Isn't that how you normally would do things that would modify your system? Is it just that this is taking another route than normal code? One would think that if you can convince a user to enter in the admin password, there's not a thing that can be done to stop them from installing system modifying software.
     
   
All contents of these forums © 1995-2017 MacNN. All rights reserved.