Author Topic: Apple OS X zero-day flaw hands over root access without system passwords

Posted by javajolt (Administrator), windows10newsinfo.com
A week after the disclosure of a zero-day vulnerability an active exploit has been spotted in the wild.

A zero-day flaw which allows attackers to gain root access to Mac systems is now being exploited online.
Last month, security researcher Stefan Esser disclosed a privilege escalation vulnerability in OS X that affects OS X 10.10.x through the DYLD_PRINT_TO_FILE environment variable, a feature newly added to the operating system's dynamic linker, dyld.

It was unclear at the time whether Apple knew about the security flaw: the problem had been patched in the first beta versions of OS X El Capitan 10.11, but not in the current release of OS X 10.10.4 or in the current beta of OS X 10.10.5. While Esser did not inform Apple of the bug at the time of public disclosure, it is believed the iPad and iPhone maker may have known about the vulnerability through an earlier disclosure by another researcher.

Unfortunately, it seems the zero-day vulnerability is already being exploited in OS X.

Malwarebytes researcher Adam Thomas spotted the exploit after stumbling upon a new adware installer. During testing on an OS X machine, Thomas realized his sudoers file had been modified. The sudoers file is a hidden Unix file that determines which users may obtain root privileges in a Unix shell, and under what conditions.

In this case, the vulnerability allowed the adware installer to gain root permissions via a Unix shell without prompting for an administrator's password.

The exploit script, which uses the DYLD_PRINT_TO_FILE vulnerability, is written to a file, executed and then deleted. It modifies the sudoers file so that shell commands can be run as root without a password, and then launches the VSInstaller app.

Granted full root permissions, the app -- found in a hidden directory on the adware installer's disk image -- is then able to download whatever it pleases.
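A defender-side check for the kind of sudoers tampering Thomas noticed, added here as an example written for this post (it is not code from the article, Malwarebytes or Apple): it parses a constructed sudoers sample and flags entries that let commands run as root with no password prompt. The sample file contents and the `_installer` user name are constructed for the example.

```python
import re

# Constructed sample resembling a stock OS X sudoers with two entries appended
# by a malicious installer (test data, not a captured file; "_installer" is invented).
SAMPLE_SUDOERS = """\
# sudoers file.
Defaults    env_reset
root    ALL = (ALL) ALL
%admin  ALL = (ALL) ALL
%staff  ALL = (ALL) \\
        NOPASSWD: ALL
Defaults:_installer !authenticate
"""

# user host = (runas) [NOPASSWD:] commands  (sudoers user specification)
USER_SPEC = re.compile(
    r"^(?P<user>\S+)\s+\S+\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.*)$")

def logical_lines(text):
    """Yield (first_line_no, line) with backslash continuations merged."""
    buf, start = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        start = start if buf else no
        if raw.rstrip().endswith("\\"):
            buf.append(raw.rstrip()[:-1])
            continue
        buf.append(raw)
        yield start, " ".join(buf)
        buf = []

def find_passwordless_root(text):
    """Return (line_no, reason, entry) for entries that bypass the sudo password prompt."""
    findings = []
    for no, line in logical_lines(text):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue  # blank line or comment
        if entry.startswith("Defaults"):  # also Defaults:user, Defaults@host
            if "!authenticate" in entry:
                findings.append((no, "Defaults disables password authentication", entry))
            continue
        m = USER_SPEC.match(entry)
        if not m or "NOPASSWD:" not in m.group("cmds"):
            continue
        runas = (m.group("runas") or "root").strip()
        cmds = m.group("cmds").split("NOPASSWD:", 1)[1].strip()
        scope = "all commands" if cmds == "ALL" else "commands: " + cmds
        findings.append((no, f"NOPASSWD for {m.group('user')} as ({runas}) on {scope}", entry))
    return findings
```

Feed it the contents of /etc/sudoers to check a live host; any finding on a machine where nobody configured passwordless sudo deserves the same scrutiny Thomas gave his modified file.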

Source: ZDNet