New OS X 10.10.5 Privilege Escalation Vulnerability Discovered

Just days after Apple patched the DYLD_PRINT_TO_FILE security hole with the release of OS X 10.10.5, a developer has found a similar unpatched exploit that could allow attackers to gain root-level access to a Mac.

Luca Todesco shared information (via AppleInsider) on the "tpwn" exploit on GitHub over the weekend. It affects all versions of OS X Yosemite, including OS X 10.10.5, but does not affect OS X El Capitan.

tpwnvulnerability

Todesco did not give Apple a heads up on the vulnerability before sharing it publicly, so it is not clear when Apple will release a patch for machines running OS X Yosemite. As noted by AppleInsider, it is standard procedure (and a courtesy) for security researchers and developers to provide Apple with details on vulnerabilities before publicizing them to prevent hackers from using security holes for nefarious purposes.

According to Todesco, who has also shared what he says is a third-party fix, releasing details on the exploit is no different than releasing an iOS jailbreak, but as Engadget explains, Todesco's actions have the potential to be somewhat more harmful than a jailbreak.

Those are technically true, but they downplay the practical dangers of publishing this info. Many people aren't knowledgeable enough to try third-party safeguards or deal with the possible side effects, and jailbreaks are at least intended for semi-innocuous purposes. A 'surprise' exploit for the Mac only really serves to give attackers time that they wouldn't otherwise have.

It took Apple less than a month to release OS X 10.10.5 to fix the DYLD_PRINT_TO_ACCESS vulnerability after it was first publicized, but during the time between its discovery and the launch of the fix, an exploit using the vulnerability was discovered in the wild.

Ahead of a fix for this latest vulnerability, OS X Yosemite users can protect themselves by downloading apps solely from the Mac App Store and from trusted developers.

Top Rated Comments

(View all)

pepan

58 months ago

I read somewhere that he only gave Apple a few hour's notice before releasing it. He's a scumbag. And I have to say that the writer of this article is sort of a scumbag if that screenshot is the code for the vulnerability (If this is true, sorry Juli).

The screenshot is just a proof that compiling some code and running it works. However, not giving a company any chance to release a fix is something only a complete jerk would do.

Rating: 10 Votes

Rigby

58 months ago

The screenshot is just a proof that compiling some code and running it works. However, not giving a company any chance to release a fix is something only a complete jerk would do.

Perhaps he had good reasons for doing this. For example, he might have evidence that the bug is already being exploited. If true, people can immdiately use the third-party fix he pointed to rather than waiting around for Apple to fix it. After all, they sometimes takes their sweet time ('http://krebsonsecurity.com/2011/11/apple-took-3-years-to-fix-finfisher-trojan-hole/') ...

Also, I think his comparison to jailbreaks is apt. Essentially whenever a jailbreak is released, the jailbreakers publish privilege escalation bugs and a nice demo on how to exploit them.

Finally, one should keep in mind that he could just as well have sold the exploit on the black market for a fat check instead of just publishing it and then getting called "complete jerk" as a reward ...

Rating: 7 Votes

bradl

58 months ago

Front page news, surely?

Seems that it is now a race between Apple and malware writers make use of this information.

Again, this isn't of much use unless the attacker has physical or network access to your Mac. That isn't to say that this isn't any less of a vulnerability than those they've fixed, but this one also isn't something that someone can target a Mac with remotely, and instantly have root access.

tl;dr: a lot of variables have to fall into place at the right time for this to have any major impact to a single machine.

BL.

Rating: 6 Votes

bradl

58 months ago

close.. the screenshot is of the code being compiled by a non-root user and executed by the non-root user, showing how the privileges are escalated to become root.

Doesn't take away the fact that the guy was an idiot for releasing this the way he did.

Funnily enough, @i0n1c has a patch that can be applied to this.

BL.

Rating: 6 Votes

mijail

58 months ago

That may be true, but developers have a set of ethics (s)he should abide by.

If you want to assign developers ethics, then I guess you should start by mentioning the OS developers' ethics (meaning, Apple's). Apple:

* doesn't offer bug bounties
* sometimes doesn't even react to the bug reports
* when there's a reaction it uses to take months or more (and still some people praise them!?)
* doesn't always acknowledge the bug reporter
* doesn't EVEN make it easy to report and track bugs

So, again, what developer ethics are you talking about?

Rating: 5 Votes

gmanist1000

58 months ago

Note that this won't be patched AT ALL until AFTER El Capitan is released most likely.

10.10.5 is the final main update to Yosemite from what I heard via Apple Developer Support. They are soley focused on El Capitan from here on out.

That may change though (because this is Apple under Tim Cook. Anything can happen) Apple might still patch this via supplemental update.

They can easily just patch it with a security update, no need for 10.10.6 or anything like that.

Rating: 4 Votes

bradl

58 months ago

For the average user? Sure. But I know at least one university that is very nervous about their multiple computer labs full of iMacs. It's a pretty big deal.

That's my point. If deployed in a lab, university, or enterprise environment, this could be severe. All it takes is compiling it one place for one type of architecture for it to be distributed to any other Mac.

However, in a lab or Enterprise environment, where it is mainly iMacs, they aren't going to be as portable. So Find My Mac wouldn't really need to be enabled on those, so the Guest Account wouldn't need to be enabled, allowing unfetted, password-free access to the iMac. If tied to some sort of Directory protocol (Active Directory, LDAP, etc.), such work could be traced to the person that released it. So while it may be a big deal, that university could easily bait this as a trap for the malevolent user.

That security researcher doesn't owe you or the richest company in the world anything. He's free to do whatever he wants.

That may be true, but developers have a set of ethics (s)he should abide by. He is showing a complete lack of ethics in the way that he released this. On every security list I have been on (including Secunia and Bugtraq) the discoverer of the vulnerability always would let the vendor know of the vulnerability and give them time to patch it before announcing the vulnerability. Even the JB teams here (TaIG, Pangu, evad3rs) do that. This guy did not.

If you think that is fair for him to do, perhaps you should reexamine your ethics as well.

BL.

Rating: 4 Votes

Robert.Walter

58 months ago

Kudos to the talent that discovered this vulnerability. Boo to the ******* that released it in an unethical way.

(Yes, I know it is the same talented doofus.)

Rating: 4 Votes

AngerDanger

58 months ago

Never trust a person whose last name is an anagram for "scooted".

Rating: 4 Votes

gijoeinla

58 months ago

Suspicious of a "third party fix"... Eerily reminds of someone causing a serious incident -- attracting people to the scene of the crime then detonating a bomb...hence the "third party app" fix..

Just saying that this public release of this info could be a set up.

Yikes - they just got thru saying DONT download anything over the net and here this guy is telling you to do just that.

Rating: 3 Votes

[ Read All Comments ]