Migrate Your Mac To OS X Yosemite 10.10.3 Immediately To Avoid Root Backdoor
Swedish hacker Emil Kvarnhammar is reporting that an unpublished OS X API — he dubs it a "backdoor" — can be used by nefarious types to gain root access through local users without Administrator status on Mac computers that have not yet been migrated to the 10.10.3 iteration of OS X, which was released just two days ago.
"The admin framework in Apple OS X contains a hidden backdoor API to root privileges [that] can be exploited to escalate privileges to root from any user account in the system," Kvarnhammar says in an advisory. "The intention was probably to serve the System Preferences app and systemsetup command-line tool, but any user process can use the same functionality. This is a local privilege escalation to root, which can be used locally or combined with remote code execution exploits."
The OS X vulnerability that Kvarnhammar has dubbed Rootpipe was uncovered by the hacker last October, and it has taken Apple up until their recent security update to issue a patch for it. Unfortunately, however, only users who have installed Yosemite and who have updated their install to 10.10.3 will receive the patch. Specifically, what this means is that anyone driving a Mac running Mavericks, Mountain Lion, Lion, or Snow Leopard is potentially at risk of a security breach. Systems that are unable to migrate to Yosemite are out of luck.
At this point Rootpipe is a proof-of-concept developed by Kvarnhammar, and there have been no accounts of the vulnerability being leveraged in the wild. Kvarnhammar has published exploit code ahead of a talk he will give on May 28 at Security Conference in Stockholm next month, though, and enough information will be available following that event to allow smartie transgressors galore to put together their own versions of Rootpipe.
Though Yosemite is a free upgrade for anyone with a Mac capable of running the operating system (most iMacs and MacBook variations dating from mid-2007 or later), it is known to slow down some older systems and for that reason many owners of such systems have opted not to upgrade. In the face of a vulnerability such as Rootpipe and its cousins sure to come, however, these users — as well as users of more recent systems who have decided to stick with earlier iterations of OS X — will want to make the move to Yosemite. And fast.
"The admin framework in Apple OS X contains a hidden backdoor API to root privileges [that] can be exploited to escalate privileges to root from any user account in the system," Kvarnhammar says in an advisory. "The intention was probably to serve the System Preferences app and systemsetup command-line tool, but any user process can use the same functionality. This is a local privilege escalation to root, which can be used locally or combined with remote code execution exploits."
At this point Rootpipe is a proof-of-concept developed by Kvarnhammar, and there have been no accounts of the vulnerability being leveraged in the wild. Kvarnhammar has published exploit code ahead of a talk he will give on May 28 at Security Conference in Stockholm next month, though, and enough information will be available following that event to allow smartie transgressors galore to put together their own versions of Rootpipe.
Though Yosemite is a free upgrade for anyone with a Mac capable of running the operating system (most iMacs and MacBook variations dating from mid-2007 or later), it is known to slow down some older systems and for that reason many owners of such systems have opted not to upgrade. In the face of a vulnerability such as Rootpipe and its cousins sure to come, however, these users — as well as users of more recent systems who have decided to stick with earlier iterations of OS X — will want to make the move to Yosemite. And fast.
