Serious Vulnerability Found In OS X
The security issues in OS X keep mounting as ZDNet has reported that German researcher Stefan Esser has found a very, very bad vulnerability:
The new features exploitable by the vulnerability are based upon the dynamic linker dyld and environment variable DYLD_PRINT_TO_FILE, which enables error logging to an arbitrary file.
“When this variable was added the usual safeguards that are required when adding support for new environment variables to the dynamic linker have not been used. Therefore it is possible to use this new feature even with SUID root binaries,” Esser explained.
“This is dangerous, because it allows to open or create arbitrary files owned by the root user anywhere in the file system. Furthermore the opened log file is never closed and therefore its file descriptor is leaked into processes spawned by SUID binaries. This means child processes of SUID root processes can write to arbitrary files owned by the root user anywhere in the filesystem.”
This, in turn, allows for privilege escalation and PC hijacking to take place.
Lovely. Based on his description, it sounds like this is something that should have been caught during the QA process. Of course that assumes that this was designed with security in mind in the first place. It’s not clear which side of the fence this lands on. It’s also not clear whether Apple is aware of the issue, because it is apparently fixed in the OS X 10.11 (El Capitan) betas. But it is not fixed in either OS X 10.10.4 or the 10.10.5 beta. Thus your guess is as good as mine as to whether a fix is coming for this.
This entry was posted on July 22, 2015 at 2:42 pm and is filed under Commentary with tags Apple. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.