Swedish hacker Emil Kvarnhammar has reported a since-fixed four-year-old local root 'backdoor' OS X that allows remote attackers to increase the damage of their hacks.
Kvarnhammar says the unpublished API, which he dubs a backdoor, grants root access to local users on unpatched boxes. The flaw (CVE-2015-1130) is fixed in Apple's patch run this week but for machines running OS X 10.10.x only.
Kvarnhammar says it is useful as a means to bolster remote attacks that use regular user accounts which lack system access.
"The admin framework in Apple OS X contains a hidden backdoor API to root privileges [that] can be exploited to escalate privileges to root from any user account in the system," Kvarnhammar says in an advisory.
"The intention was probably to serve the System Preferences app and systemsetup command-line tool, but any user process can use the same functionality.
"This is a local privilege escalation to root, which can be used locally or combined with remote code execution exploits."
Kvarnhammar discovered the flaw October last year and published exploit code ahead of a talk he will give at Security Conference next month.
Attackers can pull off the hack by sending a nil, a kind of NULL for Object C, Kvarnhammar says.
It is as simple as sending nil to authenticateUsingAuthorizationSync instead of using the result of [SFAuthorization authorisation]:
[sharedClient authenticateUsingAuthorizationSync: nil];
It seems like the authorization checks are made by triggering callback functions on the auth-object supplied. For those of you who are not Objective-C programmers: Guess what happens if you call methods on a null reference – or to use Objective-C language, send a message to nil? Nothing!
Users should update to OS X 10.10.3, since OS X 10.9.x and older remain un-patched. Systems running OS X 10.8.5, 10.9.5, and 10.10 to 10.10.2, for example, are still vulnerable. If your Mac can't run Yosemite, then you're out of luck. ®