Another root hole in OS X. We know it, you know it, the bad people know it – and no patch exists
Be careful what you run
If you're using OS X Yosemite, watch out for malware exploiting a new way to take complete control of your Mac.
A vulnerability has been found in Apple's operating system that allows ordinary software on the computer to gain all-powerful root privileges, allowing dodgy apps to install new programs, create users, delete users, trash the system, and so on, without the owner's permission.
Someone who describes themselves on Twitter as an 18-year-old Italian called Luca Todesco has this week pointed out details of the flaw, example code to exploit it, and software to mitigate it.
The vulnerability exists in OS X from version 10.9.5 to 10.10.5, the latest official build of Apple's operating system. OS X El Capitan, aka OS X 10.11, which is in public beta, does not suffer from the same programming blunder.
At the heart of the security hole are really two issues that together can be exploited via IOKitLib, an interface for accessing devices from normal applications.
According to Todesco, if you call the library's IOServiceOpen function with an invalid owningTask parameter, a kernel-level IOUserClient will be passed a NULL pointer for the calling task. This pointer makes its way through more of the OS and is used to locate a variable in memory where a bit is set. By controlling the page of memory at address zero, an attacker can direct where these bits are set, and thus manipulate the kernel's memory, and eventually seize control of execution with full kernel-level privileges.
"It wasn't exactly the hardest-to-find bug in the world," added Todesco.
"this is on 10.10.4 but 10.10.5 shouldn't make a difference. pic.twitter.com/dFTiTcUm06"
Luca Todesco (@qwertyoruiop), August 15, 2015
Todesco said he reported the bug to Apple's engineers, and went public on Sunday by uploading the exploit code to GitHub because he felt he "had to."
"I was planning on publishing it in an abstract blog post. I informed Apple, just because, you know, Apple could have simply not noticed my post," he said. "I only published tpwn because I had to, or else I would have kept it unreported until 10.11. The bad guys already have [local privilege escalation bugs]."
No patch exists yet for the security blunder, unless one upgrades to OS X El Capitan. Mac users still on Yosemite will have to make sure they run only trusted signed applications, and really hope that no one achieves remote-code execution on their machine. If multiple users share the same machine, any one of them can use this flaw to gain administrator-grade control.
Todesco also produced a kernel extension called NULLguard that stops applications from starting if they wish to use the zero page – and thus stops programs that could potentially exploit this vulnerability – but he now recommends people install Stefan Esser's SUIDGuard instead.
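To show what a NULLguard-style "does this binary want the zero page?" check looks like, here is an added example in Python; it is not NULLguard's or Todesco's code. It assumes that a Mach-O executable can only map address zero when it lacks a __PAGEZERO segment reserving that region (the reservation a default link produces and that building with -pagezero_size 0 removes), and the two sample images are constructed inline with headers and load commands only.

```python
import struct

# Mach-O constants from <mach-o/loader.h> (little-endian magics only)
MH_MAGIC, MH_MAGIC_64 = 0xfeedface, 0xfeedfacf
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19

def pagezero_size(data: bytes) -> int:
    """vmsize of the __PAGEZERO segment at vmaddr 0, or 0 if the image has none."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:  # thin, little-endian 64-bit image
        hdr_len, seg_cmd, seg_fmt = 32, LC_SEGMENT_64, "<II16sQQQQiiII"
    elif magic == MH_MAGIC:  # thin, little-endian 32-bit image
        hdr_len, seg_cmd, seg_fmt = 28, LC_SEGMENT, "<II16sIIIIiiII"
    else:
        raise ValueError("not a thin little-endian Mach-O image")
    (ncmds,) = struct.unpack_from("<I", data, 16)  # ncmds is at offset 16 in both headers
    off = hdr_len
    for _ in range(ncmds):  # walk the load commands
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == seg_cmd:
            fields = struct.unpack_from(seg_fmt, data, off)
            segname, vmaddr, vmsize = fields[2].rstrip(b"\0"), fields[3], fields[4]
            if segname == b"__PAGEZERO" and vmaddr == 0:
                return vmsize
        off += cmdsize
    return 0

def can_map_zero_page(data: bytes) -> bool:
    """True when nothing reserves address 0, so the process could map the NULL page."""
    return pagezero_size(data) == 0

# Constructed sample images: headers and load commands only, no code.
def _segment64(name: bytes, vmaddr: int, vmsize: int) -> bytes:
    return struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, name.ljust(16, b"\0"),
                       vmaddr, vmsize, 0, 0, 0, 0, 0, 0)

def _macho64(segments: list) -> bytes:
    body = b"".join(segments)  # cputype CPU_TYPE_X86_64, filetype MH_EXECUTE
    return struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2,
                       len(segments), len(body), 0, 0) + body

# A default-linked x86_64 executable reserves 4 GiB at address 0; one built
# with -pagezero_size 0 carries no __PAGEZERO segment at all.
NORMAL = _macho64([_segment64(b"__PAGEZERO", 0, 0x100000000),
                   _segment64(b"__TEXT", 0x100000000, 0x1000)])
NO_PAGEZERO = _macho64([_segment64(b"__TEXT", 0x1000, 0x1000)])
```

Run over real files, the same check would also need to unwrap fat (multi-architecture) images, which this version rejects.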
The IOKitLib flaw emerged soon after Apple patched the DYLD_PRINT_TO_FILE privilege-escalation bug, which also affected OS X Yosemite.
El Reg reckons it would be nice if OS X blocked all accesses to page zero, thus trapping attempts to exploit NULL pointers, but what do we know? ®