Researcher Discloses Privilege Escalation Vulnerability in OS X
Stefan Esser, a German researcher from security audit firm SektionEins, has disclosed a major OS X vulnerability, which affects OS X 10.10.x and is related to the new features added by Apple to its latest software (via ZDNet).
As Esser details, the security flaw is related to the new environment variable DYLD_PRINT_TO_FILE that enables error logging to an arbitrary file. The problem with this is that Apple “somehow forgot” to use the usual safeguards required when adding support for new environment variables to the dynamic linker.
As a result, the variable is honored even by SUID root binaries, which, he writes, is dangerous because it allows arbitrary files owned by the root user to be opened or created anywhere in the file system.
“This is dangerous, because it allows opening or creating arbitrary files owned by the root user anywhere in the file system. Furthermore, the opened log file is never closed and therefore its file descriptor is leaked into processes spawned by SUID binaries. This means child processes of SUID root processes can write to arbitrary files owned by the root user anywhere in the filesystem.”
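The two safeguards Esser says were missing, sketched as added example code (not Esser's kernel extension or Apple's dyld): in a set-uid context, environment variables that steer the dynamic linker are dropped before they are honored, and descriptors inherited from the parent are closed so a leaked log file cannot reach child processes. The LD_ prefix (the glibc counterpart on Linux) and the 256 descriptor ceiling are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>

/* An entry of the form NAME=value that the linker must ignore when the
 * process is set-uid. DYLD_ is the prefix from the article (DYLD_PRINT_TO_FILE
 * among them); LD_ is the Linux equivalent and is included by assumption. */
static int is_linker_var(const char *entry) {
    return strncmp(entry, "DYLD_", 5) == 0 || strncmp(entry, "LD_", 3) == 0;
}

/* Copy envp into out, dropping linker variables. out must hold as many
 * pointers as envp plus the terminating NULL. Returns the number dropped. */
int strip_linker_vars(char *const envp[], char *out[]) {
    int removed = 0, n = 0;
    for (int i = 0; envp[i] != NULL; i++) {
        if (is_linker_var(envp[i])) removed++;
        else out[n++] = envp[i];
    }
    out[n] = NULL;
    return removed;
}

/* Close every open descriptor in [first_fd, max_fd), so a file the parent
 * left open (such as a leaked DYLD_PRINT_TO_FILE log) is not inherited by
 * anything this process spawns. Returns how many descriptors were closed. */
int close_inherited_fds(int first_fd, int max_fd) {
    int closed = 0;
    for (int fd = first_fd; fd < max_fd; fd++)
        if (fcntl(fd, F_GETFD) != -1 && close(fd) == 0) closed++;
    return closed;
}

int main(void) {
    /* Constructed sample environment for demonstration. */
    char *env[] = { "PATH=/usr/bin", "DYLD_PRINT_TO_FILE=/tmp/dyld.log",
                    "HOME=/root", "LD_PRELOAD=/tmp/evil.so", NULL };
    char *clean[5];
    int removed = strip_linker_vars(env, clean);
    printf("dropped %d linker variable(s)\n", removed);
    for (int i = 0; clean[i] != NULL; i++) printf("  keep: %s\n", clean[i]);
    /* Everything above stderr is treated as untrusted inheritance. */
    printf("closed %d inherited descriptor(s)\n", close_inherited_fds(3, 256));
    return 0;
}
```

On OS X the first safeguard has to live in dyld itself, since the variable is consumed before user code runs; a set-uid program can only apply the second one to what it passes on.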
It isn’t clear whether Apple is aware of this security flaw: as Esser highlights, it has already been patched in the first beta of OS X El Capitan, but it is still present in the current release, OS X 10.10.4, and in the beta of 10.10.5.
To protect users from this flaw, Esser has released the source code of a kernel extension, along with a digitally signed build of it, which can be downloaded from GitHub. Alternatively, you can wait until Apple addresses the issue and releases a fix.