U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Researcher discloses Local Privilege Escalation Flaw in Apple Mac OS X

Researchers have discovered a critical local privilege escalation (LPE) vulnerability in the Mac OS X operating system, but Apple will fix only by October. German researcher Stefan Esser, founder of security audit company SektionEins, has discovered a local privilege escalation (LPE) vulnerability in the Mac OS X operating system that affects OS X 10.10.x. Esser decided to […]

Researcher discloses Local Privilege Escalation Flaw in Apple Mac OS X

Researchers have discovered a critical local privilege escalation (LPE) vulnerability in the Mac OS X operating system, but Apple will fix only by October.

German researcher Stefan Esser, founder of security audit company SektionEins, has discovered a local privilege escalation (LPE) vulnerability in the Mac OS X operating system that affects OS X 10.10.x. Esser decided to take the full disclosure the vulnerability without previously notifying it to Apple, but it seems that the company was already aware of the flaw in the Mac OS X system because it was reported months ago by the a South Korean researcher known as “beist.”

Mac OS X bug

The flaw resides in a feature introduced by Apple to the dynamic linker “dyld” with the release of OS X 10.10, the vulnerability is related to the environment variable DYLD_PRINT_TO_FILE, which enables error logging to arbitrary files.

When this variable was added the usual safeguards that are required when adding support for new environment variables to the dynamic linker have not been used. Therefore it is possible to use this new feature even with SUID root binaries. This is dangerous, because it allows to open or create arbitrary files owned by the root user anywhere in the file system. Furthermore the opened log file is never closed and therefore its file descriptor is leaked into processes spawned by SUID binaries. This means child processes of SUID root processes can write to arbitrary files owned by the root user anywhere in the filesystem. This allows for easy privilege escalation in OS X 10.10.x.” Esser reported in a blog post.

Esser has published technical details of the security flaw describing the way to exploit it to gain full privileges on the target system. The researcher also provided a full Proof of Concept Exploit that gives the executing user a local root shell.

The problem for Mac OS X users is that Apple only fixed the vulnerability in the beta versions of OS X El Capitan 10.11, the fix for another version, including the current OS X 10.10.4 or the beta version of OS X 10.10.5. OS X 10.11, is expected to be released by October.

Esser has revealed that the local privilege escalation flaw also affects jailbroken iPhones running iOS 8.x.

Mac OS X bug 2

Apple users can wait for the fix or install SUIDGuard, a kernel extension that adds mitigations to protect SUID/SGID binaries.

Pierluigi Paganini

(Security Affairs – Bartalex, macro)