
0-day bug in fully patched OS X comes under active exploit to bypass password protection

Privilege-escalation bug lets attackers infect Macs sans password.


Hackers are exploiting a serious zero-day vulnerability in the latest version of Apple's OS X so they can install adware applications without requiring victims to enter system passwords, researchers said.

As Ars reported last week, the privilege-escalation bug stems from new error-logging features that Apple added to OS X 10.10. Apple's developers didn't apply the standard safeguards when they added the feature to the OS X dynamic linker, dyld; as a result, attackers can open or create files with root privileges anywhere in the OS X file system. The bug was disclosed last week by security researcher Stefan Esser.

On Monday, researchers from anti-malware firm Malwarebytes said a new malicious installer is exploiting the vulnerability to surreptitiously infect Macs with several types of adware, including VSearch, a variant of the Genieo package, and the MacKeeper junkware. Malwarebytes researcher Adam Thomas stumbled on the exploit after noticing that the installer modified the sudoers configuration file. In a blog post, Malwarebytes researchers wrote:

For those who don’t know, the sudoers file is a hidden Unix file that determines, among other things, who is allowed to get root permissions in a Unix shell, and how. The modification made to the sudoers file, in this case, allowed the app to gain root permissions via a Unix shell without needing a password.

As can be seen from the code snippet shown here, the script that exploits the DYLD_PRINT_TO_FILE vulnerability is written to a file and then executed. Part of the script involves deleting itself when it’s finished.

The real meat of the script, though, involves modifying the sudoers file. The change made by the script allows shell commands to be executed as root using sudo, without the usual requirement for entering a password.

Then the script uses sudo's new password-free behavior to launch the VSInstaller app, which is found in a hidden directory on the installer’s disk image, giving it full root permissions, and thus the ability to install anything anywhere. (This app is responsible for installing the VSearch adware.)
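A defender-side check for the sudoers change the Malwarebytes post describes, added here as an example and not code from Ars, Malwarebytes or Apple: it lists the active NOPASSWD grants in a sudoers file and flags those that cover all commands or apply to a principal other than root or the admin group. The sample sudoers content, the function name and the "admin" default are assumptions constructed for the example.

```shell
#!/bin/sh
# Audit a sudoers file for passwordless-sudo grants. Prints each active
# NOPASSWD entry with a severity label; exit status is 0 when none is
# present and 1 when at least one was reported. Scope is one file
# (normally /etc/sudoers; pass a copy for offline review); files pulled
# in by #include/#includedir are not followed.

# audit_sudoers FILE [ADMIN_GROUP]
#   ADMIN_GROUP: group expected to hold sudo rights (default "admin", the
#   OS X administrator group); any other principal is called out.
audit_sudoers() {
    file=$1
    admin_group=${2:-admin}
    # 1. drop comments and blank lines, strip leading whitespace
    # 2. join backslash-continued lines so one entry is one line
    # 3. keep only entries carrying a NOPASSWD tag ("|| :" keeps a clean
    #    file from tripping set -e when grep finds nothing)
    entries=$(sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' \
                  -e 's/^[[:space:]]*//' "$file" \
              | sed -e :a -e '/\\$/N; s/\\\n//; ta' \
              | grep 'NOPASSWD:' || :)
    [ -z "$entries" ] && return 0
    printf '%s\n' "$entries" | while IFS= read -r spec; do
        principal=${spec%%[[:space:]]*}      # user, %group or User_Alias
        cmds=${spec##*NOPASSWD:}             # command list after the tag
        # "ALL" as a standalone item in the command list means any command
        if printf '%s\n' "$cmds" | grep -Eq '(^|,)[[:space:]]*ALL[[:space:]]*(,|$)'; then
            severity="HIGH: passwordless sudo for ALL commands"
        else
            severity="REVIEW: passwordless sudo for listed commands"
        fi
        case "$principal" in
            root|"%$admin_group") note="" ;;
            *) note=" [principal '$principal' is not root or %$admin_group]" ;;
        esac
        printf '%s -> %s%s\n' "$severity" "$spec" "$note"
    done
    return 1
}

# Constructed sample, not a real system file: the stock grants plus the
# kind of line an installer would append to drop the password prompt.
SAMPLE_SUDOERS='# stock entries
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
Defaults env_reset
# entry appended by the adware installer (constructed)
ALL     ALL=(ALL) NOPASSWD: ALL'

tmp=$(mktemp) && printf '%s\n' "$SAMPLE_SUDOERS" > "$tmp"
if audit_sudoers "$tmp"; then echo "no passwordless sudo entries"
else echo "passwordless sudo entries found; compare against a known-good sudoers"; fi
rm -f "$tmp"
```

On a live system, run it against the output of `sudo cat /etc/sudoers` saved to a file; a NOPASSWD line with principal ALL on a Mac that never had one is the indicator the post describes.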

No good options

Privilege-escalation vulnerabilities have become increasingly important to hackers in an age of security sandboxes and other exploit mitigations. Attackers often combine an exploit for a vulnerability in the operating system kernel with a separate information-disclosure or privilege-elevation bug that lets the first exploit bypass those security measures.

Esser said the dyld flaw is present in the current 10.10.4 version of OS X, as well as a beta version of 10.10.5 he recently tested. He said his exploits didn't work against a beta version of 10.11, an indication Apple developers already knew of the vulnerability and have been testing a fix. As Ars said last week, it wouldn't be surprising if that fix found its way into the general release of 10.10.5. Given Monday's discovery that attackers are actively exploiting the weakness to hijack Macs, a more expedited patch seems even more likely now. Update: Esser has since said the vulnerability has been fixed in a later beta version of 10.10.5.

Until Apple fixes the bug, Mac users don't have any good options. One is to install a mitigation Esser created. While Esser is a respected security researcher and software developer, many people disapprove of updates that aren't explicitly sanctioned by the official developer. Ars advises readers to strongly investigate Esser's patch before installing it. Then again, navigating the Internet with a system known to be vulnerable to in-the-wild exploits is also risky. This post will be updated if researchers from Apple or elsewhere provide guidance or meaningful mitigation advice.

Post updated in the headline and first paragraph to remove the word "drive-by," and to make clear the exploit is being used to install adware without a system password. Also updated to change the word "patch" to "mitigation" in the last paragraph and added detail about the fix in 10.10.5.
