Inside the Unpatched OS X Vulnerabilities

Italian researcher Luca Todesco explains how exploiting two vulnerabilities in OS X can give a hacker root access. He won’t, however, say why he went public with details and exploit code before Apple patched.

Update: Luca Todesco still won’t say why he disclosed over the weekend details and proof-of-concept code for a pair of unpatched and previously unreported OS X vulnerabilities, instead standing firm by his pat response: “I had my reasons.”

The 18-year-old Italian researcher, however, is sure his attacks will root current versions of OS X, Yosemite and Mavericks. Apple is reportedly working on a patch that will address both the kernel-level flaws and security bypass bug that Todesco reported on Sunday, hours before he went public.

The beta version of OS X 10.11, known as El Capitan, has already been patched, Todesco said.

“[Apple] did not tell me any timeframe [for a patch],” he told Threatpost. “It has been patched since the early betas in 10.11.” As a temporary mitigation, Todesco recommends running SUIDGuard, a kernel extension that mitigates memory-corruption attacks such as his. Todesco also developed a similar tool called NULLGuard that he originally promoted before deferring to SUIDGuard.

“NULLGuard prevents mapping the null page so the vulnerability can at most crash your Mac,” Todesco said.

Todesco’s exploit, called tpwn, chains together two kernel-level vulnerabilities in the memory handling of OS X 10.9.5 through 10.10.5 and bypasses existing mitigations such as ASLR. Once through the door, a hacker has root-level access to the vulnerable machine; the risk, however, is mitigated because a successful attack requires the user to execute a malicious application or a download from the Web.

“It’s important to realize that this is only a local elevation of privilege vulnerability. So it doesn’t directly benefit remote attacks,” said Patrick Wardle, director of research at Synack and a longtime OS X security researcher. “Of course it could be (and may be) integrated as a component of an exploit or persistent exploit payload to allow an attacker full privileges (root access) on a successfully exploited computer. So while definitely useful (having root is awesome!), the bug still first requires arbitrary code execution on a target or user’s computer.”

Todesco explained that his exploit involves passing a wrong type of Mach port to a certain I/O Kit function, which calls a separate function that converts the port to an in-kernel object.

“Since the type is wrong, this function returns NULL. IOKit does not check the return value, thus any usage of this object is really going to NULL,” Todesco explained. “One such use is to set a bit in a pointer controllable from the NULL page. By mapping the NULL page I can thus corrupt kernel memory at will.”

Coincidentally, Microsoft and Linux have already eliminated the class of bugs Todesco discovered.

“Why does Apple allow user-mode processes (on 64-bit machines) to allocate page 0?” Wardle said. “NULL-pointer derefs are somewhat of a mitigated bug-class on Windows and Linux, which both have exploitation mitigations that attempt to prevent the allocation of page 0, to thwart exactly this type of bug!”
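The two points above, the unchecked NULL return Todesco describes and the page-0 allocation mitigation Wardle mentions, reduce to a small amount of C. The following is an added example written for this article, not code from Todesco, Apple or IOKit; the `mach_port`, `kobject` and `port_to_object` names are hypothetical stand-ins for the real kernel types, and the mapping check models the Windows/Linux-style minimum-address policy rather than any specific implementation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the pattern described in the article: a lookup that
 * returns NULL on a type mismatch, a caller that forgets to check it, and the
 * hardened caller that does. Names are invented for illustration. */

enum port_type { PORT_TYPE_TASK = 1, PORT_TYPE_IOKIT_OBJECT = 2 };

struct mach_port {            /* hypothetical, not the real Mach structure */
    enum port_type type;
    void *object;
};

struct kobject {              /* hypothetical in-kernel object */
    uint32_t flags;
};

#define KOBJ_FLAG_ACTIVE 0x1u

/* Analogue of "convert the port to an in-kernel object": returns NULL when
 * the port is of the wrong type, which is exactly the case the caller must handle. */
struct kobject *port_to_object(struct mach_port *port) {
    if (port == NULL || port->type != PORT_TYPE_IOKIT_OBJECT)
        return NULL;
    return (struct kobject *)port->object;
}

/* Vulnerable pattern: the return value is used without a NULL check. With a
 * wrong-type port the write lands at offsetof(struct kobject, flags) from
 * address 0: a crash if page 0 is unmapped, a controlled write if it is mapped.
 * Shown for contrast only; never called with a wrong-type port below. */
void set_active_unchecked(struct mach_port *port) {
    struct kobject *obj = port_to_object(port);
    obj->flags |= KOBJ_FLAG_ACTIVE;   /* BUG: obj may be NULL */
}

/* Hardened pattern: refuse the operation instead of dereferencing NULL. */
int set_active_checked(struct mach_port *port) {
    struct kobject *obj = port_to_object(port);
    if (obj == NULL)
        return -1;                     /* wrong-type port: report an error */
    obj->flags |= KOBJ_FLAG_ACTIVE;
    return 0;
}

/* Mitigation analogue: a minimum-address policy for user mappings. A request
 * whose start lies below min_addr would overlap the low pages (page 0 when
 * min_addr is one page), so it is rejected and a NULL deref stays a crash. */
bool mapping_request_allowed(uintptr_t addr, size_t len, uintptr_t min_addr) {
    if (len == 0)
        return false;                  /* empty mappings are never meaningful */
    return addr >= min_addr;
}

/* Runs the hardened path on both port kinds; returns 0 when every case behaves
 * as intended (wrong type rejected, right type flagged active). */
int demo(void) {
    struct kobject obj = { .flags = 0 };
    struct mach_port good = { .type = PORT_TYPE_IOKIT_OBJECT, .object = &obj };
    struct mach_port wrong = { .type = PORT_TYPE_TASK, .object = NULL };

    if (set_active_checked(&wrong) != -1) return 1;   /* must be rejected */
    if (set_active_checked(&good) != 0) return 2;
    if ((obj.flags & KOBJ_FLAG_ACTIVE) == 0) return 3;

    const uintptr_t page = 4096;
    if (mapping_request_allowed(0, page, page)) return 4;      /* page 0 */
    if (!mapping_request_allowed(page, page, page)) return 5;  /* first allowed page */
    return 0;
}

int main(void) {
    int rc = demo();
    printf("demo result: %d (%s)\n", rc, rc == 0 ? "all checks behaved" : "unexpected");
    return rc;
}
```

The `set_active_unchecked` body is the shape to look for in code review: any helper that can return NULL on a type or validation failure must have every caller check the result, and a kernel that additionally refuses page-0 mappings turns the remaining misses into crashes rather than writes.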

Todesco chains this vulnerability with a separate information leak vulnerability in tpwn in order to bypass security features such as ASLR.

“By aligning the kernel heap correctly, you can get around kASLR (kernel address space layout randomization) and SMEP (Supervisor Mode Execution Prevention) and execute code,” Todesco said. “By using the code I posted, it’s very simple to make use of both these bugs to obtain root.

“Given an attacker that has code execution on someone’s computer and is able to execute a crafted binary in said computer,” Todesco said, “said attacker gets root.”

This article was updated Aug. 19 with comments from Synack’s Patrick Wardle.
