UPDATE: Apple patched the so-called Rootpipe backdoor in OS X, but only in current versions of Yosemite. According to the researcher who found the vulnerability, Apple told him that it would not backport the fix to 10.9.x and older.
The vulnerability, located in the OS X Admin framework, was patched Wednesday in a monster OS X update in Yosemite 10.10.3.
Emil Kvarnhammar of TrueSec in Sweden said the vulnerability requires local access to an OS X system and allows an attacker to escalate their privileges to root, which can be combined with other exploits to also gain remote exploitation and control of a system.
“Apple indicated that this issue required a substantial amount of changes on their side and that they will not back port the fix to 10.9.x and older,” Kvarnhammar wrote in an advisory yesterday on the TrueSec site.
Kvarnhammar calls the issue a “hidden backdoor API” granting root privileges and told Threatpost it is one of the easiest local privilege escalation exploits he’s seen. He reported the bug to Apple in October when he also did a partial disclosure of the issue, which he says has been present in the Apple operating system since 2011.
“An attacker could combine it with a remote code execution exploit. Remote code execution exploits are discovered and fixed in almost every version of OS X,” Kvarnhammar said. “An attacker would only need to know a way to exploit one of them and write code that exploits the combination in order to gain full root access on another’s machine.”
He said the backdoor likely isn’t malicious.
“The intention was probably to serve the ‘System Preferences’ app and systemsetup (command-line tool), but any user process can use the same functionality,” Kvarnhammar said, adding that it’s likely legacy code that’s been in OS X for a long time and used by many different parts of the operating system such as System Preferences and other similar tools.
“The exploit could be packed in a document with macros (e.g. in Microsoft Excel for OS X), combined with a remote code execution exploit, and launched through a vulnerability in Flash or Java, if available,” he said.
Kvarnhammar said his first foray into an exploit for the bug allowed him to elevate privileges to root from only admin accounts, but upon further investigation of the permissions doled out by OS X and its systemsetup command line tool, he was soon able to elevate from standard default user accounts as well.
“I actually found a way to make it work for all users later, which means that the exploit is no longer limited to admin accounts only. It is as simple as sending nil to authenticateUsingAuthorizationSync instead of using the result of [SFAuthorization authorization],” Kvarnhammar wrote. “It seems like the authorization checks are made by triggering callback functions on the auth-object supplied. For those of you who are not Objective-C programmers: Guess what happens if you call methods on a null reference – or to use Objective-C language, send a message to nil? Nothing!”
Kvarnhammar explained that he found the bug while doing some research for a conference presentation.
This week’s patch was one of 80 Apple released for OS X, addressing a number of remote code execution, denial of service and privilege escalation bugs, among others, in a dozen OS X components. Kvarnhammar said his proof of concept exploit no longer works on patched versions of OS X.
“I’m hoping to spend more time analyzing the details,” he said.
This article was updated at 6 p.m. ET with comments throughout from Emil Kvarnhammar.
