Get root on an OS X 10.10 Mac: The exploit is so trivial it fits in a tweet
If you want it fixed, upgrade to the El Capitan beta
Code dive You can bypass Apple's space-age security, and gain administrator-level privileges on an OS X Yosemite Mac, using code that fits in a tweet.
Yosemite, aka version 10.10, is the latest stable release of the Mac operating system, so a lot of people are affected by this vulnerability. The security bug can be exploited by a logged-in attacker, or malware on the computer, to gain total unauthorized control of the Mac. The vulnerability is documented here by iOS and OS X guru Stefan Esser.
It's all possible thanks to an environment variable called
DYLD_PRINT_TO_FILE that was added in Yosemite. It specifies where in the file system a component of the operating system called the dynamic linker can log error messages.
If the environment variable is abused with a privileged program, an attacker can modify arbitrary files owned by the powerful user account
root – files like the one that lists user accounts that are allowed administrator privileges.
Here's the titchy root-level privilege-escalation exploit, devised yesterday by Redditor Numinit:
echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s # via reddit: numinit (shorter)— Stefan Esser (@i0n1c) July 22, 2015
These shell commands run
whoami to output your username (eg:
vulture) and then tacks "ALL=(ALL) NOPASSWD:ALL" on the end to form a line like:
vulture ALL=(ALL) NOPASSWD:ALL
It then outputs that line to the file specified by
DYLD_PRINT_TO_FILE, which in this case is the list of users who can gain root-level privileges:
/etc/sudoers. That line tells OS X that your user account is allowed to gain root privileges without a password.
A privileged program – the root-owned set-uid executable
newgrp – is run to provide the root-level access to the
sudoers file. Finally,
sudo -s is executed to open an interactive command-line shell, which will have root-level privileges for your user account thanks to the update to the
sudoers file. From there you can do anything you like; modify documents, install malware, create new users, and so on.
This flaw is present in the latest version of Yosemite, OS X 10.10.4, and the beta, version 10.10.5. If you upgrade to the El Capitan beta (OS X 10.11), you'll be free from the vulnerability as Apple has already fixed it in that preview beta. Once again, if you keep up with Cupertino and install (or buy) the very latest stuff, you'll be rewarded.
Sponsored: The Nuts and Bolts of Ransomware in 2016