Speaking at the Øredev Developer Conference in Malmö, Sweden, Emil Kvarnhammar of security firm TrueSec demonstrated a privilege escalation vulnerability affecting OS X 10.8.5 through the newest 10.10 Yosemite.
The Swedish "white-hat hacker" notified Apple of the vulnerability two weeks ago, and agreed not to reveal details of how it works until January, allowing Apple and its customers time to address the issue before a malicious agent could begin exploiting the flaw TrueSec identified.
Dubbed "Rootpipe," the flaw allows software running under an account with admin privileges to gain root access via the "sudo" command without actually authenticating. Normally, an admin user is blocked from gaining root powers with sudo unless the user reenters his admin password. This mechanism could potentially be used by malware running in an admin account to install itself without ever prompting for an admin password, much as malware does on Windows.
In a report by Macworld, Kvarnhammar stated that he had been looking for a modern Mac vulnerability to demonstrate at the event, "but relatively few have been published. There are a few 'proof of concepts' online, but the latest I found affected the older 10.8.5 version of OS X. I couldn't find anything similar for 10.9 or 10.10."
After "a few days of binary analysis," the researcher identified a flaw affecting Mountain Lion, and after studying changes Apple made in Mavericks and the latest Yosemite, he figured out how to bypass security measures while running within an admin account.
Kvarnhammar noted "there was no discussion: we do responsible disclosure. But we also wanted to announce that we found a serious flaw; there is a big risk here."
Responsible disclosure vs. dropping a Zero-day
In a security context, "responsible disclosure" generally means that researchers who discover a serious flaw will notify the software vendor with details at least 90 days before publicly disclosing how the flaw actually works and how it can be exploited, allowing time for the issue to be addressed and patches to be distributed to users.
If a working exploit is developed before the vendor can patch it (or before the vendor is even aware of the vulnerability), it is called a "Zero-day."
Rather than following responsible disclosure, less scrupulous hackers sell Zero-day exploits for big money to malicious and/or government agencies to exploit users before a patch can be created.
Apple's OS X Xprotect system can disable zero-day vulnerable plugin components and quarantine malware before patches can be rolled out. Last year, Apple remotely disabled Java 7 after the U.S. Department of Homeland Security warned of a serious zero-day flaw in the software. Apple also routinely blocks older, insecure versions of Adobe Flash.
Bypassing the Rootpipe vulnerability
Until the Rootpipe flaw is fixed, Mac users can restrict themselves to working within a non-admin account, which is generally considered to be a good idea anyway. To do this, users create a secondary account with admin privileges, then use that account to remove admin rights from their own account. A user account without admin rights must specifically authenticate with a separate admin account and password in order to perform certain tasks like installing printer drivers or other software with system-level access.
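The advice above boils down to one condition: the account you log into every day must not be a member of the macOS "admin" group. The following script is an added example, not from the article or from TrueSec, that checks that condition and wraps the two macOS commands used to inspect and change admin group membership (`dscl` and `dseditgroup`, both real Apple tools; the assumption is that the script runs on macOS for those two functions). The membership check itself is plain POSIX sh and matches whole group names only, so a group such as "administrators" is not mistaken for "admin".

```shell
#!/bin/sh
# Added example (not from the article): audit whether the current login is a
# macOS admin account and, from a *secondary* admin account, demote the daily
# account as the article recommends. Assumes macOS for dscl/dseditgroup.

# is_member GROUP "GROUP_LIST": return 0 if GROUP appears as a whole word in the
# space-separated GROUP_LIST (the format `id -Gn` prints), else 1.
is_member() {
    _group=$1
    _list=$2
    for _g in $_list; do          # unquoted on purpose: split on whitespace
        [ "$_g" = "$_group" ] && return 0
    done
    return 1
}

# current_user_is_admin: on macOS, admin rights are membership in the "admin"
# group, which is exactly what Rootpipe-style escalation builds on.
current_user_is_admin() {
    is_member admin "$(id -Gn)"
}

# list_admin_accounts: print the members of the admin group (macOS only).
# Returns 2 elsewhere so a caller can tell "unknown platform" from "no admins".
list_admin_accounts() {
    [ "$(uname)" = "Darwin" ] || return 2
    dscl . -read /Groups/admin GroupMembership | sed 's/^GroupMembership: //'
}

# demote_user USER: remove USER from the admin group (macOS only).
# Run this from the secondary admin account the article says to create first;
# demoting the account you are logged into would leave you without any admin.
demote_user() {
    [ "$(uname)" = "Darwin" ] || return 2
    [ -n "$1" ] || return 1
    if [ "$1" = "$(id -un)" ]; then
        echo "refusing to demote the current login; switch to the other admin account" >&2
        return 1
    fi
    sudo dseditgroup -o edit -d "$1" -t user admin
}

# Report only; nothing below changes the system.
if current_user_is_admin; then
    echo "current login $(id -un) is an admin: demote it from a second admin account"
else
    echo "current login $(id -un) is not an admin"
fi
```

Run it as the account you normally use; if it reports that the login is an admin, create the second admin account in System Preferences as described above, log into that account, and call `demote_user <your daily account>` from there. Afterwards, software that wants system-level access has to prompt for the separate admin name and password, which is the protection the article is after.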
Kvarnhammar also recommended using FileVault, Apple's hard drive encryption for Mac users, noting "This is a great way of protecting your data, especially if your computer gets stolen."
In addition to hacking Macs, Kvarnhammar also hacked Samsung Knox running on Android phones. The Øredev Developer Conference runs through the end of this week, and includes sessions ranging from its security track to Apple's Swift programming language and web development.