Mac OS X is often regarded as safer than Microsoft Windows, but that does not make it immune to vulnerabilities. German researcher Stefan Esser has disclosed a local privilege escalation vulnerability in OS X 10.10.x that lets an unprivileged local user obtain root. Esser describes the root cause as follows:
“Furthermore the opened log file is never closed and therefore its file descriptor is leaked into processes spawned by SUID binaries. This means child processes of SUID root processes can write to arbitrary files owned by the root user anywhere in the filesystem. This allows for easy privilege escalation in OS X 10.10.x,” Esser added.
Esser has published technical details on the vulnerability and explained how it can be exploited for full privilege escalation. He has also released a proof-of-concept (PoC) exploit that provides a local root shell.
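The mechanism Esser describes is ordinary Unix file-descriptor inheritance: a descriptor opened for writing by a privileged process that is not marked close-on-exec survives `execve()` into whatever the SUID binary spawns, so a child running as the unprivileged user can write through it to a root-owned file. The following C program, added here as an illustration and not taken from Esser's PoC or from Apple's dyld, shows the behaviour in the general case: it opens a scratch file (standing in for the leaked log file), spawns `/bin/sh` the way a SUID helper might, and checks whether the child could write through the inherited descriptor, with and without `FD_CLOEXEC`. The file path and the shell command are constructed for the demo.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Open a scratch file for writing (the stand-in for the "log file"),
 * optionally mark it close-on-exec, then fork and exec /bin/sh and ask
 * the child to write through the inherited descriptor number.
 * Returns 1 if the child's write reached the file (descriptor leaked),
 * 0 if the descriptor was closed across exec, -1 on setup error.
 */
static int fd_survives_exec(int close_on_exec)
{
    char path[] = "/tmp/fdleak_demo_XXXXXX";   /* constructed demo path */
    int fd = mkstemp(path);                     /* O_RDWR, no FD_CLOEXEC */
    if (fd < 0)
        return -1;

    if (close_on_exec) {
        /* Hardened variant: the kernel closes fd during execve(). */
        if (fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) {
            close(fd);
            unlink(path);
            return -1;
        }
    }

    /* The child does not know the path; it only needs the fd number. */
    char cmd[64];
    snprintf(cmd, sizeof cmd, "echo leaked >&%d 2>/dev/null", fd);

    pid_t pid = fork();
    if (pid < 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    if (pid == 0) {
        /* Child: exec a shell, as a SUID helper spawning a subprocess would. */
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }

    int status;
    waitpid(pid, &status, 0);

    /* Parent: did the child's write land in the file? */
    char buf[32] = {0};
    int leaked = 0;
    FILE *f = fopen(path, "r");
    if (f) {
        if (fgets(buf, sizeof buf, f) && strncmp(buf, "leaked", 6) == 0)
            leaked = 1;
        fclose(f);
    }
    close(fd);
    unlink(path);
    return leaked;
}

int main(void)
{
    printf("without FD_CLOEXEC: fd leaked to child = %d\n", fd_survives_exec(0));
    printf("with FD_CLOEXEC:    fd leaked to child = %d\n", fd_survives_exec(1));
    return 0;
}
```

Run as an ordinary user the first line reports 1 and the second 0. In the real attack the file is root-owned and the privileged process chose to open it for writing, so the unprivileged child does not need any permission on the path: the open descriptor already carries write access. The practitioner's check is the same in both directions: privileged code should open files with `O_CLOEXEC` (or set `FD_CLOEXEC` immediately), and code that spawns subprocesses after dropping privileges should not assume the descriptor table is clean.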
While Esser decided to take the full disclosure approach and not notify Apple before making his findings public, it appears this vulnerability was reported to the company months ago by the South Korean researcher known as “beist.”
However, Apple only fixed the flaw in the beta versions of OS X El Capitan 10.11, and not in the current OS X 10.10.4 or the beta version of OS X 10.10.5. OS X 10.11 is expected to be released in late September or early October.
Esser has pointed out that the local privilege escalation vulnerability also affects jailbroken iPhones running iOS 8.x.