“Furthermore the opened log file is never closed and therefore its file descriptor is leaked into processes spawned by SUID binaries. This means child processes of SUID root processes can write to arbitrary files owned by the root user anywhere in the filesystem. This allows for easy privilege escalation in OS X 10.10.x,” Esser added.
Esser has published technical details on the vulnerability and explained how it can be exploited for full privilege escalation. He has also released a proof-of-concept (PoC) exploit that provides a local root shell.
While Esser decided to take the full disclosure approach and not notify Apple before making his findings public, it appears this vulnerability was reported to the company months ago by the South Korean researcher known as “beist.”
However, Apple only fixed the flaw in the beta versions of OS X El Capitan 10.11, and not in the current OS X 10.10.4 or the beta version of OS X 10.10.5. OS X 10.11 is expected to be released in late September or early October.
Esser has pointed out that the local privilege escalation vulnerability also affects jailbroken iPhones running iOS 8.x.
Facebook announced today it was pushing out some “query packs” on its code page that would enable IT folk to quickly look for signs of Hacking Team infection. These query packs form part of Facebook’s “osquery”, a free and open source framework that can be used to gather network data and quickly ask questions to uncover potential security threats. It’s part of the social network’s own security defences and was updated recently to protect against some critical Apple Mac and iPhone vulnerabilities.
Whilst query packs can be created to bunch specific, commonly-used sets of questions for datasets, Facebook has released a handful of its own, including ones related specifically to Apple Mac OS X machines. “The OS X-attacks pack has queries which identify known variants of malware, ranging from advanced persistent threats (APT) to adware and spyware. If a query in this pack produces results, a host in your Mac fleet is compromised with malware. This pack is high signal and should result in near-zero false positives,” said Javier Marcos, security engineer at Facebook, in a blog post, before noting that the query pack includes commands that seek out signs of Hacking Team infiltration.
Macs older than a year are vulnerable to exploits that remotely overwrite the firmware that boots up the machine, a feat that allows attackers to control vulnerable devices from the very first instruction.
The attack, according to a blog post published Friday by well-known OS X security researcher Pedro Vilaca, affects Macs shipped prior to the middle of 2014 that are allowed to go into sleep mode. He found a way to reflash a Mac’s BIOS using functionality contained in userland, which is the part of an operating system where installed applications and drivers are executed. By exploiting vulnerabilities such as those regularly found in Safari and other Web browsers, attackers can install malicious firmware that survives hard drive reformatting and reinstallation of the operating system.
The attack is more serious than the Thunderstrike proof-of-concept exploit that came to light late last year. While both exploits give attackers the same persistent and low-level control of a Mac, the new attack doesn’t require even brief physical access as Thunderstrike did. That means attackers half-way around the world may remotely exploit it.
“BIOS should not be updated from userland and they have certain protections that try to mitigate against this,” Vilaca wrote in an e-mail to Ars. “If BIOS are writable from userland then a rootkit can be installed into the BIOS. BIOS rootkits are more powerful than normal rootkits because they work at a lower level and can survive any machine reinstall and also BIOS updates.”
This is a particularly nasty exploit, not just because it allows a persistent backdoor but primarily because it can be done remotely. Generally, flashing a BIOS needs to be accomplished through physical access to the machine. This vulnerability allows attackers to remotely install the permanent backdoor into the BIOS, and such low-level rootkits are the worst type of malware.