Security Experts:

Apple Failed to Properly Fix “Rootpipe” Bug in OS X: Researchers

Apple’s recent fix for the OS X privilege escalation vulnerability dubbed “rootpipe” isn’t effective, according to researchers.

The rootpipe vulnerability was reported to Apple last year by TrueSec security software engineer Emil Kvarnhammar. The security hole (CVE-2015-1130), which exists in OS X’s Admin framework, allows an attacker to gain root privileges. The hidden backdoor can be exploited by a local attacker, but it’s also possible to leverage the vulnerability remotely in combination with other remote code execution exploits.

Apple attempted to patch the flaw on April 8 with the release of OS X Yosemite 10.10.3. However, many people are displeased with the fact that the company decided not to address the vulnerability in older version of its operating system. Apple said it was not backporting the fix to older versions because of the substantial amount of changes required.

However, according to Patrick Wardle, director of research at Synack, not only older OS X versions remain vulnerable to rootpipe attacks. The expert says he has found a way to bypass Apple’s fix.

“I found a novel, yet trivial way for any local user to re-abuse rootpipe - even on a fully patched OS X 10.10.3 system,” Wardle wrote in a brief blog post.

The researcher has notified Apple and he says he’s not providing any technical details until the company releases a proper fix. However, he has published a short video to demonstrate that the attack still works.

Kvarnhammar said he initially believed that using entitlement checks to address the issue was a reasonable approach, but now he too has thought of a way to bypass the checks added by Apple in OS X 10.10.3.

Security researcher Pedro Vilaça (@osxreverser) noted on Twitter that there are several ways to bypass Apple’s roopipe fix. German researcher Stefan Esser (i0n1c), an expert in OS X/iOS security, believes that it’s unlikely that Apple will make another attempt at resolving the vulnerability any time soon.

It’s worth noting that it took Apple six months to release the first patch after being notified by Kvarnhammar.

As for the lack of a rootpipe patch for older versions of OS X, Vilaça believes the task is not as difficult as Apple claims. The expert says the company is acting irresponsibly by refusing to protect users of older versions of the operating system, especially since fully working exploits are publicly available.

Vilaça also pointed out in his blog post that a piece of malware had already been exploiting this vulnerability in 2014.

Kvarnhammar also hopes Apple will reconsider and release a patch for older versions as well. However, the expert believes the company is trying to invest a minimum amount of effort in older versions of OS X, and push users to the latest version.

“Fixing buffer overflows and similar is one thing (they usually back port that kind of issues), but fixing architectural issues like rootpipe will mean more work in dev and verification,” the researcher told SecurityWeek. “I think (and hope) Apple might be reconsidering, knowing that users of older versions are upset and that even low-privileged guest accounts on Mavericks can be used to exploit the issue and become root.”

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.