Security Experts:

Zero-Day Vulnerability in OS X Exploited in the Wild

An unpatched local privilege escalation vulnerability in Apple’s OS X operating system has been exploited by malicious actors to install adware and other suspicious applications on vulnerable computers.

The details of the security hole were disclosed two weeks ago by German researcher Stefan Esser. The expert had not notified Apple before making his findings public, but the company was aware of the issue because it was previously reported several months ago by the South Korean researcher known as “beist.”

Apple fixed the flaw in the beta versions of OS X El Capitan 10.11, but not in the current releases.

Researchers at antivirus firm Malwarebytes discovered an attack leveraging the vulnerability while analyzing a new adware installer. The attackers have been exploiting the flaw to modify “sudoers,” a hidden UNIX file that lists users authorized to run certain commands as other users.

By modifying the “sudoers” file, the attackers can execute their installer with root permissions without requiring victims to enter their password. The installer, named “VSInstaller,” is used to install the VSearch adware, the Genieo adware, and the controversial MacKeeper software.

Once this is done, the installer directs users to the Apple App Store page of the Download Shuttle file downloader app.

“Hopefully, this discovery will spur Apple to fix the issue more quickly,” Malwarebytes researchers said in a blog post.

The local privilege escalation vulnerability disclosed by Esser is related to DYLD_PRINT_TO_FILE, an environment variable that enables error logging to arbitrary files. The feature was introduced by Apple in OS X 10.10.

“When this variable was added the usual safeguards that are required when adding support for new environment variables to the dynamic linker have not been used. Therefore it is possible to use this new feature even with SUID root binaries. This is dangerous, because it allows to open or create arbitrary files owned by the root user anywhere in the file system,” Esser explained.

“Furthermore the opened log file is never closed and therefore its file descriptor is leaked into processes spawned by SUID binaries. This means child processes of SUID root processes can write to arbitrary files owned by the root user anywhere in the filesystem. This allows for easy privilege escalation in OS X 10.10.x,” Esser added.

The researcher has advised OS X users to install his SUIDGuard tool to protect themselves against potential attacks.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.