Another root hole in OS X. We know it, you know it, the bad people know it – and no patch exists

If you're using OS X Yosemite, watch out for malware exploiting a new way to take complete control of your Mac. A vulnerability has been found in Apple's operating system that allows ordinary software on the computer to gain all-powerful root privileges, allowing dodgy apps to install new programs, create users, delete users, …


  1. JLV

    So... Apple, here's your chance to look a little better than you have recently and actually patch appropriately and with alacrity on all OSX releases that are purportedly in at least security support mode (Mountain Lion according to Wikipedia).

    I.e., upgrading to El Capitan is not an appropriate security patching approach.

    1. Anonymous Coward
      Pint

      I think he's made a fine start and given the fact this is all in plain sight....

      Ahem. I've said it before but page 0 (Moto 68k vector table, relocatable on later 680x0's) on the Amiga with Commodore supplied, free, Enforcer software running tagged this crap. This ain't new technology Apple!

      Guess he can drink, Italy and all - - - >

    2. Charlie Clark Silver badge

      upgrading to El Capitan is not an appropriate security patching approach

      Especially as it's still in beta, ie. explicitly not designed for general use and with appropriate disclaimers.

      If someone can come up with a remote code exploit then I think there are good grounds for legal action as this sort of bug should have been caught by static code analysis. Has Apple got something like Coverity in use? I suspect it won't come to much: people still seem to be more than happy to hand their money over to Apple for the latest shiny, shiny.

  2. werdsmith Silver badge

    Todesco said he reported the bug to Apple's engineers, and went public on Sunday by uploading the exploit code to GitHub because he felt he "had to."

    "had to...., make a name for himself. "

    And why not. Good work by the lad, I think he'll go far.

    OSX, on the face of it, is becoming a bit of a colander of an OS, after years of trading on its robustness it's also approaching laughing stock status.

    1. Anonymous Coward

      Steve Jobs was good at marketing , enough said.

      1. Alan Brown Silver badge

        Perhaps Jobs was, but until ~2008 the best thing about advising users to use a Mac was that everything "Just Worked" with no fardling around required.

        Between the increasing number of severe bugs, high price, short hardware life (especially desktop systems) and the issue that successive versions of OS/X being steadily more broken as far as interoperability is concerned, that advice is no longer a good idea.

    2. Shades

      A classic case of trading on security through obscurity. Thanks to the dullards* that are forever posting pictures of Michael Kors watches, D&G accessories, bottles of "champagne" (that a French tramp would turn his nose up at) on a night out, and their latest car - you get the idea - the shiny is a little less obscure and the chickens are coming home to roost for Apple.

      *Otherwise known as Weekend Credit-Card Kings/Queens

      1. Dan 55 Silver badge

        The BSD part of OS X is quite robust, there's probably very few exploits if you stick to POSIX. The open source software they use in userland often takes a while to be updated, or they may stop updating it altogether if they don't like the licence (e.g. SMB when it changed to GPL3). Their own homespun libraries seem to be pretty poor.

    3. Anonymous Coward

      uploading the exploit code to GitHub because he felt he "had to."

      "Apple may not have noticed the post" is a poor excuse. He should have given Apple a sensible amount of time to fix it.

      The number of people who will know to install SUIDGuard or whatever will be minuscule compared to the number now at risk from this public flaw. i.e. 100% of black hats now know about the flaw, 0.00001% of potential victims. Still we should be genuinely grateful he didn't sell it to Hacking Team.

      1. slv138

        Re: uploading the exploit code to GitHub because he felt he "had to."

        "0.00001% of potential victims"

        Surely more than one of their customers must know?!

      2. Alan Brown Silver badge

        Re: uploading the exploit code to GitHub because he felt he "had to."

        "He should have given Apple a sensible amount of time to fix it."

        This kind of bug is trivial enough to find that the blackhats most likely already have it and severe enough that the world needs to know about it.

        There's a long history of vulnerabilities being passed to the authoring companies, which then ignore it for years. Apple is in that camp, as was Microsoft for a very long time.

        In such cases there is no point in giving them a notification period as they won't bother doing anything with it. There is _zero_ legal requirement anywhere in the world for researchers to provide a grace period - and when companies like Volkswagen take researchers to court to keep vulnerabilities under wraps instead of actually issuing fixes, there are strong arguments not to bother.

    4. JLV

      I agree. Good of him to find the bug, but he should have been responsible, notified Apple discreetly and given them some time to respond. Then the thing might have been patched before it became widespread knowledge to crackers.

      If Apple hadn't responded then they would have faced the additional charge of being slackers at acknowledging security disclosures. So even more of a feather in his hat, in a way.

      As it is, he may burn his rep with his approach. Whether you like Apple or not, this wouldn't be something cool to have done to your own OS of choice.

      And, agree with you and some other posters. It is frustrating that Apple fairly consistently manages to poke holes into a BSD, systems that are almost a byword for security robustness.

      In a way, I almost wish that they did get a massive actual breach, not just vulnerability, that would motivate them to actually take security a lot more seriously. And, also, shut the trap of my fellow fanbois customers who think that nothing can ever go wrong with a Mac. Way too complacent, both.

      MS's security, if not its reputation, actually benefited from the aftermath of some of the massive worms of the late 90s / early 00s, like Melissa and Blaster.

      1. admiraljkb

        @JLV - actually, given that this appears to be an open barn door security bug, I think he may have been right to disclose it immediately. He probably is NOT the first person to find it, and the other folks (à la govt's, black hats, and criminal orgs) that have found it have either started using it and managed to stay under the radar, or were keeping their powder dry waiting for a good opportunity.

        Something to keep in mind - how long did the exploits that allowed for Flame and Stux remain unpatched while they were surreptitiously used by different global spy agencies? Security researchers either didn't find them, or if they did, they were forced to keep quiet on it. From here on out for the white hats, immediate disclosure may actually be the best way to go, since you have to assume you aren't the first to discover it when there are some much better funded grey/black hats looking for this type of paydirt exploit. It also prevents gag orders and any NDA complications if you just disclose it immediately.

    5. anonymous boring coward Silver badge

      El Capitan is positively flying on my very old Mac Mini. Never felt more responsive. Seems very solid as well. Core 2 Duo.

    6. Sebby

      I don't think it was proper for him to disclose if he had intended to do the "Responsible" disclosure dance.

      But that's OK, because I believe in full disclosure anyway. Really, it's about time, else this industry isn't going to improve. And dealing with Apple security is a PITA, so yeah, he probably did himself and the world a favour, by exposing the increasing mediocrity and simultaneously saving himself a lot of headache.

      Notable is that many of these security holes are seemingly appearing in Apple's later (perhaps less well-tested) code, and are being fixed in subsequent (but beta) builds. The shiny-shiny is where all the work is going now. :(

  3. ratfox
    Paris Hilton

    My first reaction was also "How can it be possible to do something useful out of a NULL pointer?"

    Not that I'm knowledgeable about OS programming, but it seems unlikely that dereferencing a NULL pointer would have any legitimate use…

    1. Dan 55 Silver badge
      Boffin

      In C/C++, NULL is an address like any other, it's 0. What usually happens is that you can't dereference a NULL pointer (read the value at address 0) because that address is not mapped to any RAM so the CPU throws a segmentation fault and the OS stops the program. What most people forget is that this is NOT C/C++ stopping you shooting yourself in the foot, NULL is just a #define for 0.

      So as C/C++ doesn't stop you and if that address (or rather, the first 65536 addresses which is the first memory page) IS mapped to an area of RAM then you CAN dereference the NULL pointer. So if a badly-written OS or Kernel routine just merrily dereferences pointers without checking if they're NULL beforehand and you control the value at address 0 or you don't but it's random, then that can be used as part of an exploit.

      So what I guess happened is that the NULL pointer got passed to a kernel routine, when running in kernel mode the first page was mapped to an area of RAM, and the routine itself doesn't check for NULL pointers.

      Looking at the guy's blog by the way, it seems IOKit is a bit of cowboy job.

      1. Brewster's Angle Grinder Silver badge

        x86 code pages are typically 4KiB -- so it's only the first 4096 bytes that need to be mapped.

        And C++11 onwards has a genuine nullptr (of type std::nullptr_t) although it still ends up referencing address zero in any real situation.

      2. Someone Else Silver badge
        Facepalm

        @Dan 55

        Dan, you are, of course, correct. The main thing is how in the fscking world would any part of the 0 page be mapped? Any reasonable OS that manages memory mapping (including OSes found on low-level embedded devices, like VxWorks, eCos, etc.) maps the address space around address 0 to cause a seg fault (or whatever Windows calls it; Lord knows it couldn't call it the same thing the rest of the world calls it...). I guess that may exclude OSX from the set of "reasonable OSes"?

        1. Dan 55 Silver badge

          Re: @Dan 55

          I've had tonnes of segmentation faults on OS X so I guess the first page is mapped only when it's executing a kernel function, which is a bit of a failure in itself.

          I'm not sure why I thought a page on x86 was 64K... Probably a memory access error.

      3. AndrueC Silver badge
        Boffin

        In C/C++, NULL is an address like any other, it's 0. What usually happens is that you can't dereference a NULL pointer (read the value at address 0) because that address is not mapped to any RAM so the CPU throws a segmentation fault and the OS stops the program.

        If only it was that simple :)

        The reasons and mechanism for getting an exception varies by machine, by OS and whether or not you're talking about virtual address space, kernel address space or physical RAM address. I think you can read from address zero from user mode code on Windows, but not write to it. NB: I could be wrong there. I'm a C# developer these days so can't easily do a test.

        Also NULL is not always 0. The standard for modern C++ says it should be but in older systems it can be something else.

        http://stackoverflow.com/questions/2960496/why-is-null-0-an-illegal-memory-location-for-an-object

        The whole thing is rather murky and nutty. Thankfully with languages like C# and Java it's a lot less important than it used to be.

  4. Charlie Clark Silver badge

    Where not to publish exploits

    From GitHub's T&Cs

    You shall defend GitHub against any claim, demand, suit or proceeding made or brought against GitHub by a third-party alleging that Your Content, or Your use of the Service in violation of this Agreement, infringes or misappropriates the intellectual property rights of a third-party or violates applicable law…

    While this is a glaring exploit that Apple should fix as quickly as possible, publishing the source on GitHub is not the wisest action as GitHub will work hand-in-hand with "third-parties". Not sure if the exploit is covered by DMCA but I'm sure Apple's lawyers are sure to be able to find something and then you get to pay not only their costs but GitHub's as well.

    1. Anonymous Coward

      At least the patch lives in a better place

      I'm not sure why articles keep referring to the SUIDguard GitHub location whereas the simple clicky install DMG (properly signed) just lives on the guy's website*.

      Simple install, and it warns you properly upfront that, unlike other updates, this one needs a reboot as it's a kernel extension.

      I have emailed the author for a checksum on the SUIDGuardNG-106.dmg file, though, it pays to be cautious. I'll post it here if I receive an answer, but I imagine the guy's swamped right now.

      *: as far as I can check

      1. Anonymous Coward

        Patch checksum page

        This may be a better place to download SUIDguard from (just had an email from the author):

        https://www.suidguard.com/stories/download.html

        It also has the checksums listed.

        Cheers.

  5. Matthew 17

    will sound like a fanboi but...

    the last time one of these showed up it was patched in about 3 weeks from notification. This chap has just gone public straight away, not cool.

    Anyway it would be difficult to engineer this exploit to run the script automatically, I doubt anyone will encounter it in the wild and there will be another patch along shortly.

    1. Anonymous Coward

      Re: will sound like a fanboi but...

      there will be another patch along shortly.

      Just install SUIDGuard and you're OK as it addresses the issue at kernel level. I'm disappointed that Apple didn't pick that one up in their patch. Let's see how long it takes for this to get addressed - I agree with you that it is uncool to post an exploit without giving Apple a chance to address this.

  6. Anonymous Coward

    Problem? really?

    Like many Apple owners, my retina iMac is there to look good on my glass unibond desk, my iPad is my first-class cabin accessory du jour, my MacBook is for those few times I find myself in an artisan house of the bean and need to be seen typing something, and my iPhone is for being patronising to the nanny when she can't keep Eli and Ivorie (both named after a successful hunting trip in SA) controlled and away from me.

    So as I rarely need to actually switch any of this stuff on (indeed my iMac still hasn't got past asking me what language is best for me, even though it can hear me speaking loud and clear), security is rarely a problem. I think this is yet another example of the techies blowing something up out of all proportion for a grubby pay rise and I'm not fooled.

    1. Anonymous Coward

      Re: Problem? really?

      Like many Apple owners

      Sorry to fuel your jealous rage but I also have a Bentley with baby seal leather seats.*

      Speak for yourself. For me it's a tool that allows me to do my job with efficiency, and as a Windows convert I enjoy every day that I actually get work done instead of having to wait for yet another anti-virus update and security patch, and without having to fight a UI that is sold as innovation, but only qualifies as that if you're either very drunk, on very dangerous drugs or are a marketing droid trying to flog this stuff to the natives.

      In addition, I can run commercial tools which do not exist for a Linux desktop, and LibreOffice fills our office needs just fine.

      So, even with the current exposure I reckon we're still well up on a Windows platform, still run considerably less risk and still can get on with the day job.

      * No, I haven't. I like to go clubbing but we've run out of seals (to paraphrase Canadian comedian Stewart Francis).

    2. Roo
      Windows

      Re: Problem? really?

      That was a quality bit of satire, have an upvote.

    3. Charlie Clark Silver badge

      Re: Problem? really?

      I, too, very much enjoy working on MacOS. I don't, however, see why this means Apple can somehow afford to be so lax when it comes to patching software. This is why I don't trust them with the Posix stuff.

      This is the list that MacPorts presented me with this morning. I just wish that Apple did this for me.

      ---> Updating the ports tree

      The following installed ports are outdated:

      freetds 0.91.103_0 < 0.91.103_1

      gettext 0.19.5_0 < 0.19.5_1

      lame 3.99.5_0 < 3.99.5_1

      libedit 20140620-3.1_0 < 20140620-3.1_1

      llvm-3.5 3.5.2_4 < 3.5.2_5

      lzip 1.16_0 < 1.17_0

      nano 2.4.2_0 < 2.4.2_1

      ncurses 5.9_2 < 6.0_0

      python26 2.6.9_2 < 2.6.9_3

      python27 2.7.10_2 < 2.7.10_3

      python32 3.2.6_1 < 3.2.6_2

      python33 3.3.6_4 < 3.3.6_5

      python34 3.4.3_4 < 3.4.3_5

      python35 3.5.0rc1_0 < 3.5.0rc1_1

      readline 6.3.003_0 < 6.3.003_1

      texinfo 6.0_0 < 6.0_1

      1. Anonymous Coward

        Re: Problem? really?

        I don't, however, see why this means Apple can somehow afford to be so lax when it comes to patching software.

        I don't think they are lax - that myth is peddled every time it takes more than a New York minute to receive a patch after someone discovers a bug.

        For a start, if you're so desperate for a mitigation, one already exists (SUIDguard) so if it troubles you a lot, go and install this. In this context it is worth pointing out that the fact that it's BSD under the hood permits a heck of a lot of quick fixes if required. It took but 3 hours from Shellshock being published to someone writing an interim macports patch for bash - it's your choice if you want to install something like that from what is in essence a less trusted source (SUIDguard is at least properly signed).

        However, if you want the official patch you also have to accept that Apple has to test this so it doesn't do a Microsoft* when they roll this out globally, and that does take time. I must admit I find the constant whinging rather interesting because it doesn't seem to come from people that actually *use* OSX to get work done.

        * bork the system with a defective patch

  7. Unicornpiss
    Meh

    Using page zero...

    Has been done on the 65xx and 68xx (and beyond) processors since the mid 1970s. It was (and is) a useful way to extend a processor's registers to more than you would ever need. Not a new concept. Exploiting this... apparently not new either.

    But not to denigrate Apple or anyone else, when you have millions of lines of code and a rushed development schedule, any company is going to miss flaws, and no company can delay release for a year while they painstakingly test every possible avenue of exploitation. Not and remain relevant. So people can cry "They should have known!" over and over whether it's Apple, Android, MS, or any platform, but this is going to keep happening ad infinitum. It's how quickly and gracefully the vendors and partners react that we should be watching.

    1. Mephistro
      FAIL

      Re: Using page zero...

      Back then I wrote a few assembler programs both for MOS 6502 and Motorola 68000*. The dangers of misusing NULL pointers were well known back then, and palliative measures were described in most books regarding assembler programming. I seem to recall some big C programming books (K&R perhaps?) also discussed these issues.

      Finding this kind of FAIL in a modern OS is like learning that in some first world hospital the surgeons don't wash their hands before operating on patients.

      * Disclaimer: I haven't written a single line of assembler in almost ~30 years, so the situation may have changed, but still...

      1. Admiral Grace Hopper

        Re: Using page zero...

        Hefty dose of nostalgia at the mention of 6502 assembler, thank you. I rarely got that close to the metal again, but it was an excellent grounding in efficient programming practice.

        1. Anonymous Coward

          Re: Using page zero...

          Hah! Luxury! (etc).

          I was hand coding a 6303 in those days to mess around with the deeper code inside the PSION Organiser II. I never had any formal training in programming, so I sort of had to make things up as I got along, the whole idea of an assembler to write code was something I stumbled on *much* later :).

    2. Charlie Clark Silver badge

      Re: Using page zero...

      But not to denigrate Apple or anyone else, when you have millions of lines of code and a rushed development schedule…

      Let's extrapolate from your argument and substitute Boeing or Toyota for Apple and "thousands of rivets" for "lines of code". Do you think the argument still holds up? When the batteries in the 787 started to catch fire did Boeing say it was the pressure of time? Did Toyota say it "could have happened to anyone" when a fault in a pedal was discovered?

      It's not as if there aren't tools that can help find this kind of error. Sure, you can't expect to pick up every bug but what about the backports? This has been fixed in the beta, so it is known about, but the fix has not been backported.

      Liability in the software industry needs to get stricter. If something buggy gets released because some manager decided that testing could be skipped then the manager needs to be held accountable.

      1. tfoale

        Re: Using page zero...

        Null pointer dereferencing is one of the SANS Top 25 programming errors every organization should be catching.

    3. Anonymous Coward

      Re: Using page zero...

      In the 6502 architecture page zero accesses were faster than other pages, that is why back then this technique made sense. In the x86 architecture, there is no such faster access. In real mode, the lowest RAM addresses are used by interrupt vectors. In protected mode, they are addresses like everything else - after all they can be mapped anywhere in real RAM. Usually a good OS should not map addresses usually used by invalid pointers, so they will trigger a processor fault that can be caught and returned to the caller as an error/exception.

      The kernel may map some memory to fixed addresses for simplicity, but in doing so it needs to actively protect it, and avoid addresses that can be easily "spoofed".

    4. Anonymous Coward

      Re: Using page zero...

      "millions of lines of code and a rushed development schedule, any company is going to miss flaws"

      They can afford to slow down and do a proper job! Well in theory, the problem is too many script kiddie developers around nowadays....but there are a few tools that can help fill this gap.

      Not only that, but Apple and others need to be held accountable and prosecuted / sued for negligence if and when it arises.

      1. Alan Brown Silver badge

        Re: Using page zero...

        "the problem is too many script kiddie developers around nowadays"

        The $DIRECTOR at $DAYJOB describes it as "the kind of programming error made by children in bedrooms" and isn't afraid to say so to suppliers.

        They may get upset, but using that kind of term seems to sink in.

        Of course the largest flock of such people seem to work on large government projects and in telcos.

  8. Anonymous Coward

    OS X security?

    It's now clear that Macs' much-vaunted security advantages are simply down to their inconsequential market share rather than anything inherently superior about the operating system. Security through obscurity with nobody up till now bothering to waste their efforts focusing on such a small target.

    This is all the more lame considering Apple started with a clean slate, OS design-wise, at the beginning of the millennium.

    1. Anonymous Coward

      Re: OS X security?

      This is all the more lame considering Apple started with a clean slate, OS design-wise, at the beginning of the millennium.

      That "clean slate" was actually an operating system first released in the 1980s, and containing large quantities of code from the late 1970s. Unix -> BSD -> Mach -> NeXTSTEP.

      1. Anonymous Coward

        Re: OS X security?

        "That "clean slate" was actually an operating system first released in the 1980s, and containing large quantities of code from the late 1970s. Unix -> BSD -> Mach -> NeXTSTEP."

        Of course it's well known that OS X is derived from Unix. The point is Apple had the opportunity to start afresh but their eventual solution contained vulnerabilities that could've and should've been anticipated in the year 2000. Instead we got a deluge of hollow boasting in their marketing material about how Macs "just work" and never get viruses etc.

        1. Anonymous Coward

          Re: OS X security?

          Macs by and large do 'just work' and a security flaw != virus. But hey, you are another internet genius telling the world what should be done. Tit.

          1. Anonymous Coward

            Re: OS X security?

            "Mac's by and large do 'just work' and a security flaw != virus. But hey, you are another internet genius telling the world what should be done. Tit."

            I'm sure the average Joe Apple user will be mightily relieved that their Mac was attacked via an OS security vulnerability rather than a virus. You're arguing over semantics - the net result is the same to the user.

    2. Anonymous Coward

      Re: OS X security?

      It's now clear that Mac's much vaunted security advantages are simply down to their inconsequential market share rather than anything inherently superior about the operating system.

      Honestly, *please* put some effort into trolling. Use CAPITAL letters, or say "Bill Gates was right", swear, dream up some conspiracy theories, anything to make this more than a lame attempt to dump some uninformed comment. Please?

    3. Anonymous Coward

      Re: OS X security?

      Security through obscurity with nobody up till now bothering to waste their efforts focusing on such a small target.

      Yes, sure. That's why Apple is now clocking more money than the GDP of an average 3rd world country, but without the bribes. Dream on.

      1. genghis_uk

        Re: OS X security?

        I am not sure that profit is really the issue.

        According to stats on El Reg in June, OSX market share is roughly equivalent to Windows XP - way behind Win7 and even the well loved Win8.

        If you are going to target an exploit which would you aim for?

        1. Anonymous Coward

          Re: OS X security?

          I am not sure that profit is really the issue.

          According to stats on El Reg in June, OSX market share is roughly equivalent to Windows XP - way behind Win7 and even the well loved Win8.

          If you are going to target an exploit which would you aim for?

          I'm confused. You're saying that OSX isn't that prevalent (ergo less exposed/targeted), yet still berate it for not immediately releasing patches? I clearly need a lot more alcohol before I can follow that logic.

        2. TheVogon

          Re: OS X security?

          "If you are going to target an exploit which would you aim for?"

          OS-X - they have after all already demonstrated that they are rich and gullible by buying Apple!

          However I guess hackers can't yet be bothered with such a small market share.
