Apple OSX Yosemite infested by nasty 'Rootpipe' vuln

A Swedish security researcher has turned up a serious vulnerability in OS X “Yosemite”, but details are to be withheld until January, giving Apple time to prepare a patch. The vuln was first described in mid-October, when Truesec posted a YouTube video (below) that sketchily described the existence of the bug. Truesec …

  1. Richard Jones 1

    OK Name an OS or Program That Does Not Have Holes as Yet Unfound and Patched

    Title says it really, a hole has been found in an area of code that appears to have been handed down through several generations of software. I suspect that you could delete the name of the OS and write the same account about almost every other OS. It is a pity that people do not realise that code can be highly complex and that errors or bugs will happen.

    The only issue in this case is that it is going to take a while to get resolved and that this could increase the chance of it being found by others and exploited. Sadly this is not the only case where a delay leaves a possible gate open but not only was it ever thus, I suspect that it will forever be.

    So please, no need for flame wars

    1. This post has been deleted by its author

    2. MyffyW Silver badge

      Re: OK Name an OS or Program That Does Not Have Holes as Yet Unfound and Patched

      Well said @Richard_Jones_1

      I'm no great fan of Apple, but I'll admit that what is needed is strength-in-depth defences and a recognition that whatever your pet OS you need to patch it regularly - when there is a patch.

      Vulnerabilities happen, it's how vendors, IT departments and users respond to them that is the measure of success.

    3. Destroy All Monsters Silver badge

      Re: OK Name an OS or Program That Does Not Have Holes as Yet Unfound and Patched

      It is a pity that people do not realise that code can be highly complex and that errors or bugs will happen.

      It is a pity that formal verification methods are still considered with suspicion by the unwashed masses who would rather hack a wheelchair then test it than specify a bicycle and generate it.

      1. Anonymous Coward

        Re: OK Name an OS or Program That Does Not Have Holes as Yet Unfound and Patched

        This. That's always been my methodology. Rather than hacking my way to perhaps success I did 90% of the work in the design phase and the keyboard time was just keying in, language independent.

    4. macjules

      Ok, for once I will give Apple credit ...

      Actually after installation of Yosemite it does tell you that you should enable FileVault, so I presume they were aware of the bug.

      My gripe is more about why Safari has now turned from 'the fastest browser' into a 'complete pos' and why I have to completely reset all sharing settings in order to get ATV to connect via Home Sharing.

    5. Anonymous Coward

      Re: OK Name an OS or Program That Does Not Have Holes as Yet Unfound and Patched

      " The vulnerability subverts the password requirements for someone to run sudo – that is, to access the shell as a superuser."

      SUDO itself is a big fat vulnerability waiting to happen. It is ridiculous that to elevate privileges by any amount you have to run a process with root / UID0 access to do it. It's about time that this was done via constrained delegation and granular ACLs as per VMS, Windows, most mainframe OSs, etc. etc...

  2. ElReg!comments!Pierre

    sudo without a password?

    Could be nasty and relatively easy to trigger: the mitigation advice suggests it happens when running as the default (root) account, which makes it easy to avoid for tech-savvy people; OTOH every single Mac user I know runs their computer under the first (and sole) account that exists on their machine... which if memory serves is root with a few warnings bolted on.

    I've been saying that for a while: shame on Apple for pulling a Microsoft and not forcing people to create an unprivileged user account for everyday use.

    {firing up the nearest Mac}

    1. Anonymous Coward

      Re: sudo without a password?

      but bad guys are too uncool and not hipster to attack fruit loop cases

    2. This post has been deleted by its author

    3. PJI

      Re: sudo without a password?

      While, admittedly, UNIX is my expertise and living, I do not recall the user's individual login, sole on the machine or not, being the super user login. I at least do not log in as root.

      sudo is there by default. sudo, in its basic manifestation, expects the user to enter his password to use it. If the user declines the Apple urging to set a password, just as on any other UNIX or Linux system, the best he gets is the need to type "sudo" or just tick the installation confirmation box. One could complain that this is a usability bug - should users be required, by the user set-up process, to specify a password of some minimum complexity if they want to enable sudo ("admin" account?). Does any other UNIX or UNIX-like system do so?

      Further, perhaps the default should restrict the commands allowed to sudo. Those who know what they are doing can change the configuration file or su(1) to root. A separate, administrator login will provide a thinking delay. But it may still be password-less and, being a nuisance, result in the average user being more lackadaisical about installing security updates when prompted.

      In any case, I come across even professional computer users who, having bought an Apple system, are unaware that it is BSD UNIX and has got a full UNIX shell command line interface and so, also, never type "sudo". I am sure that 99% of users hardly ever start the terminal emulator. But of course, the bug, if such there is, is still there for the malicious and able with access.
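On the suggestion above that the sudo defaults should restrict which commands are allowed rather than hand out root wholesale, here is an added audit script (not from the thread, and not Apple's or sudo's own code) that flags sudoers rules granting unrestricted or password-less root. It runs against a constructed sample file; on a real system you would point it at /etc/sudoers and /etc/sudoers.d/* after checking them with visudo -c.

```shell
# Added example (not from the thread): audit sudoers-style rules for
# unrestricted or password-less root. Aliases, #include and backslash
# continuation lines are not expanded; the sample below is constructed.

# audit_sudoers FILE: print one "LEVEL user reason" line per risky rule.
audit_sudoers() {
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*|Defaults*) continue ;;            # blanks, comments, options
        esac
        user=${line%%[[:space:]]*}                    # first field: user or %group
        if [ "$user" = root ]; then continue; fi      # root's own rule is expected
        spec=${line#*=}                               # after "=": (runas) [TAG:] cmds
        cmds=${spec#*\)}                              # drop the "(runas)" part
        cmds=${cmds##*:}                              # drop tags such as NOPASSWD:
        cmds=${cmds#"${cmds%%[![:space:]]*}"}         # trim leading whitespace
        case "$spec" in
            *NOPASSWD:*)
                if [ "$cmds" = ALL ]; then
                    printf 'HIGH %s password-less root for any command\n' "$user"
                else
                    printf 'MEDIUM %s password-less, limited to %s\n' "$user" "$cmds"
                fi ;;
            *)
                if [ "$cmds" = ALL ]; then
                    printf 'LOW %s any command, password required\n' "$user"
                fi ;;
        esac
    done < "$1"
}

# Constructed sample; a real audit reads /etc/sudoers and /etc/sudoers.d/*.
SAMPLE_SUDOERS=$(mktemp)
trap 'rm -f "$SAMPLE_SUDOERS"' EXIT
cat > "$SAMPLE_SUDOERS" <<'EOF'
# constructed sample sudoers, not a real system file
Defaults    env_reset
root        ALL=(ALL) ALL
%admin      ALL=(ALL) ALL
deploy      ALL=(ALL) NOPASSWD: ALL
backup      ALL=(root) NOPASSWD: /usr/bin/rsync
helpdesk    ALL=(root) /usr/sbin/lsof, /usr/bin/passwd
EOF

audit_sudoers "$SAMPLE_SUDOERS"
```

The sample yields three findings: the %admin "any command" default, the password-less unrestricted deploy rule, and the password-less but command-limited backup rule; the helpdesk rule, limited to two commands with a password, is not flagged.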

    4. EddieD

      Re: sudo without a password?

      I believe that since about Snow Leopard, if you haven't got a password on your account, sudo won't work. Dunno if this vulnerability bypasses this or not...

    5. Anonymous Coward

      Re: sudo without a password?

      The early installs of XP Home Edition had this problem. I came across multiple systems set up with multiple admin accounts: a recipe for utter chaos, unknowing parents thinking they have knowledgeable children... it is more like Trojan Horse children who have the innate ability to download as much free malware as they possibly can.

  3. Androgynous Cupboard Silver badge

    Hmm

    Would have been nice to see "ls -l ./rootpipe" - if it's a suid binary owned by root, I won't be so impressed.

  4. Anonymous Coward

    Ubuntu etc too?

    The way all these Apple-aping OSes use Sudo makes it easy to trick people into entering their passwords.

    1. macjules

      Re: Ubuntu etc too?

      Bit like those poor saps in 2001 who fell for the "hey look! Halflife is out for Mac! You can download it via sudo rm -rf on your home folder"!

      1. Anonymous Coward

        Re: Ubuntu etc too?

        I was thinking trojans, drive-by downloads, the sort of attacks that have been biting casual Windows users for 20 years.

        Downvoted?? Apparently I rattled the Ubuntu fanboy contingent, all 2 of them.

        1. Mark 65

          Re: Ubuntu etc too?

          Seems like there were 6 but one lost interest.

  5. Charlie Clark Silver badge

    Headline could be better

    Since it affects probably all versions of MacOS X. Hopefully Apple will have a fix in place before January because if this is remotely exploitable I can't see how they can hope to avoid liability when people are exploited. Though I suspect the attack vector will be some kind of payload where a user has to be active.

    I really don't like sudo. I usually run a separate shell as root to avoid the hassle. Yes, I know that's no safer; I would really prefer being able to run su. Do you get su if you set up an account without admin privileges?

    1. KroSha

      Re: Headline could be better

      No. Only admins are members of the sudo-ers group; regular users cannot access it. I run as a normal user for my day to day stuff. If I quickly need to do something as root, I fire up the Terminal, use the login command to change to my admin user and then sudo from there.

  6. DerekCurrie

    Is this just a rootkit that requires direct computer access? Can I yawn yet?

    Is this FUD or fact? Or is it merely a publicity stunt? Clearly, for now, this is FUD. Thanks for making us paranoid for potentially two months. :-P

    1. foo_bar_baz

      Re: Is this just a rootkit that requires direct computer access? Can I yawn yet?

      Who said it's a rootkit? You did.

      Let me spell it out: pri-vi-lege es-ca-la-tion. It's bad enough, in combination with a remote execution vuln in RandomPHPApp it means your server is botmeat.

      Our Reg article does say it appears to be remotely exploitable:

      "whether it's a purely-local exploit or remotely-exploitable, the advice he gives suggests the latter"

      Now you may faceslap yourself.

      1. Jerren

        Re: Is this just a rootkit that requires direct computer access? Can I yawn yet?

        Well said foo_bar!

        This is simply a privilege escalation exploit of a flaw in the OS; there are dozens of them out there in the Unix world, and it is not surprising that there is an old one in OSX, it's probably one that was ported over from BSD. It appears that you already need a shell to the box with an authenticated user in order to exploit it, not that hard, but it will require a bit of skill for someone to actually use it.

        For those complaining about waiting till January for a fix, it takes a long time to find, isolate and fix these types of problems and you want them to take their time so they don't spawn 2-3 more in the process. If you've never hacked a Linux kernel trust me it's not something you want to try to change and debug in a hurry... :-)

        The author is going to release the exploit at some point but is giving the vendor time to release a patch prior to its release; we call this "responsible disclosure". That's not to say someone may not find the bug and write an exploit in parallel, but at least he gets credit for finding it and promises not to let anyone see the code till after it's fixed. Personally, as a pen tester I applaud them for that, but I'm also sure it will show up in Metasploit one way or the other around Christmas...

  7. Anonymous Coward

    Description is not all that great

    Maybe that's deliberate, but is this somehow a hole in the Terminal app, or is it in sudo? If the former, it only affects Apple, if the latter it affects all Linux/Unix unless Apple-specific changes left it vulnerable?

    Either way, I can't really see how either a hole in the Terminal app or sudo could be remotely exploitable as the article author suggests it possibly could be.

    1. elip

      Re: Description is not all that great

      I would guess neither of these. Likely there's some pre-sudo shim Apple has thrown into the mix to meet some wacky need to pacify their GUI madness. Just a guess. :-)

  8. Vector

    Really? January!?

    While I understand that a permanent (and elegant) fix may take this long, surely a quick fix of some sort could be cobbled together much sooner while that more permanent solution is developed.

    Even if the details aren't released by this researcher, I'm quite sure that he's not the only person smart enough to uncover it, particularly now that the flare that something exists has gone up.

    1. Anonymous Coward

      Re: Really? January!?

      The article states 'but details are to be withheld until January, giving Apple time to prepare a patch.'

      It doesn't say that Apple will not patch until January

  9. Henry Wertz 1 Gold badge

    What I'm interested in...

    What I'm interested in is how quickly Apple gets the patches out. The researcher has agreed to withhold public disclosure *until* January, but hopefully Apple could patch something like this quite a bit quicker than that.
