A new local privilege escalation vulnerability in Mac OS X Yosemite, discovered by SektionEins researchers, allows an attacker to gain full root privileges. Security researcher Stefan Esser wrote about the bug on his blog.
According to the blog post: “Apple added some new features to the dynamic linker dyld. One of these features is the new environment variable DYLD_PRINT_TO_FILE that enables error logging to an arbitrary file. This new feature allows opening or creating arbitrary files owned by the root user anywhere in the file system. Furthermore the opened log file is never closed and therefore its file descriptor is leaked into processes spawned by SUID binaries. This means child processes of SUID root processes can write to arbitrary files owned by the root user anywhere in the filesystem. This allows for easy privilege escalation in OS X 10.10.x.”
It allows the creation or opening (for writing) of any file in the filesystem. Because the log file is never closed by dyld and is not opened with the close-on-exec flag, the open file descriptor is inherited by child processes of SUID binaries. This can be easily exploited for privilege escalation.
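The descriptor leak described above, and the close-on-exec flag that prevents it, as an added example that is not from the original post or from Esser's proof of concept. It uses a constructed temporary file in /tmp and /bin/sh as the exec'd child, not dyld or a SUID binary, and simply reports whether the child could write through the inherited descriptor.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open a "log file" the way a privileged process might, optionally mark it
 * close-on-exec, then exec a separate program (/bin/sh) as a child and try
 * to write through the inherited descriptor number from there.
 * Returns 1 if the child could write into the file (descriptor leaked),
 * 0 if the descriptor was closed across exec, -1 on setup error.
 * The file is a constructed temporary file, not a real dyld log. */
static int log_fd_leaks_to_child(int use_cloexec) {
    char path[] = "/tmp/dyld_demo_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    /* The mitigation: O_CLOEXEC at open time, or FD_CLOEXEC afterwards,
     * makes the kernel close the descriptor when the child calls exec. */
    if (use_cloexec && fcntl(fd, F_SETFD, FD_CLOEXEC) < 0) {
        close(fd); unlink(path); return -1;
    }
    pid_t pid = fork();
    if (pid < 0) { close(fd); unlink(path); return -1; }
    if (pid == 0) {
        /* Child: after exec, the shell is a new image that knows nothing
         * about the file; it only has the descriptor numbers it inherited. */
        char cmd[64];
        snprintf(cmd, sizeof cmd, "echo leaked >&%d", fd);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    /* Parent: read the file back to see whether the child's write landed. */
    char buf[16] = {0};
    ssize_t n = pread(fd, buf, sizeof buf - 1, 0);
    close(fd);
    unlink(path);
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127) return -1;
    return (n > 0 && strncmp(buf, "leaked", 6) == 0) ? 1 : 0;
}

int main(void) {
    printf("without close-on-exec: leaked=%d\n", log_fd_leaks_to_child(0));
    printf("with close-on-exec:    leaked=%d\n", log_fd_leaks_to_child(1));
    return 0;
}
```

The first call returns 1 (the exec'd child wrote into the file through the leaked descriptor); the second returns 0 because the kernel closed the descriptor at exec.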
The researcher also released proof-of-concept exploit code in his blog post.
Apple has fixed this vulnerability in OS X 10.11. For Yosemite users, SektionEins released a kext that stops the dynamic linker from recognizing any “DYLD_” environment variables for SUID root binaries.
Fix for Yosemite: https://github.com/sektioneins/SUIDGuard