Root Mac OS X yosemite with Local Privilege Escalation Vulnerability


New Local Privilege Escalation Vulnerability in Mac OSX Yosemite Discovered

A Critical Security Alert for macOS Users

A new vulnerability has been discovered in Mac OSX Yosemite (10.10.x), allowing attackers to gain full root privileges. The bug was identified by security researcher Stefan Esser and published on his blog.

The Vulnerability: DYLD_PRINT_TO_FILE

Apple recently added a new feature to the dynamic linker dyld, which enables error logging to an arbitrary file using the environment variable DYLD_PRINT_TO_FILE. While intended for debugging purposes, this feature poses a significant security risk.

How it Works

The DYLD_PRINT_TO_FILE environment variable lets an attacker make dyld create or open an arbitrary file in the filesystem. Furthermore, because dyld never closes the log file and does not open it with the close-on-exec flag, the open file descriptor is inherited by child processes of SUID binaries. This can be easily exploited for privilege escalation.

Exploitability

The exploitability of this vulnerability lies in its simplicity. With DYLD_PRINT_TO_FILE set, a SUID root binary can be made to create or open a root-owned file anywhere in the filesystem. Because the descriptor is inherited, the unprivileged child processes of that SUID root process can then write to the file, effectively gaining elevated privileges.
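The two sections above both hinge on one systems-programming detail: a file descriptor opened without O_CLOEXEC survives exec() and is therefore usable by whatever program the privileged process launches next. The following C program is an added example written for this article (it is not Stefan Esser's proof of concept and does not touch dyld or any SUID binary): it opens a scratch file with and without O_CLOEXEC, spawns /bin/sh as a child that tries to write through the inherited descriptor number, and reports whether the write landed. The scratch path under /tmp is constructed by the example via mkstemp.

```c
/* Added example, not code from the article or from dyld: shows why a log
 * descriptor opened without O_CLOEXEC leaks into child processes across
 * exec(), and that O_CLOEXEC is the fix. Runs on macOS and Linux. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Opens a scratch file (constructed path via mkstemp), optionally with
 * O_CLOEXEC, then execs /bin/sh as a child that writes "inherited" through
 * the numeric descriptor it would have inherited. Returns 1 if the child's
 * write reached the file (descriptor leaked across exec), 0 if the child
 * could not use it, -1 on setup failure. */
int child_can_write_log(int use_cloexec) {
    char path[] = "/tmp/dyld_demo_XXXXXX";   /* constructed scratch path */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    close(fd);

    /* The only difference between the leaky and the safe case is this flag. */
    int flags = O_WRONLY | O_TRUNC | (use_cloexec ? O_CLOEXEC : 0);
    fd = open(path, flags);
    if (fd < 0) { unlink(path); return -1; }

    /* The child does not get the path, only the descriptor number, exactly
     * like a child of a SUID process that inherited dyld's log descriptor.
     * With O_CLOEXEC the descriptor is closed at exec and ">&N" fails. */
    char cmd[80];
    snprintf(cmd, sizeof cmd, "echo inherited 2>/dev/null >&%d", fd);
    pid_t pid = fork();
    if (pid < 0) { close(fd); unlink(path); return -1; }
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    waitpid(pid, &status, 0);
    close(fd);

    /* Read back whatever the child managed to write. */
    char buf[32] = {0};
    FILE *f = fopen(path, "r");
    if (f) { fread(buf, 1, sizeof buf - 1, f); fclose(f); }
    unlink(path);
    return strncmp(buf, "inherited", 9) == 0;
}

int main(void) {
    printf("without O_CLOEXEC: child wrote to log file = %d\n", child_can_write_log(0));
    printf("with    O_CLOEXEC: child wrote to log file = %d\n", child_can_write_log(1));
    return 0;
}
```

Run it as an ordinary user: in the first case the child shell writes into the file it never opened, in the second the redirection fails because exec() closed the descriptor. That is the whole difference between the Yosemite dyld behaviour the article describes and a correctly written logger; any privileged program that opens files on behalf of untrusted input should open them with O_CLOEXEC (or set FD_CLOEXEC via fcntl) and close them as soon as logging is done.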

Proof of Concept and Fix

Security researcher Stefan Esser has released proof-of-concept exploit code in his blog post. Apple has since fixed this vulnerability in OS X 10.11 (El Capitan); Yosemite users can protect themselves with the SUIDGuard kernel extension, available on GitHub.

Important: Fix for Yosemite

To protect yourself against this vulnerability, please download and install the SUIDGuard kernel extension for Yosemite:

https://github.com/sektioneins/SUIDGuard
