A Tweet-Sized Exploit Can Get Root On OS X 10.10 130
vivaoporto writes: The Register reports a root-level privilege-escalation exploit that allows one to gain administrator-level privileges on an OS X Yosemite Mac using code so small that fits in a tweet.
The security bug, documented by iOS and OS X guru Stefan Esserwhich, can be exploited by malware and attackers to gain total control of the computer.
This flaw is present in the latest version of Yosemite, OS X 10.10.4, and the beta, version 10.10.5 but is already fixed in the preview beta of El Capitan (OS X 10.11) Speaking of exploits:
Reader trailrunner 7 notes that "HP’s Zero Day Initiative has released four new zero days in Internet Explorer that can lead to remote code execution."
Sarcasm... (Score:4, Insightful)
No, you're the one that's stupid, because you failed to see that the OP was being sarcastic.
Re: (Score:1)
See..... (Score:5, Funny)
Twitter is bad for you. At least if you're a Mac user.
Re: (Score:2)
Re:See..... (Score:4, Interesting)
I could not imagine a metrosexual urban hipster at burning man. lol. my favorite part about the event is that there are actual signs that say "no shirtcocking". it's ok to be clothed, it's ok to be naked, but to wear a shirt and no bottoms is creepy.
Re: (Score:2)
I've wondered about that... what about just wearing chaps & a stetson? :-)
Re: (Score:2)
I've wondered about that... what about just wearing chaps & a stetson? :-)
Aesthetically acceptable and there are probably camps that cater to your particular hobbies.
Re: (Score:2)
Meh. My "hobbies" at burning man involved doing the naked-bike-ride, drinking a lot, trying to avoid the dust and enjoying the art.
Re: (Score:2)
Butt-hurt hipster garbage detected !!
Re: (Score:2)
I believe it was a joke...
Funny-but-true: A buddy I work with tried that on a developer's MacBook Pro today. He wound up munging /etc/sudoers instead. Now they're currently trying to figure down how to get a live distro running that can mount Mac filesystems so they can fix that. It's kind of hilarious from my POV..
Overall, if you already have physical access to the box, it's game-over anyway, and given the astronomically tiny percentage of Macs running OSX 10.10, that has sshd running, and happens to be on
Re:See..... (Score:5, Informative)
Now they're currently trying to figure down how to get a live distro running that can mount Mac filesystems so they can fix that. It's kind of hilarious from my POV..
I thought Macs still supported target disk mode [wikipedia.org]. So all you have to do is boot holding T while it's connected via Firewire or Thunderbolt to another Mac/PC and its internal drive shows up as a disk drive.
I guess if they want to waste a day using the wrong tools, they can go ahead.
Re:See..... (Score:4, Informative)
You can also just boot from an OS X image, for example download the OS X installer extract the installESD.dmg file ( typing from memory but pretty sure that is the name ), install that to a USB drive and boot from it holding the option key when the computer starts up. ( again typing from memory might be command-option or the like ) In fact depending on the age of the computer it might already have a recovery partition that you can just boot directly from and then launch disk utility to mount the main partition and terminal to fix it.
Re: (Score:2)
That's a lot more trouble since you still need another working Mac and the other Mac is already unbooted anyway. I think maybe you started typing that thinking about OS X DVD media and realized how much trouble it really is now while you were typing that out.
Re: (Score:2)
Yeah booting from media is harder than it used to be, though single user mode and recovery partitions do most of it anyways. ( I actually run a netboot server myself, so just have to boot via network at worse. )
Re: (Score:2)
Re: (Score:2)
Now they're currently trying to figure down how to get a live distro running that can mount Mac filesystems so they can fix that. It's kind of hilarious from my POV..
I thought Macs still supported target disk mode [wikipedia.org]. So all you have to do is boot holding T while it's connected via Firewire or Thunderbolt to another Mac/PC and its internal drive shows up as a disk drive.
I guess if they want to waste a day using the wrong tools, they can go ahead.
They do. I thought it went away with FireWire; but it didn't. In fact, I think you can do it over WiFi, too, using AirDrop [apple.com]. That's exactly the way to do it. Just use another Mac.
Re: (Score:2)
Why not just use the root account and edit the sudoers file directly? Seems like fussing about with distros is a bit of yak shaving. Switch accounts, login as root. All my Macs have a root account with a passwd set, like something a sysadmin would do.... You do have a root account with a passwd set, don't you?!
Nearly zero Macs have login for root enabled. It's part of their security measures. You can do it; but almost no one ever does, instead relying on sudo to temporarily grant those privileges to those on the sudoers list.
Re: See..... (Score:1)
What worries me is that we're now using tweets as a measurement unit... peoole don't even know what an SMS is anymore nor why it was limited in characters to what it was.
Re: (Score:3)
The SMS size limit is different depending on the network/carrier. Tweets are a standard size (to hit the LCD of SMS carriers).
Re: (Score:1)
Twitter is bad for you. At least if you're a Mac user.
True as the average user has the attention span of a twitter user.
Esserwhich? (Score:3)
It's just Stefan Esser, as far as I've known for the last decade.
Misleading and Hyperbolic Title/Comparison (Score:5, Interesting)
Fact[0]: The code for this exploit could fit within a tweet (which is to say: 140 characters.)
Fact[1]: Despite referring to tweets and Twitter, this exploit can't occur via Twitter. The attacker already has to have local access.
A lot of security exploits could fit within a tweet, but I've never seen that comparison before. It misleads people into thinking that you can pwn a Mac via Twitter.
Re:Misleading and Hyperbolic Title/Comparison (Score:5, Funny)
A lot of security exploits could fit within a tweet, but I've never seen that comparison before.
You're right .. they should have specified it in pico Libraries of Congress. At least that's a unit of measurement that most people here would understand.
Re:Misleading and Hyperbolic Title/Comparison (Score:5, Funny)
You're right .. they should have specified it in pico Libraries of Congress. At least that's a unit of measurement that most people here would understand.
So says you. I'm working on a patch for ext4 right now to display file sizes in kilotweets, megatweets, and teratweets.
Re: (Score:2)
Re: (Score:2)
You're right .. they should have specified it in pico Libraries of Congress.
Bullshit - mopeds full of backup tapes is the new standard for that size range now.
Re:Misleading and Hyperbolic Title/Comparison (Score:4, Insightful)
Furthermore, local access pretty much is the end of the road anyway. Boot from the right CD with a custom filesystem that ignores HD filesystem permissions and yet allows you to set them any way you want, system is now wide open. Replace a few choice commands that you know are going to run, and bang, fully compromised. And that's just one of the many easy ways in to access as the system stands. You can also copy off the entire HD, or for that matter, erase it. Or both. You can compromise a command for a way in, copy an otherwise encrypted volume and walk off with it, break the encryption at your leisure, then use the previously installed compromise to get in and cause mayhem.
If you don't have physical security and there is any kind of local threat of compromise, you could become toast at any time. These kinds of "threats" are insignificant in the larger scheme of things. If you need local security, the only sufficient mechanism is to physically deny access to the computer.
Re: (Score:1)
Well it is a privilege escalation exploit. All you need to do is get a user to run code in their context either by using social engineering or some other exploit.
Many exploits don't have much room to work with and a very small privilege escalation routine can help the bad guys keep their payload size down, which is important.
Re:Misleading and Hyperbolic Title/Comparison (Score:5, Informative)
Well, that and get them to configure and launch sshd... it's off by default on OSX.
Re: (Score:2)
sshd doesn't need to be running to get a user to run code in their context by social engineering or some other exploit.
Re: (Score:2)
Re: (Score:2)
Seems like it is: "the attacker already has to have local access"
That's what I was working off of, anyway.
Network-imposed exploits are something else entirely.
Re: (Score:1)
""the attacker already has to have local access"
No they don't. They just need to get this line to run:
echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s
You don't have to have physical access to the computer. The line of code just needs to run and game over.
Re: (Score:3)
I do agree that it isn't a remote root shell hole, but it can be combined with something like the SSH brute force vulnerability or another attack that can execute shell commands as an unfettered user... and then the box is compromised.
The good thing is that Macs have functionality similar to SELinux as well as sandbox capabilities via the App Sandbox. This should be something used by all programs whenever possible, since it allows the OS to isolate the program from the rest of the filesystem and OS, helpin
Re: (Score:2)
Err, in order for an SSH brute force vuln to work against a Mac, sshd has to be on (it's not - you need to go to System Preferences -> Sharing, enable Remote Login, and then include the specific users in "Allow Access For..." )
Re: (Score:2)
Hopefully Apple can issue a fix in a short amount of time, because this is an easy exploit to use, and combined with something like a broken Java variant, could be used via the Web browser to hijack the entire box.
According to TFS, the exploit is already patched in betas of El Capitan, and according to TFA, there is already a patch available (albeit not from Apple itself) for Yosemite, where the vulnerability first appeared.
Re: (Score:2)
Cowardly AC here...
I personally find Apple actually on the ball when it comes to getting stuff fixed. MS was fast patching the font bug, but Apple hasn't been a slouch getting updates out either.
Now, if Apple could actually start trying to get their foot in the door in the enterprise, things would be interesting.
Yes, I hope that the ghost of the dear-departed Mr. Jobs doesn't prevent Mssr. Cook from seeing that.
Maybe even bring back a version of XServe, and (finally!) give OS X Server some much-needed love! I mean, FFS, it's a damned Certified UNIX OS! Just because it uses a different GUI and is closer to BSD than it is to Linux (no wars, please!!! I said "CLOSER"), and that parts are closed-source should be of no moment.
Re: (Score:2)
Except if you have SuperUser access, there are no sandboxes... Or did you not understand the definition of SuperUser?
Oh wait, you're defending them... of course you are.
Wrong. There are still Application sandboxes, regardless of the user's credentials. Some apps that need to have semi-permanent sudo permissions require you to login with them everytime you launch the app, or sometimes will store an Admin password that you supply one time.
And in the case of "root", pretty much NO Macs have the login for "root" enabled. So that's right out.
Re: (Score:2)
Re: (Score:2)
Furthermore, local access pretty much is the end of the road anyway.
Physical access is usually the end of the road. This exploit doesn't need that, it just needs shell access. Any exploit that allows execution of code in a user's own context can be escalated to root access by this exploit.
Re: (Score:2)
How do you get shell access on your average Mac without physical access? SSH isn't enabled by default as has been pointed out. In fact, it's been a real PITA to get the versions of OS X I've configured to play nice on the network for the command line. I doubt one user in a thousand has done it -- slashdot mac users not being significantly representative of the average mac users, of course. My macs have SSH available, but the port isn't open to the Intertubes outside of my LAN, so it doesn't concern me very
Re: (Score:2)
I hate to repeat myself, but: Any exploit that allows execution of code in a user's own context can be escalated to root access by this exploit.
So.. Your PDF reader has an exploit that allows code execution. Without the dyld bug, the PDF bug only allows code to execute in the user's context. With the dyld bug, the PDF bug can give itself passwordless sudo access, and execute shell commands as root.
Re: (Score:2)
Ah now I understand how it works. But we can count on Apple to have it fixed by the time El Capitan is out, which is in four months or so?
Re: (Score:2)
If you don't have physical security and there is any kind of local threat of compromise, you could become toast at any time. These kinds of "threats" are insignificant in the larger scheme of things. If you need local security, the only sufficient mechanism is to physically deny access to the computer.
And don't forget that pretty much ANY *NIX OS would fall prey to this type of exploit, right? Once you have physical access, pretty much all bets are off with a sufficiently-talented attacker.
Re: (Score:2)
Exactly so.
Are You Sure? (Score:3)
Local application access!
I'm still trying to determine if this would be effective JavaScript Shell [mozilla.org]
You just have to be able to set an environment variable no matter who you are and you're root. It's just a question if FireFox has its own "environment" or relies on an under-privileged UNIX account.
From what I can tell, this is a wide-open window. Huge, huge, flaw.
Re: (Score:3, Informative)
well considering the last exploit was related to special characters in a text message, it's reasonable that the person who didn't read the article would make that mistake.
But yes, you'd need to be at the box locally for this to be worrisome. I work at a university who's still in the process to migrating people from MAC to PC, so there's tons of apple tech on site, this bug would allow anyone, student, janitor, some dude of the street, to walk up to a machine, login as guest to view the web, then own root.
I
Re: (Score:3)
Or, you just need someone gullible to be at the box locally.
Given that we're talking about Apple products, it might be cause for concern.
Re: (Score:2)
But yes, you'd need to be at the box locally for this to be worrisome. I work at a university who's still in the process to migrating people from MAC to PC
Pray tell, how many executive-level blowjobs from the MS Reps. did THAT take?
Or did the student body unanimously vote to ditch OS X for the wonderful user experience that is The-Interface-Formerly-Known-As-Metro?
Re: (Score:2)
you'd need to be at the box locally for this to be worrisome
No, you wouldn't. On an unpatched box, this elevates any remote code execution bug into a remote root exploit.
Re: (Score:1)
I have an exploit that fits in a tweet, too... (Score:2)
A lot of security exploits could fit within a tweet, but I've never seen that comparison before. It misleads people into thinking that you can pwn a Mac via Twitter.
My exploit to load unsigned drivers on Windows 8, 8.1 and 10 even with Secure Boot enabled fits in the length of a tweet. I'll release it whenever WinPhone 10 comes out, probably.
Re: (Score:3)
"sudo rm -rf /" also fits in a tweet. It will even ask for the password which their exploit isn't capable of.
Re: (Score:2)
Uh... the exploit doesn't need to ask for a password. That's the point. Anyone who can execute any shell command can gain root privileges.
Re: (Score:2)
Yeah, sooome days.
In my defense, have you seen some of the explanations that people offered for how the exploit actually works? I didn't think it was that hard to understand, but man, dang.
Re: (Score:2)
Not everybody here is as computer savvy as you.
Re: (Score:1)
It misleads people into thinking that you can pwn a Mac via Twitter.
Challenge accepted!
Explains It (Score:2)
Lost control of my keyboard twice this week.
Discovered the Mac's firewall was down. But couldn't find any history on the keyboard getting redirected to remote address.
I was ready to chalk it up to a bad driver update by Apple, but I should probably assume I've been rooted.
Re:Explains It (Score:4, Insightful)
Is it a wireless keyboard? Could the um, batteries be going out? Or maybe Bluetooth interference?
I'm just not sure I'd jump straight from malfunctioning keyboard to rooted, even if my firewall wasn't up. Is your router even forwarding any ports to your Mac?
Re: (Score:2)
MacBook Pro -- integrated keyboard.
Happened twice: once after sitting idle for a few minutes with a web page open (did not enter sleep mode), the other on boot at the login screen.
The fact it happened on boot is what made me dismiss it as a possible update issue.
No ports being forwarded, but after seeing this anything that exposes a unix account and allows any environmental variable to be set (even one for the app's own private shell) would be able to core this apple. Redirecting a shell to a remote IP is
Re: But can it be a Tweet? (Score:5, Informative)
Re: But can it be a Tweet? (Score:5, Informative)
It's a hip way of saying small. He found that invoking DYLD_PRINT_TO_FILE runs as root, and as such can allow a user to write to /etc/sudoers, giving the user sudo privileges, letting them sudo to root.
echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s
He found that invoking DYLD_PRINT_TO_FILE runs as root, and as such can allow a user to write to /etc/sudoers, giving the user sudo privileges, letting them sudo to root.
echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s
Small correction. DYLD_PRINT_TO_FILE doesn't run as root, it just tells the dynamic library where to write error logs. The problem is it is accepted and used by child processes, even setuid ones, so by setting the environment variable, then calling sudo (which runs as root) with an invalid argument that will cause an error to be logged, he can create or append to any file on the machine he wants. He used the sudoers file for his example, but I am sure there are many other possibilities.
BTW, this is a similar exploit to the LD_LIBRARY_PATH exploit from many years ago where you could get a setuid program to use your dynamic library instead of the system one, thereby getting your code to run as root. It was fixed by having the loader check if the program uid doesn't equal euid and if so ignore the LD_LIBRARY_PATH variable. Apparently programmers at Apple are guilty of not learning from history and are therefore repeating it.
I still don't understand (Score:2)
That command is a riddle and, forgive me, but I think your explanation is wrong.
the final sudo -s is not there to create an error. it's a perfectly fine command and is that to just make you root on the spot.
I think a partial explanation of what goes on is this:
the first bin just creates the text you want to shove into the sudoers file. that's clear enough.
the pass to >&3 is saying send this text to file descriptor 3. This doesn't exist..yet...but it will shortly.
So how does the file open happen? We
Re: (Score:2)
newgrp [apple.com] doesn't exit it but executes a child shell which replaces the newgrp process. It's within shell that has access to file descriptor 3.
For why the file needs to have the same setuid is that is what the exploit takes advantage of, normally writing to a setuid file clears the setuid bit, but that doesn't happen if the writer is already root. Which means that using the exploit ( and some tricks to get out of append mode ) someone can turn a setuid file into any program that will run as root when it is lau
Re: (Score:2)
setuid is for executables. /etc/sudoers is root owned/readable but it's not executable, so there's no set UID on this file. I think the exploit you are describing is acutally another clever way to achieve a root priv escalation. using sudoers is more direct but also perhaps easier to detect.
Re: But can it be a Tweet? (Score:4, Informative)
When you run the example exploit command (simplified): /etc/sudoers open as file descriptor 3.
Your shell sets the DYLD_PRINT_TO_FILE variable.
Your shell executes newgrp. newgrp is SUID root.
As newgrp is initializing, the dynamic linker opens the value of DYLD_PRINT_TO_FILE (/etc/sudoers) for debug log output. It should check whether it is executing in a SUID context, but doesn't. It should also set the close-on-exec flag for that file, but it doesn't do that either. The log file is now file descriptor 3.
newgrp sets its uid and gids as appropriate for the calling user, and then starts a new shell. Because the close-on-exec flag wasn't set, the new shell still has
The new shell reads commands from stdin. In this case, it gets "echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3".
There is no more input, and the shell exits.
Your shell runs sudo. The sudoers file has been modified, and now says that you have the right to run all commands without being prompted for a password.
You get a root shell.
Please explain more (Score:3)
Reading the explanation here: https://www.sektioneins.de/en/... [sektioneins.de]
I don't fully understand how it works, but it seems to be more complex than what you just said. I suspect it depends on a parent process inheriting a child procesess setuid for accessing a file.
the bash script however is a riddle to me. I don't understand how the pipe to channel 3 ends up in the /etc/sudoers file. Where does channel 3 go. I suspect the newgrp statement is there to just be any process which does a setuid as root. Not sure.
Re: (Score:2)
newgrp is a setuid binary. During the startup of that process, if the vulnerable environment variable is set, dyld will open the requested file. Since stdin=0 / stdout=1 / stderr=2 should be the only open files, the next available file descriptor would be 3. So open() should give dyld that file descriptor.
newgrp will then drop it's privileges and run your shell, perhaps by calling exec() without forking another process. Since the file wasn't specified to close on exec, the shell will inherit the open file
Known vulnerability? (Score:4, Interesting)
Makes me wonder how many known vulnerabilities Microsoft / Apple / Google have on their buglist that will only be fixed when they become publicly known.
Re: (Score:2)
is that by luck or design?
We don't know. It's plausible that the code was cleaned up without considering the security aspects of the change.
Twit (Score:2, Insightful)
As small as a tweet and still too big to fit in the summary.
Negative (Score:5, Interesting)
Re: (Score:3)
Just tested this on my Mac in OS X -- grants root level access immediately.
Yup - even if you're a non-privileged user.
Since most people are running with administrator accounts (which is dumb), I thought that might've been necessary - but it worked from an account that didn't have sudo access.
Re: (Score:2)
It doesn't work for me, as I have sudo setup to require my Yubikey, but that'd be a small speedbump, since the same exploit could be used to change the /etc/pam.d/sudo config...
Re: (Score:2)
It also modifies your sudoers file, which you might want to modify back again once you're tried it out.
I mean, you probably know that, but other people who run it may not, and it does rather leave you wide open even if this exploit is one day fixed.
Re: (Score:2)
Unless Apple addresses this -- all Macs are wide open regardless.
But testing as "guest" or "nobody" would leave the system open without having to append the sudoers file first -- so agree: clean up after testing.
Oh ffs. (Score:5, Funny)
Well done. You realise that this story will be reported in tomorrow's Daily Mail as 'Twitter Steals Apple Users' Bank Details'?
Re: (Score:1)
Calm yourself. No one pays attention to Slashdot anymore. This isn't like a decade ago when /. was in the top 10 tech sites. Today it would fit somewhere between 1337warez123.ru and Bob's FTP Commands Cheatsheet on GeoCities.
Re: (Score:1)
Calm yourself. No one pays attention to Slashdot anymore. This isn't like a decade ago when /. was in the top 10 tech sites. Today it would fit somewhere between 1337warez123.ru and Bob's FTP Commands Cheatsheet on GeoCities.
Phil's CheatSheat on angel fire was sooo much better.
How the hell does this get into live software? (Score:1)
This is one of the stupidest security holes I have ever seen. Ever. How does a company with the resources of apple not spot this. Not even spot it, what kind of retard decides to implement something like this. Let's link a publicly modifiable ENV to a setuid system program and allow it to write wherever the fuck it want without authentication. Wut? Apple put on the dunce cap, we know your security is shit but this is way beyond ridiculous.
Re: (Score:1)
Re: How the hell does this get into live software? (Score:5, Interesting)
The bug is stupid. No doubt about that. But it's not quite as stupid as you think.
The bug is not actually in the setuid application, but it is in the system wide dynamic loader that is needed to execute the setuid application.
So, a naive programmer could be excused to think that they don't need to worry about security as it is not immediately obvious that the code executes with elevated privileges.
Of course a more seasoned developer should have noticed. It's not that difficult to spot, especially as dynamic loaders are known to have had security bugs before. I think even Linux was affected at one time.
Re: (Score:2)
I think even Linux was affected at one time.
Yes. The Linux dynamic linker had a list of environment variables that it cleared when executing in a SUID context, for security. A comma was removed from the list, which caused the compiler to concatenate two of the strings. The result was that neither of those two variables were cleared, and so "LD_PRELOAD" could be used to load a replacement shared library into a SUID binary.
Re: (Score:2)
You're welcome (Score:5, Informative)
Re:You're welcome (Score:5, Informative)
Some folks were asking how this works, so here goes:
newgrp is a UNIX utility that executes a shell with a new group ID (UNIX specification page: http://pubs.opengroup.org/onli... [opengroup.org]). This requires root permission since it can change the group ID to one outside the current shell's group list (e.g. to any group in the uid's group list). Therefore, newgrp is a setuid root application which launches a shell.
DYLD_PRINT_TO_FILE is a dyld (OS X dynamic linker) environment variable that tells dyld where to print debugging information. Ordinarily, dyld supports a large number of debugging options to facilitate debugging shared libraries and to allow neat tricks like DYLD_INSERT_LIBRARIES (equivalent to LD_PRELOAD on Linux). When dyld sees this environment variable, it opens a new file descriptor connected to the specified file. Since fds 0,1,2 are already connected to stdin, stdout and stderr, the file is opened as fd 3.
Notably, since newgrp starts as root, the file is opened using root's permissions, even though newgrp later drops privileges to spawn the shell.
Because DYLD_ environment variables can modify a program's behaviour in unexpected ways, they are usually deleted or sanitized prior to running setuid programs (because otherwise an unprivileged attacker could cause a setuid program to misbehave, exactly as in this exploit). Apple clearly forgot to sanitize the new DYLD_PRINT_TO_FILE when shipping Yosemite, opening this particular flaw up.
Finally, the (outer) echo command tells the subshell spawned by newgrp to execute the (inner) echo command, which outputs the string "$(whoami) ALL=(ALL) NOPASSWD:ALL" into fd 3, which (due to the DYLD_PRINT_TO_FILE variable) is /etc/sudoers. This line tells sudo that *any* account is allowed sudo access, and that no password is required to use sudo.
The subshell then exits (no more commands to run), and the final command "sudo -s" executes. Since sudo no longer requires a password, and all accounts can use sudo, "sudo -s" just immediately opens a root shell without prompting.
Re: (Score:2)
$(whoami) ALL=(ALL) NOPASSWD:ALL
It only grants the current user (result of `whoami`) full sudo access, not every account.
Re: (Score:2)
Apple clearly forgot to sanitize the new DYLD_PRINT_TO_FILE
They also forgot to set the close-on-exec flag for the file they open. If they had done that, then at least only the SUID application would be a target, instead of the SUID application and any child process.
which outputs the string "$(whoami) ALL=(ALL) NOPASSWD:ALL" into fd 3
Actually, $(whoami) will be executed and its output substituted by the shell. The username of the user will replace that string, so root access will be granted by sudo only to the user that runs the exploit, not to all users. This would give root access to all users:
echo 'echo "ALL ALL=(ALL) NOPASSWD:
What? (Score:1)
Re: (Score:2)
My security expert is Ron Jeremy and he disagrees.
Re: (Score:2)
Because there's never security holes in beta software...
Agreed, that statement from TFA is pretty stupid.
Re: (Score:2)
From TFA
"This flaw is present in the latest version of Yosemite, OS X 10.10.4, and the beta, version 10.10.5. If you upgrade to the El Capitan beta (OS X 10.11), you'll be free from the vulnerability as Apple has already fixed it in that preview beta. Once again, if you keep up with Cupertino and install (or buy) the very latest stuff, you'll be rewarded."
lolwhat? That statement is ridiculous. Since when unstable beta is considered keeping up with updates. Well unless "rewarded" is meant as synonym to pwned.
Because there's never security holes in beta software...
Agreed, that statement from TFA is pretty stupid.
The ridiculous part isn't the security holes in beta software. It's that the article assumes beta software is "the latest updates" or that you can get it pre-installed when you buy the latest hardware.