Rootpipe

Last updated

Rootpipe is a security vulnerability found in some versions of OS X that allows privilege escalation whereby a user with administrative rights, or a program executed by an administrative user, can obtain superuser (root) access. This is considered problematic as the first user account created under OS X is furnished with administrator rights by default. [1] By leveraging other security vulnerabilities on a system, such as an unpatched web browser, rootpipe could be used by an attacker to help gain complete control of the operating system. [1]

Emil Kvarnhammar of TrueSec, a security firm credited with the discovery, says that he found the vulnerability after several days of binary analysis. He recommends creating an account without administrative privileges to be used for normal everyday work and using FileVault. [1]

An older exploit for the same issue was later published on exploit-db, [2] suggesting the issue dates back to June 2010. It appears the exploit was used by the author during a presentation on Trusteer Rapport at 44con 2011. [3]

The vulnerability was reported to Apple Inc. in October 2014, [4] and has been reported as present in OS X versions 10.7.5, 10.8.2, 10.9.5 and 10.10.2. [5] OS X 10.10.3 was officially designated as patched by Apple, but Kvarnhammar (crediting Patrick Wardle) has blogged that the vulnerability is still present in that version. [6] [7] On 1 July 2015, Kvarnhammer noted that additional restrictions had been introduced in OS X 10.10.4, adding in a comment two days later that he believed the then-current versions of OS X 10.9 (with Security Update 2015-005) and 10.10 to be safe from the exploit. [8]

In November 2017, a similar vulnerability was revealed which allowed logging in as root with no password. [9]

Related Research Articles

<span class="mw-page-title-main">Exploit (computer security)</span> Compromising a computer system

An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic. Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service attack. In lay terms, some exploit is akin to a 'hack'.

Kerberos is a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client–server model, and it provides mutual authentication—both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.

<span class="mw-page-title-main">Safari (web browser)</span> Web browser by Apple

Safari is a graphical web browser developed by Apple. It is primarily based on open-source software, and mainly WebKit. It succeeded Netscape Navigator, Cyberdog and Internet Explorer for Mac as the default web browser for Macintosh computers. It is supported on macOS, iOS, and iPadOS; a Windows version was offered from 2007 to 2012.

<span class="mw-page-title-main">Rootkit</span> Software designed to enable access to unauthorized locations in a computer

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed and often masks its existence or the existence of other software. The term rootkit is a compound of "root" and the word "kit". The term "rootkit" has negative connotations through its association with malware.

In computing, the superuser is a special user account used for system administration. Depending on the operating system (OS), the actual name of this account might be root, administrator, admin or supervisor. In some cases, the actual name of the account is not the determining factor; on Unix-like systems, for example, the user with a user identifier (UID) of zero is the superuser, regardless of the name of that account; and in systems which implement a role based security model, any user with the role of superuser can carry out all actions of the superuser account. The principle of least privilege recommends that most users and applications run under an ordinary account to perform their work, as a superuser account is capable of making unrestricted, potentially adverse, system-wide changes.

<span class="mw-page-title-main">Privilege escalation</span> Gaining control of computer privileges beyond what is normally granted

Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.

sudo Command on Unix systems to temporarily assume root privileges

sudo is a program for Unix-like computer operating systems that enables users to run programs with the security privileges of another user, by default the superuser. It originally stood for "superuser do", as that was all it did, and it is its most common usage; however, the official Sudo project page lists it as "su do". The current Linux manual pages for su define it as "substitute user", making the correct meaning of sudo "substitute user, do", because sudo can run a command as other users as well.

Apple Open Directory is the LDAP directory service model implementation from Apple Inc. A directory service is software which stores and organizes information about a computer network's users and network resources and which allows network administrators to manage users' access to the resources.

A number of computer operating systems employ security features to help prevent malicious software from gaining sufficient privileges to compromise the computer system. Operating systems lacking such features, such as DOS, Windows implementations prior to Windows NT, CP/M-80, and all Mac operating systems prior to Mac OS X, had only one category of user who was allowed to do anything. With separate execution contexts it is possible for multiple users to store private files, for multiple users to use a computer at the same time, to protect the system against malicious users, and to protect the system against malicious programs. The first multi-user secure system was Multics, which began development in the 1960s; it wasn't until UNIX, BSD, Linux, and NT in the late 80s and early 90s that multi-tasking security contexts were brought to x86 consumer machines.

Przemysław Frasunek is a "white hat" hacker from Poland. He has been a frequent Bugtraq poster since late in the 1990s, noted for one of the first published successful software exploits for the format string bug class of attacks, just after the first exploit of the person using nickname tf8. Until that time the vulnerability was thought harmless.

<span class="mw-page-title-main">Pwnie Awards</span> Information security awards

The Pwnie Awards recognize both excellence and incompetence in the field of information security. Winners are selected by a committee of security industry professionals from nominations collected from the information security community. Nominees are announced yearly at Summercon, and the awards themselves are presented at the Black Hat Security Conference.

On Apple devices running iOS and iOS-based operating systems, jailbreaking is the use of a privilege escalation exploit to remove software restrictions imposed by the manufacturer. Typically it is done through a series of kernel patches. A jailbroken device permits root access within the operating system and provides the right to install software not available through the App Store. Different devices and versions are exploited with a variety of tools. Apple views jailbreaking as a violation of the end-user license agreement, and strongly cautions device owners not to try to achieve root access through the exploitation of vulnerabilities.

Apple ID is an authentication method used by Apple for iPhone, iPad, Mac and other Apple devices. Apple IDs contain the user's personal information and settings. When an Apple ID is used to log in to an Apple device, the device will automatically use the settings associated with the Apple ID.

iCloud Cloud storage and cloud computing service by Apple

iCloud is a cloud-storage and cloud-computing service from Apple Inc. launched on October 12, 2011. As of 2018, the service had an estimated 850 million users, up from 782 million users in 2016.

Gatekeeper is a security feature of the macOS operating system by Apple. It enforces code signing and verifies downloaded applications before allowing them to run, thereby reducing the likelihood of inadvertently executing malware. Gatekeeper builds upon File Quarantine, which was introduced in Mac OS X Leopard and expanded in Mac OS X Snow Leopard. The feature originated in version 10.7.3 of Mac OS X Lion as the command-line utility spctl. A graphical user interface was originally added in OS X Mountain Lion (10.8) but was backported to Lion with the 10.7.5 update.

The Java platform provides a number of features designed for improving the security of Java applications. This includes enforcing runtime constraints through the use of the Java Virtual Machine (JVM), a security manager that sandboxes untrusted code from the rest of the operating system, and a suite of security APIs that Java developers can utilise. Despite this, criticism has been directed at the programming language, and Oracle, due to an increase in malicious programs that revealed security vulnerabilities in the JVM, which were subsequently not properly addressed by Oracle in a timely manner.

Project Zero is a team of security analysts employed by Google tasked with finding zero-day vulnerabilities. It was announced on 15 July 2014.

<span class="mw-page-title-main">System Integrity Protection</span> Security feature by Apple

System Integrity Protection is a security feature of Apple's macOS operating system introduced in OS X El Capitan (2015). It comprises a number of mechanisms that are enforced by the kernel. A centerpiece is the protection of system-owned files and directories against modifications by processes without a specific "entitlement", even when executed by the root user or a user with root privileges (sudo).

<span class="mw-page-title-main">Dirty COW</span> Computer security vulnerability

Dirty COW is a computer security vulnerability for the Linux kernel that affected all Linux-based operating systems, including Android devices, that used older versions of the Linux kernel created before 2018. It is a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel's memory-management subsystem. Computers and devices that still use the older kernels remain vulnerable.

<span class="mw-page-title-main">Meltdown (security vulnerability)</span> Microprocessor security vulnerability

Meltdown is a hardware vulnerability affecting Intel x86 microprocessors, IBM POWER processors, and some ARM-based microprocessors. It allows a rogue process to read all memory, even when it is not authorized to do so.

References

  1. 1 2 3 Nadine Juliana Dressler (3 November 2014). "Achtung vor Rootpipe: Super-User-Rechte ohne Passwort am Mac".
  2. "Apple Mac OSX < 10.9/10 - Privilege Escalation". exploit-db. 13 April 2015.
  3. "Trusteer Rapport, Neil Kettle - 44CON 2011". youtube. 23 October 2011.
  4. "Swedish hacker finds 'serious' vulnerability in OS X Yosemite". Macworld. 31 October 2014.
  5. Fabian Scherschel (fab@ct.de) (2015-04-18). "Root-Lücke in OS X". C't. Heise. 2015 (10): 49.
  6. "OS X 10.10.3 still vulnerable". 21 April 2015.
  7. Krystle Vermes (21 April 2015). "Rootpipe continues: Former NSA staffer finds Mac vulnerability - Digital Trends". Digital Trends.
  8. "Exploiting rootpipe again". July 2015.
  9. "Apple rushes to fix major password bug". BBC News. 29 November 2017.