Serious security flaw in Apple’s Mac OS X Yosemite ‘Rootpipe’The ‘Rootpipe’ vulnerabilityWhite Hat hackingApple’s Response
— Emil Kvarnhammar (@emilkvarnhammar) October 16, 2014
The ‘Rootpipe’ vulnerability
An unknown security flaw in Apple’s operating system can allow hackers to take control of your computer. The backdoor has the working title ”RootPipe” – and was discovered by chance. Millions of Apple computers worldwide may be affected. Hackers can gain the highest possible access over your computer. Then they are free to install software or make changes to your system – without you noticing anything. This can lead to your passwords, pictures, emails or bank account information getting hijacked.
White Hat hacking
Emil found the vulnerability by accident or so he claims, “It all started when I was preparing for two security events, one in Stockholm and one in Malmö,” Emil says. “I wanted to show a flaw in Mac OS X, but relatively few have been published. There are a few ‘proof of concepts’ online, but the latest I found affected the older 10.8.5 version of OS X. I couldn’t find anything similar for 10.9 or 10.10.” Mac users tend to keep their OS more up to date than Windows users, he says, and he wanted to find a vulnerability that would affect current users, so he started digging around in the newer versions of OS X. “I started looking at the admin operations and found a way to create a shell with root privileges,” he says. “It took a few days of binary analysis to find the flaw, and I was pretty surprised when I found it.” He tested the vulnerability on version 10.8.5 of the OS and got it to work, he says. Then he tried on 10.9 but with no luck. “I was a bit dejected but continued to investigate,” Emil said. “There were a few small differences [in later releases] but the architecture was the same. With a few modifications I was able to use the vulnerability in the latest Mac OS X, version 10.10.” When he’s trying to find vulnerabilities in an OS, he said, he tries to get a feel for how the developer was thinking. In this case, Apple had migrated and moved some functions, but basically the same flaws remained. “Normally there are ‘sudo’ password requirements, which work as a barrier, so the admin can’t gain root access without entering the correct password. However, rootpipe circumvents this,” he says.
Apple’s Response
When Emil contacted Apple about the vulnerability he says, he was initially met with silence. However there was a flurry of correspondence with Apple asking for more details. After these details were sent, Apple asked TrueSec and Emil not to disclose until next January, which in essence means that the flaw exists unless Apple comes out with a statement denying that. Emil said, “The current agreement with Apple is to disclose all details in mid-January 2015. This might sound like a long wait, but hey, time flies. It’s important that they have time to patch, and that the patch is available for some time.” When asked by TechWorld Sweden about the vulnerability and specifics of the PoC, Emil cited the confidentiality clause with Apple, “I can’t get into that too much; I’ll get back to you when we can provide more information.” Meanwhile, he reported the issue to US-CERT, which may issue a advisory if it find the flaw ‘serious’. Meanwhile here is a video of his initial findings released by Emil :