A hidden backdoor API in OS X, present in versions older than 10.10 and since patched by Apple, grants root access to a user with limited privileges and has been sitting in the operating system since at least 2011.
The vulnerability was patched in the latest round of security updates from the company on Wednesday, but because solving the problem (CVE-2015-1130, dubbed “rootpipe”) required a large number of changes, the fix has not been back-ported to builds 10.9.x and earlier.
In December 2014, the vulnerable OS X versions (10.9, 10.8 and 10.7) accounted for 43 percent of the platform’s install base. In the global OS context, in March 2015, revision 10.9 was still in use by 1.61 percent of the users.
Swedish security researcher Emil Kvarnhammar discovered the flaw in the Admin framework of Apple’s OS.
“The intention was probably to serve the ‘System Preferences’ app and systemsetup (command-line tool), but there is no access restriction. This means the API is accessible (through XPC) from any user process in the system,” Kvarnhammar said in a blog post.
Exploiting the hole requires physical access to the device, although it can also be leveraged remotely when combined with other remote code execution exploits.
The bug was privately disclosed to Apple in early October 2014, and later that month Kvarnhammar provided the exploit code to the company.
Apple made more than one attempt to eliminate the bug and was able to issue a proper fix only in OS X 10.10.3. The first release of the patch shipped in OS X 10.10.2, which proved to still be vulnerable.
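The version boundaries above (10.7 through 10.9.x vulnerable with no back-port, 10.10 through 10.10.2 vulnerable, 10.10.3 and later fixed) are what an administrator needs when checking a fleet. The following POSIX shell script is an added example, not code from the article, from Apple, or from the researcher; it classifies an OS X version string against those boundaries and, when run on a Mac, reads the installed version with `sw_vers -productVersion`. Versions below 10.7 are reported as not covered, since the article only states the bug has existed "since at least 2011".

```shell
#!/bin/sh
# Added example (not part of the original article): report rootpipe
# (CVE-2015-1130) fix status for an OS X version string.
# Assumed boundaries, taken from the article:
#   10.7  <= v < 10.10   vulnerable, no fix back-ported (upgrade to 10.10.3)
#   10.10 <= v < 10.10.3 vulnerable, update to 10.10.3
#   v >= 10.10.3         patched

# Turn "major.minor.patch" into one comparable integer; missing parts are 0.
version_key() {
  maj=$(printf '%s' "$1" | cut -d. -f1)
  min=$(printf '%s' "$1" | cut -d. -f2)
  pat=$(printf '%s' "$1" | cut -d. -f3)
  [ -n "$min" ] || min=0
  [ -n "$pat" ] || pat=0
  echo $(( maj * 1000000 + min * 1000 + pat ))
}

# Print the status for one version string.
rootpipe_status() {
  key=$(version_key "$1")
  if [ "$key" -ge "$(version_key 10.10.3)" ]; then
    echo "patched"
  elif [ "$key" -ge "$(version_key 10.10)" ]; then
    echo "vulnerable: update to 10.10.3"
  elif [ "$key" -ge "$(version_key 10.7)" ]; then
    echo "vulnerable: no fix back-ported, upgrade to 10.10.3"
  else
    echo "not covered by this advisory"
  fi
}

if command -v sw_vers >/dev/null 2>&1; then
  # On a Mac: check the installed version.
  v=$(sw_vers -productVersion)
  printf '%s: %s\n' "$v" "$(rootpipe_status "$v")"
else
  # Elsewhere: run over a constructed list of sample versions.
  for v in 10.6.8 10.7.5 10.9.5 10.10.2 10.10.3 10.11; do
    printf '%s: %s\n' "$v" "$(rootpipe_status "$v")"
  done
fi
```

Because the comparison is done on the whole version triple rather than on the string prefix, 10.10.2 is correctly reported as vulnerable and 10.10.3 as patched, which a naive `grep 10.10` check would get wrong.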
During the research, Kvarnhammar initially managed to elevate access rights to “root” only in the case of admin accounts. A “root” account has full control of the machine, with read and write permissions in any area of the system.
The root account is not listed in the Users & Groups, Users, or Accounts preferences, and it can be enabled only by someone with an administrator account, which most Mac users have because the computer’s admin is usually its operator.
However, Kvarnhammar managed to extend the exploit to regular accounts too, which have far fewer privileges on the system.
“But I actually found a way to make it work for all users later, which means that the exploit is no longer limited to admin accounts only. It is as simple as sending nil to authenticateUsingAuthorizationSync instead of using the result of [SFAuthorization authorization],” he said in the blog.