Leveraging OS X Zero Day

Thursday, August 6, 2015 @ 09:08 AM gHale

Attackers are taking advantage of an Apple OS X operating system Zero Day to install adware and other applications.

The details of the security hole were released two weeks ago by German researcher Stefan Esser, who did not notify Apple before making the findings public; the company was, however, already aware of the issue because a South Korean researcher known as “beist” had reported it.

Apple fixed the local privilege escalation vulnerability in the beta versions of OS X El Capitan 10.11, but not in current releases.

Researchers at antivirus firm Malwarebytes discovered an attack leveraging the vulnerability while analyzing a new adware installer. The attackers have been exploiting the flaw to modify “sudoers,” a hidden UNIX file that lists users authorized to run certain commands as other users.

By modifying the “sudoers” file, attackers can execute their installer with root permissions without requiring victims to enter their password. The installer, named “VSInstaller,” installs VSearch adware, the Genieo adware, and the MacKeeper software.
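A defender's first check on a machine that ran such an installer is whether `/etc/sudoers` still matches the stock policy. The following audit script is an added example, not code from the article or from Malwarebytes: it parses the user-specification lines of a sudoers file and flags grants to principals other than the stock `root` and `%admin`, and any `NOPASSWD` grant. The sample file content is constructed and hypothetical.

```python
import re

# Constructed sample of a macOS /etc/sudoers: the stock entries plus one
# appended password-less grant (hypothetical content, not from the article).
SAMPLE_SUDOERS = """\
# sudoers file.
Defaults env_reset
Cmnd_Alias SHELLS = /bin/sh, /bin/zsh
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
ALL ALL=(ALL) NOPASSWD: ALL
"""

# Principals a stock macOS sudoers grants privileges to.
EXPECTED_PRINCIPALS = {"root", "%admin"}

# User spec:  who host=(runas) [TAG:]... command   (aliases/Defaults skipped)
USER_SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
TAG = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV)\s*:\s*")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

def parse_user_specs(text):
    """Return one dict per user-specification line (comments and aliases ignored)."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strips comments and #include lines
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        rest, tags = m.group("rest").strip(), []
        while (t := TAG.match(rest)):          # peel off leading tags like NOPASSWD:
            tags.append(t.group(1))
            rest = rest[t.end():]
        specs.append({"who": m.group("who"), "host": m.group("host"), "tags": tags,
                      "runas": m.group("runas") or "", "cmd": rest.strip(), "line": line})
    return specs

def audit_sudoers(text):
    """Return (line, reasons) for every entry that deviates from the stock policy."""
    findings = []
    for spec in parse_user_specs(text):
        reasons = []
        if spec["who"] not in EXPECTED_PRINCIPALS:
            reasons.append("unexpected principal %r" % spec["who"])
        if "NOPASSWD" in spec["tags"]:
            reasons.append("NOPASSWD grant")
        if reasons:
            findings.append((spec["line"], reasons))
    return findings

if __name__ == "__main__":
    for line, reasons in audit_sudoers(SAMPLE_SUDOERS):
        print(line, "->", "; ".join(reasons))
```

To audit a real system, pass the contents of `/etc/sudoers` (readable only as root) to `audit_sudoers`, and treat any finding alongside an unexpected file modification time as reason to inspect the machine further.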

Once this happens, the installer directs users to the Apple App Store page of the Download Shuttle file downloader app.

“Hopefully, this discovery will spur Apple to fix the issue more quickly,” Malwarebytes researchers said in a blog post.

The local privilege escalation vulnerability disclosed by Esser relates to DYLD_PRINT_TO_FILE, an environment variable that enables error logging to arbitrary files. Apple introduced this feature in OS X 10.10.

“When this variable was added, the usual safeguards that are required when adding support for new environment variables to the dynamic linker have not been used,” Esser said. “Therefore it is possible to use this new feature even with SUID root binaries. This is dangerous, because it allows opening or creating arbitrary files owned by the root user anywhere in the file system.”

“Furthermore, the opened log file is never closed and therefore its file descriptor is leaked into processes spawned by SUID binaries. This means child processes of SUID root processes can write to arbitrary files owned by the root user anywhere in the file system. This allows for easy privilege escalation in OS X 10.10.x,” Esser said.