OS X Yosemite Still Vulnerable to Rootpipe Attacks
Posted by Derek Erwin
Have you ever seen the movie The Replacements? There’s a memorable quote from Shane Falco, played by Keanu Reeves, and I can’t help but imagine Apple must feel like it’s in a similar predicament: stuck in quicksand, fighting to get out, and nothing it does is working.
“[Y]ou think everything is going fine. Then one thing goes wrong. And then another. And another. You try to fight back, but the harder you fight, the deeper you sink. Until you can’t move… you can’t breathe… because you’re in over your head. Like quicksand.”
Earlier this month, Apple claimed to have fixed the Rootpipe flaw—albeit only for OS X 10.10.3; Apple has no plans to patch older Macs (pre-Yosemite).
Yet for the Mac users Apple hadn’t snubbed, well, as Forbes’ Thomas Fox-Brewster reported, “Apple botched the patch anyway, so all Mac machines remain vulnerable to Rootpipe attacks.”
Say what?
Patrick Wardle, the director of research at Synack, was on a flight home when, much to his surprise, he found it was still possible to exploit the Rootpipe flaw on a “fully patched” OS X 10.10.3 platform.
This means Apple’s recently released patch for the Rootpipe vulnerability (CVE-2015-1130) in OS X Yosemite 10.10.3 fails to resolve the underlying issue—all Mac OS X systems remain vulnerable to attack.
On his blog, Wardle said, “[O]n my flight back from presenting at Infiltrate (amazing conference btw), I found a novel, yet trivial way for any local user to re-abuse rootpipe – even on a fully patched OS X 10.10.3 system.” He also created a video as evidence that Rootpipe is still exploitable on a fully patched OS X 10.10.3 installation.
The good news is that Patrick believes in responsible disclosure, and, at this time, won’t be providing technical details of how to exploit the vulnerability.
The ball is back in Apple’s court.
While the security world awaits Apple’s response, it’s worth noting that malware from 2014 was already exploiting this vulnerability. The XSLCmd malware contains exploit code for both Mavericks and older OS X versions, and uses the exploit to activate the Accessibility API (hat tip to @osxreverser). Intego VirusBarrier detects this threat as OSX/XSLCmd.