
maflynn

macrumors Haswell
May 3, 2009
73,682
43,740
It's an actual vulnerability if you just google OS X Rootpipe. All the articles are dated Nov 2014. So two things may be surmised: it was a flash-in-the-pan type of hysteria, i.e., it made major news, then people got bored with it because it wasn't that feasible, or Apple patched it. I'm inclined to believe the latter, though I failed to see anything on Google about Apple addressing it.

The vulnerability is such that it does not appear to allow people to escalate their privileges remotely, so someone has to be at the desk, so I'd think in the world of security it may not be the most important, but to be honest, I haven't read up on it that much.
 

Tucom

Cancelled
Original poster
Jul 29, 2006
1,252
312
It's an actual vulnerability if you just google OS X Rootpipe. All the articles are dated Nov 2014. So two things may be surmised: it was a flash-in-the-pan type of hysteria, i.e., it made major news, then people got bored with it because it wasn't that feasible, or Apple patched it. I'm inclined to believe the latter, though I failed to see anything on Google about Apple addressing it.

The vulnerability is such that it does not appear to allow people to escalate their privileges remotely, so someone has to be at the desk, so I'd think in the world of security it may not be the most important, but to be honest, I haven't read up on it that much.


Thanks for the reply. Yeah that's how I came across this article. As for Apple patching it, as I just read on Apple's own forums, we most likely would have heard something about it either from the hacker himself or Apple letting us know that the vulnerability has been patched. So I highly doubt it has been, but I hope I'm wrong.
 

simonsi

Contributor
Jan 3, 2014
4,851
735
Auckland
It's a real vulnerability, but in the real world you need to already have a compromised machine, in that you need:

An admin account AND
Remote access or local (physical) access.

If someone already has remote access into an Admin account on your machine then them escalating that access to root is, frankly, the least of your problems.

This vulnerability cannot escalate a user account to admin, nor can it create a remote access route where none exists.

So I'd go with the "temporary hysteria" theory...
 

Tucom

Cancelled
Original poster
Jul 29, 2006
1,252
312
It's a real vulnerability, but in the real world you need to already have a compromised machine, in that you need:

An admin account AND
Remote access or local (physical) access.

If someone already has remote access into an Admin account on your machine then them escalating that access to root is, frankly, the least of your problems.

This vulnerability cannot escalate a user account to admin, nor can it create a remote access route where none exists.

So I'd go with the "temporary hysteria" theory...

Problematic still, and should still be patched ASAP by Apple.

I just wonder how much of an issue it would be for a user who runs a regular Admin account, and what real-world risk is associated with that?

Do you know if it would be advisable to, at least until this gets patched, run a non-Admin account, or is there really no need to worry?

And you say "remote access route where none exists" - just curious what you mean by that, could you explain further? Unless you mean if no remote access is already established and you happen to run across this Rootpipe vulnerability on your Mac, then there's nothing it can really do? I'm honestly curious about this whole thing, and security of OS's in general.
 

simonsi

Contributor
Jan 3, 2014
4,851
735
Auckland
Problematic still, and should still be patched ASAP by Apple.

And you say "remote access route where none exists" - just curious what you mean by that, could you explain further? Unless you mean if no remote access is already established and you happen to run across this Rootpipe vulnerability on your Mac, then there's nothing it can really do? I'm honestly curious about this whole thing, and security of OS's in general.

Apple will patch it, may have done so, may or may not announce when they have done so.

The exploit raises the permissions of an existing Admin account on your machine to Root. You can do this any time by command and you won't "run across it" accidentally.

For a hostile party to exploit it they must compromise an existing Admin account, either by accessing it on your keyboard, or by creating or compromising an existing remote login to an Admin account on your machine.

So if you don't leave your machine unattended and unsecured, you don't give out your Admin account password, and don't run an unsecured remote access facility then you have little to worry about.

The point I was making was that if someone has compromised a remote access method onto your machine then they can do enormous damage to YOU without worrying about this exploit, that is only useful if they want to do something with your machine.
 

Tucom

Cancelled
Original poster
Jul 29, 2006
1,252
312
Apple will patch it, may have done so, may or may not announce when they have done so.

But again, if it were patched already we probably would have heard about it by now from either Apple themselves, or if not Apple, then most likely from the hacker/security tech himself. Again, I hope I'm wrong and I hope that it has been patched already.

The exploit raises the permissions of an existing Admin account on your machine to Root. You can do this any time by command and you won't "run across it" accidentally.

I know there's sudo. Regarding not running across it accidentally, how would you know if your Admin account has been escalated then, like what would make it obvious if you're dealing with this Rootpipe issue or anything else similar with mal intent?

For a hostile party to exploit it they must compromise an existing Admin account, either by accessing it on your keyboard, or by creating or compromising an existing remote login to an Admin account on your machine.

Is there a way to totally disable any remote login APIs or frameworks or anything relating to it?

The point I was making was that if someone has compromised a remote access method onto your machine then they can do enormous damage to YOU without worrying about this exploit, that is only useful if they want to do something with your machine.

Yeah, that's what I figured you meant, but what kind of damage? Personal info, keylogs and thus further bank account info etc., stuff like that, without "having to worry about this exploit"?
 

simonsi

Contributor
Jan 3, 2014
4,851
735
Auckland
how would you know if your Admin account has been escalated then, like what would make it obvious if you're dealing with this Rootpipe issue or anything else similar with mal intent?

If it has been escalated then it is already too late, depending on what intent the attack had. Remember nothing has been seen in the wild about this; the vulnerability is there, but it is only a permissions-escalating exploit. <why> someone would use it and what they would do with the access if they had it is unknown and may vary wildly from attack to attack. It is a bit like losing your front door key to a criminal: what kind of harm might be done depends on the criminal, not on how you lost your key.

Is there a way to totally disable any remote login APIs or frameworks or anything relating to it?

Probably not if you still want remote access to your machine (e.g. via BacktoMyMac or Teamviewer etc). Best IMHO to run Little Snitch and check what is trying to send data to/from your machine and block/allow on that basis.

Yeah, that's what I figured you meant, but what kind of damage? Personal info, keylogs and thus further bank account info etc., stuff like that, without "having to worry about this exploit"?

See above, depends on what they want to achieve. No examples to date have been seen in real usage. TBH much easier to harvest via phishing email than to use this exploit.
 

Tucom

Cancelled
Original poster
Jul 29, 2006
1,252
312

If it has been escalated then it is already too late, depending on what intent the attack had. Remember nothing has been seen in the wild about this; the vulnerability is there, but it is only a permissions-escalating exploit. <why> someone would use it and what they would do with the access if they had it is unknown and may vary wildly from attack to attack. It is a bit like losing your front door key to a criminal: what kind of harm might be done depends on the criminal, not on how you lost your key.

But in case it isn't obvious, is there any way at all to tell if you've been compromised like this?

Thank you man for all this info, I'm still learning quite a bit about the in depth of OS security, always new things to learn.
 

simonsi

Contributor
Jan 3, 2014
4,851
735
Auckland
But in case it isn't obvious, is there any way at all to tell if you've been compromised like this?

No idea, you are speculating about something that hasn't been seen yet.

With such an attack the perp could cover their tracks with ease so maybe you wouldn't ever know...
 

Tucom

Cancelled
Original poster
Jul 29, 2006
1,252
312
No idea, you are speculating about something that hasn't been seen yet.

With such an attack the perp could cover their tracks with ease so maybe you wouldn't ever know...

Ok, well given what you mentioned about the prerequisites needed to accomplish such an attack I guess there's really nothing to worry about?

Also, just curious, if it hasn't been seen yet, how do you know they could cover their tracks "with ease" ?


May look into shutting ports down as I could care less about remotely interacting with my Macs. One Mac is already non-Admin, but may go ahead and just go Admin, IDK. Do you run your accounts as Admin or non-Admin and why, if you don't mind me asking?
 

simonsi

Contributor
Jan 3, 2014
4,851
735
Auckland
Also, just curious, if it hasn't been seen yet, how do you know they could cover their tracks "with ease" ?

Because with root access you can pretty much replace or rewrite any log file you choose...

I run my account as Admin with a strong password as one layer of security, Gatekeeper set to Trusted Developers and I practice safe computing habits...among other things.
 
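An added example (shell; not code from any post in this thread) for the two questions above: how you might tell after the fact, and why on-box logs are not what to rely on once root has been obtained. It assumes a generic artefact of local privilege escalation, a setuid executable that was not there before, rather than anything the thread documents about Rootpipe specifically; the point made above about rewriting log files is why the baseline is written somewhere the machine itself cannot alter. The script name `setuid_check.sh` in the usage comment is a placeholder.

```sh
#!/bin/sh
# Added example, not code from the thread. Generic check for one artefact of a
# completed root escalation: a setuid executable that was not there before.
# Assumption: this is a common leftover of local privilege-escalation tooling
# in general, not a documented Rootpipe indicator. Because root can rewrite
# anything on the box (the point made above about log files), keep the
# baseline on external media or another host and prefer scanning from a
# trusted boot.

# list_setuid DIR [REF]: print setuid files under DIR (same filesystem only);
# with REF, only those modified more recently than the file REF.
list_setuid() {
  if [ -n "$2" ]; then
    find "$1" -xdev -type f -perm -4000 -newer "$2" 2>/dev/null
  else
    find "$1" -xdev -type f -perm -4000 2>/dev/null
  fi
}

# count_setuid DIR [REF]: number of matches, as a bare integer.
count_setuid() {
  list_setuid "$@" | wc -l | tr -d ' '
}

# setuid_not_in_baseline BASELINE DIR: setuid files under DIR that are absent
# from BASELINE (one path per line, produced by list_setuid at a trusted time).
setuid_not_in_baseline() {
  tmp=$(mktemp) || return 1
  list_setuid "$2" | sort >"$tmp"
  sort "$1" | comm -23 "$tmp" -
  rm -f "$tmp"
}

# Usage on the Mac, as root (setuid_check.sh is a placeholder file name):
#   sudo sh setuid_check.sh baseline /Volumes/USB/setuid.baseline
#   ... later, ideally booted from known-good media ...
#   sudo sh setuid_check.sh compare  /Volumes/USB/setuid.baseline
case ${1:-} in
  baseline) list_setuid / >"$2" ;;
  compare)  setuid_not_in_baseline "$2" / ;;
esac
```

Anything `compare` prints is a setuid binary that appeared since the baseline and deserves a look; an empty result only means this particular artefact is absent, not that the machine is clean.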

Zedcars

macrumors 6502
Apr 5, 2010
406
718
Brighton, UK
Does anyone know what the real-world chances of being targeted by this vulnerability exploit for an average non-professional user? Is this really that likely?

I would like to know, in layman's terms, how you can be targeted. Would just logging out as admin and logging in as a standard user be enough to prevent an attack?
 

chrfr

macrumors G5
Jul 11, 2009
13,709
7,280
I would like to know, in layman's terms, how you can be targeted. Would just logging out as admin and logging in as a standard user be enough to prevent an attack?

For instance, in a computer lab environment in schools this is a huge problem. It is trivial to get root privileges. Running as a non-admin account doesn't protect you in 10.9-10.10.2 but seems to do so in 10.7-10.8.5.
On a home computer this is of much less concern.
 

simonsi

Contributor
Jan 3, 2014
4,851
735
Auckland
Does anyone know what the real-world chances of being targeted by this vulnerability exploit for an average non-professional user? Is this really that likely?

I would like to know, in layman's terms, how you can be targeted. Would just logging out as admin and logging in as a standard user be enough to prevent an attack?

Firstly the attacker needs a login opportunity, either by an existing remote access facility or access to the machine. Prevent or control those aspects and there is no possibility of a Rootpipe attack. Once in, Rootpipe can be used to escalate admin privileges to root, but it cannot escalate standard to admin, or standard to root.

There are some other limitations on specific versions of OS X as stated.

Rootpipe can be viewed as a way to seriously compromise a target machine, but only if its security is compromised by access (remote or physical) in the first place.
 
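An added example (shell; not code from any post here, nor from Apple) that turns the prerequisites summarised above and the version ranges chrfr gave into a quick check you can run in Terminal. It assumes exactly what the thread states: the fix shipped in OS X 10.10.3 and was not back-ported, a standard account is not a defence on 10.9 through 10.10.2 but is on 10.7 through 10.8.5, and the attacker still needs a login path such as Remote Login. The version comparison and the two parsers are pure functions; the live lookups only run on a Mac, and `systemsetup` needs sudo.

```sh
#!/bin/sh
# Added example: Rootpipe exposure check based on what this thread states.
# Not code from the original posts or from Apple.
# Assumed from the thread: fix shipped in 10.10.3 and was not back-ported;
# a standard account is no defence on 10.9.x-10.10.2 but is on 10.7-10.8.5;
# an attacker still needs a login path (local or remote) before Rootpipe
# is usable.

# ver_ge A B: succeed if dotted numeric version A is >= version B. Missing
# trailing components count as 0, so "10.10" < "10.10.3".
ver_ge() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    ai=${ai:-0}; bi=${bi:-0}
    if [ "$ai" -gt "$bi" ]; then return 0; fi
    if [ "$ai" -lt "$bi" ]; then return 1; fi
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 0
}

# rootpipe_fixed VERSION: succeed if this OS X version carries Apple's fix.
rootpipe_fixed() { ver_ge "$1" 10.10.3; }

# standard_account_helps VERSION: succeed if, per chrfr's observation above,
# a standard (non-admin) account limits Rootpipe on this release
# (10.7 through 10.8.5). Releases before 10.7 are not covered by the thread.
standard_account_helps() {
  ver_ge "$1" 10.7 && ! ver_ge "$1" 10.9
}

# in_admin_group GROUPS: succeed if the space-separated group list (as printed
# by `id -Gn`) contains the OS X admin group.
in_admin_group() {
  for g in $1; do
    if [ "$g" = admin ]; then return 0; fi
  done
  return 1
}

# remote_login_on OUTPUT: parse `systemsetup -getremotelogin`, which prints
# "Remote Login: On" or "Remote Login: Off".
remote_login_on() {
  case $1 in
    *"Remote Login: On"*) return 0 ;;
    *) return 1 ;;
  esac
}

# rootpipe_report: live check, only meaningful on a Mac. systemsetup needs
# root, so without sudo the Remote Login line is reported as unknown.
rootpipe_report() {
  if [ "$(uname -s)" != Darwin ]; then
    echo "not OS X; run the live report on the Mac you are assessing"
    return 0
  fi
  ver=$(sw_vers -productVersion)
  if rootpipe_fixed "$ver"; then
    echo "OS X $ver: Rootpipe fix present (10.10.3 or later)"
  elif standard_account_helps "$ver"; then
    echo "OS X $ver: unpatched; a standard account limits exposure on this release"
  else
    echo "OS X $ver: unpatched; a standard account is NOT a defence on this release"
  fi
  if in_admin_group "$(id -Gn)"; then
    echo "current user $(id -un) is in the admin group"
  else
    echo "current user $(id -un) is a standard user"
  fi
  rl=$(systemsetup -getremotelogin 2>/dev/null) || rl=""
  if [ -z "$rl" ]; then
    echo "Remote Login: unknown (rerun with sudo)"
  elif remote_login_on "$rl"; then
    echo "Remote Login (sshd) is ON: a login path an attacker could use"
  else
    echo "Remote Login (sshd) is off"
  fi
}

rootpipe_report
```

Remote Login is only one login path; Screen Sharing, Remote Management and third-party remote-control tools are the others the posts above mention, and they are not inspected here.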

simonsi

Contributor
Jan 3, 2014
4,851
735
Auckland
It absolutely is possible to get root privileges, even a root shell, from a standard user in 10.9-10.10.2.

Ok, that wasn't in the last info I had. Good catch and another reason to get to 10.10.3...

TBH though, once your machine is compromised by access the OS can be wiped so a moot point.
 

chrfr

macrumors G5
Jul 11, 2009
13,709
7,280
Ok, that wasn't in the last info I had. Good catch and another reason to get to 10.10.3...

TBH though, once your machine is compromised by access the OS can be wiped so a moot point.

Your last point is true, but like I said, in an environment such as school labs, where you have lots of authorized non-admin users, and systems that should be rather locked down, this is an especially concerning problem.
 

Zedcars

macrumors 6502
Apr 5, 2010
406
718
Brighton, UK
Oh ok, thanks for the info. Steve Gibson covered this very briefly in Security Now but he didn't mention that a standard user in 10.9.0 - 10.10.2 would be vulnerable. In fact that was where I'd got the suggestion that being logged in as standard user would make you safe from this problem.

I know a few educational institutions that are slow when it comes to updating their Mac OS's and I'd be willing to bet this is common in most institutions the world over. I can think of one in particular who are still on Snow Leopard!
 

sjinsjca

macrumors 68020
Oct 30, 2008
2,239
557
https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/

Only patched in 10.10, 10.9 is left in the cold, and it does not require your user to be in the admin group to run.

Combine this with any of the remote exploits patched in the latest SA and you can have a very big and real issue at hand. Did anyone say OSX botnet? ;)

Very nasty indeed and there is already a metasploit module available for this...

It would be nice if Apple would patch things going back several generations. But they have pointed out (https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/), "Apple indicated that this issue required a substantial amount of changes on their side, and that they will not back port the fix to 10.9.x and older."

10.10 Yosemite did introduce a slew of new features and frameworks, including some really low-level stuff (for example in the storage frameworks, in which physical I/O is entirely abstracted now, and in the communications frameworks, which are hugely different and, for example, bring Handoff, AirDrop and SMS capability to the Mac), and the Swift programming environment, and application management (such as automatic, background app updates and 2-factor per-app authentication).

Apple has another point: Any computer that runs 10.9 or 10.8 or even older can run 10.10, and the upgrade is free (unlike most Windows OS updates) and pretty painless. No app reinstallations or data recovery are needed after the update (though most applications have had their own updates to take advantage of the new ways of doing things and to fix incompatibilities), though the built-in Time Machine backup functionality makes it easy to do so when necessary. There are broad performance improvements as well as security improvements. And by now the various bugs introduced in such a massive update have been addressed. It's a fantastic and thoughtfully-designed OS; something new about it delights me every day.

The simplest and best path to ensuring a Mac is running the safest code is to upgrade, which IIRC any Mac manufactured in the past five or so years can do for free. But like many here, I'd encourage Apple to back-port security fixes, and I'd personally like to see them go very far back when feasible... though for technical reasons it sometimes won't be. My sleek, 12-year-old PowerMac tower machine still runs like a hose but hasn't seen an update in quite a while. And being based on the old PowerPC chips, it won't. But it sure is a magnificent specimen!
 

Rigby

macrumors 603
Aug 5, 2008
6,257
10,215
San Jose, CA
Does anyone know what the real-world chances of being targeted by this vulnerability exploit for an average non-professional user? Is this really that likely?

I would like to know, in layman's terms, how you can be targeted.
The vulnerability can be exploited in combination with other attack methods. For example, Adobe just patched a critical vulnerability (CVE-2015-3043) in the Flash plugin for Windows and Mac that was actively being used by black hats to remotely execute code on the victims' machines if they went to a specially prepared web page (this kind of vulnerability is discovered quite frequently in browsers and plugins). That code could use vulnerabilities like Rootpipe to gain elevated access rights and make modifications to your system, e.g. to install a rootkit.
Would just logging out as admin and logging in as a standard user be enough to prevent an attack?
Using a standard user account for day-to-day activities is always a good idea to make it more difficult for malware to modify critical parts of the system.
 