For at least four years, a bug in Apple’s OS X gave untrusted users—and possibly remote hackers with only limited control of their target—unfettered “root” privileges over Macs.
The vulnerability is being called a “hidden backdoor” by Emil Kvarnhammar, the security researcher who discovered the bug and privately reported it to Apple. It’s probably more accurate to describe it the equivalent of an unpublished programming interface that allowed users with admin or even lower-level standard privileges to gain root. The privilege escalation flaw was fixed in a massive security update Apple released Wednesday for the 10.10, aka Yosemite, version of OS X. Macs running versions 10.9 or earlier remain vulnerable.
“The Admin framework in Apple OS X contained a hidden backdoor API to root access for several years (at least since 2011, when 10.7 was released),” Kvarnhammar wrote in a blog post published Thursday. “The intention was probably to serve the ‘System Preferences’ app and systemsetup (command-line tool), but there is no access restriction. This means the API is accessible (through XPC) from any user process in the system.”
To fully exploit the bug, attackers would need physical access to the targeted Mac. But the escalation vulnerability could potentially be exploited remotely in combination with other attacks, for instance, one that’s able to compromise a browser and break out of its security sandbox but doesn’t have privileged access to operating system resources. Exploits might also be useful against machines running server versions of OS X.
When Kvarnhammar first discovered the bug last October, he found he could exploit it to gain root privileges from the rights normally granted only to admin accounts. The researcher continued to experiment with the flaw until he found a way to elevate privileges even from standard OS X accounts, which give users considerably less control. To Kvarnhammar’s amazement, he was able to expand the attack by sending a what’s known as a “nil” to the OS X mechanism that performs the elevation authorization. A nil is a zero-like value in the Objective C programming language that represents a non-existent object.
“It seems like the authorization checks are made by triggering callback functions on the auth-object supplied,” Kvarnhammar wrote. “For those of you who are not Objective-C programmers: Guess what happens if you call methods on a null reference–or to use Objective-C language, send a message to nil? Nothing! :)”