OS X Yosemite: an exploitable flaw for root access

A German security researcher at SektionEins has disclosed a vulnerability in OS X Yosemite and shown how to exploit it to gain root access on a Mac. The researcher is Stefan Esser, alias i0n1c, a well-known figure in the iOS jailbreak community.

Stefan Esser did not notify Apple before publicly disclosing the vulnerability. It stems from the DYLD_PRINT_TO_FILE environment variable added in OS X Yosemite for the dynamic linker dyld: its value tells dyld where on the file system to write its error and logging output.

i0n1c explains that by abusing this variable an attacker can open or create arbitrary files owned by root anywhere on the file system: dyld opens the named file with the privileges of the process it is loading, and when that process is a setuid-root binary the file is created as root. He describes it as a privilege escalation that is easy to carry out on OS X 10.10.x, but one that requires local access to the Mac.

By nature the flaw is therefore less critical than one exploitable remotely, but it remains dangerous: a proof of concept obtains a root shell on the Mac, which is about as much as an attacker can ask for.

Stefan Esser, who is unlikely to make friends at Apple, says he does not know whether the company was actually aware of the problem. What is certain is that the vulnerability is fixed in the OS X El Capitan beta but not in the OS X 10.10.5 beta, and therefore not in the current stable release of OS X Yosemite (10.10.4).

The hacker criticizes Apple for not running a bug bounty program to reward the findings of third-party security researchers; he has no intention of working for free. Nor does he want to hear about responsible disclosure (notifying the vendor first): in his view it is Apple that is being irresponsible here, having fixed the bug in the El Capitan beta in June but not in the latest stable version of OS X.

Being a good sport nonetheless, Stefan Esser has published on GitHub a kernel extension, SUIDGuard, that implements protective measures for setuid binaries.