When TrueSec researcher Emil Kvarnhammar discovered a privilege escalation bug in OS X that could allow attackers to gain complete control of the targeted Mac, he disclosed the details to Apple.
It took the company over half a year to issue a patch, due to the number of changes required in OS X to plug the hole. For this reason, Apple released a patch only for OS X Yosemite (10.10.3).
Video: “Phoenix: RootPipe Reborn” by Patrick Wardle on Vimeo.
But, it seems that even that long a period was not long enough to thoroughly address the issue, as Patrick Wardle, Director of Research at Synack, recently discovered “a novel, yet trivial way for any local user to re-abuse rootpipe – even on a fully patched OS X 10.10.3 system.”
“In the spirit of responsible disclosure, (at this time), I won’t be providing the technical details of the attack (besides of course to Apple). However, I felt that in the meantime, OS X users should be aware of the risk,” he said in a blog post, and shared a demonstration of the exploit.