Apple’s fix didn’t close Rootpipe backdoor


When TrueSec researcher Emil Kvarnhammar discovered a privilege escalation bug affecting OS X that could allow attackers to gain complete control of the target’s Mac machine, he disclosed details about it to Apple.

It took the company over half a year to issue a patch, because of the amount of change required in OS X to close the hole. For this reason, a patch was released only for OS X Yosemite (10.10.3).

Video: "Phoenix; RootPipe Reborn", by Patrick Wardle on Vimeo.

But even that long a period was apparently not enough to address the issue thoroughly, as Patrick Wardle, Director of Research at Synack, recently discovered “a novel, yet trivial way for any local user to re-abuse rootpipe – even on a fully patched OS X 10.10.3 system.”

“In the spirit of responsible disclosure, (at this time), I won’t be providing the technical details of the attack (besides of course to Apple). However, I felt that in the meantime, OS X users should be aware of the risk,” he said in a blog post, and shared a demonstration of the exploit.
