October 2, 2006 6:25 PM PDT
Exploit released for Mac OS X flaw
- Related Stories
Apple releases Mac OS X security updateSeptember 29, 2006
New Apple patch plugs Wi-Fi hijack flawsSeptember 21, 2006
Attack code out for Apple flawJune 29, 2006
Tribble on Apple's security troublesMarch 15, 2006
Mac OS X patch faces scrutinyMarch 7, 2006
Is Mac OS as safe as ever?February 27, 2006
The code takes advantage of a weakness in core parts of Mac OS X and could let a person with limited privileges gain full access to a system. Apple provided a fix for the error-handling mechanism of the kernel last week, but the exploit appears to have been authored before then.
"It appears to have been written well before the vulnerability was fixed," said Dino Dai Zovi, a researcher at Matasano Security, who was credited by Apple with discovering the flaw. "It appears to be a zero-day exploit." He added that it may even "have been distributed before the patch was released."
Indeed, a Dutch student named Matthijs van Duin claims he found the bug and crafted the exploit in November last year. He did not call attention to the exploit, but did store it in a public directory online to share it with a few people, Van Duin told CNET News.com. Symantec and the French Security Incident Response Team, or FrSIRT, issued alerts about the attack code over the weekend, but the exploit appears to have gone unnoticed by security monitoring companies before that.
"I didn't release it at such," Van Duin said in an interview via e-mail. "I just put it in a directory to show it to a few people...I was trying to figure out why the kernel code that was obviously meant to plug this vulnerability was present, but disabled. Then I had more urgent stuff to do, the vulnerability ended up on the bottom of my 'to do' list."
Apple representatives did not immediately return calls for comment.
The vulnerability could be exploited by a local attacker or someone with privileges to remotely log on to a machine. Macs that are used by multiple people, as well as servers with remote access capabilities, are most at risk, experts said. A person with limited privileges could exploit the flaw to possibly gain full system access.
"The risk presented by this exploit is limited by the fact that it can only be exploited by a logged-in user, although the user may also be logged in remotely," Dai Zovi said. "The issue is also mitigated by the fact that a patch has already been released."
The patch is available on Apple's Web site.
Mac OS X, by default, checks for updates weekly, which means most Mac OS X systems will not be vulnerable much longer.
The exploit as it was publicly released does not do anything destructive; instead it runs the "/usr/bin/id" utility to show that a person enjoys full administrator privileges.
"I can then make it do anything I want," Van Duin said. "An ill-intended person with at least some skill could modify it to spawn a root shell."
Dai Zovi agreed with van Duin, saying that a knowledgeable user can easily replace or modify the exploit payload to run a full-access root shell.
108 commentsJoin the conversation! Add your comment