Last month, Stefan Esser blogged about a zero-day vulnerability in OS X, without having informed Apple about the problem first. Unfortunately, today has brought the discovery of the first known exploit.
Adam Thomas, a researcher at Malwarebytes, discovered a new adware installer, and while testing it, he discovered something very strange: his sudoers file had been modified!
For those who don’t know, the sudoers file is a hidden Unix file that determines, among other things, who is allowed to get root permissions in a Unix shell, and how. The modification made to the sudoers file, in this case, allowed the app to gain root permissions via a Unix shell without needing a password.
As can be seen from the code snippet shown here, the script that exploits the DYLD_PRINT_TO_FILE vulnerability is written to a file and then executed. Part of the script involves deleting itself when it’s finished.
The real meat of the script, though, involves modifying the sudoers file. The change made by the script allows shell commands to be executed as root using sudo, without the usual requirement for entering a password.
Then the script uses sudo’s new password-free behavior to launch the VSInstaller app, which is found in a hidden directory on the installer’s disk image, giving it full root permissions, and thus the ability to install anything anywhere. (This app is responsible for installing the VSearch adware.)
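The change described above, a sudoers rule that lets shell commands run as root without a password, is something an administrator can check for. The following is an added example, not code from the post or from Malwarebytes: it parses the user-specification lines of a sudoers file, flags any rule carrying the NOPASSWD tag or granting ALL commands to ALL users, and reports whether the file has drifted from a known-good SHA-256 baseline. The two sudoers texts embedded in it are constructed sample data, not the installer's actual edit, and the function names are my own.

```python
"""Audit a sudoers file for passwordless or blanket root grants and for
drift from a known-good baseline (added example, not the post's code)."""
import hashlib
import re
from typing import Dict, List

# Constructed sample data: a stock-looking macOS sudoers, and the same file
# with one rule appended of the kind the post describes.  Not the real edit.
CLEAN_SUDOERS = """\
# sudoers file.
Defaults        env_reset
Defaults        env_keep += "BLOCKSIZE LANG LC_ALL"
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
"""
TAMPERED_SUDOERS = CLEAN_SUDOERS + "ALL ALL=(ALL) NOPASSWD: ALL\n"

# A user specification has the shape:  user  host = (runas) [TAG: ...] commands
_RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
_TAG_RE = re.compile(
    r"\b(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|"
    r"LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT)\s*:\s*"
)


def sha256_hex(text: str) -> str:
    """Baseline fingerprint of the file contents."""
    return hashlib.sha256(text.encode()).hexdigest()


def parse_rules(text: str) -> List[dict]:
    """Return the user-specification lines of a sudoers file as dicts.

    Comments, blank lines, Defaults, alias definitions and #include
    directives are skipped; backslash continuations are joined first.
    """
    joined = text.replace("\\\n", " ")
    rules = []
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^Defaults\b", line):
            continue
        if re.match(r"^(User|Runas|Host|Cmnd)_Alias\b", line):
            continue
        m = _RULE_RE.match(line)
        if not m:
            continue
        rule = m.groupdict()
        tags = [t.upper() for t in _TAG_RE.findall(rule["cmds"])]
        rule["tags"] = tags
        rule["commands"] = _TAG_RE.sub("", rule["cmds"]).strip()
        rules.append(rule)
    return rules


def audit_sudoers(text: str, baseline_sha256: str) -> Dict[str, object]:
    """Flag passwordless and blanket grants and compare against a baseline."""
    rules = parse_rules(text)
    # NOPASSWD means sudo will not prompt for the user's password at all.
    nopasswd = [r for r in rules if "NOPASSWD" in r["tags"]]
    # 'ALL ... ALL' hands every command to every account on the machine.
    blanket = [r for r in rules if r["user"] == "ALL" and r["commands"] == "ALL"]
    return {
        "changed_from_baseline": sha256_hex(text) != baseline_sha256,
        "nopasswd_rules": nopasswd,
        "blanket_rules": blanket,
        "suspicious": bool(nopasswd or blanket),
    }


def audit_file(path: str, baseline_sha256: str) -> Dict[str, object]:
    """Audit a sudoers file on disk (reading /etc/sudoers requires root)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_sudoers(fh.read(), baseline_sha256)


if __name__ == "__main__":
    baseline = sha256_hex(CLEAN_SUDOERS)
    for name, content in (("clean", CLEAN_SUDOERS), ("tampered", TAMPERED_SUDOERS)):
        report = audit_sudoers(content, baseline)
        print(name, "suspicious:", report["suspicious"],
              "changed:", report["changed_from_baseline"])
        for r in report["nopasswd_rules"]:
            print("  NOPASSWD rule:", r["user"], r["host"], r["commands"])
```

Run it as root against the real file with `audit_file("/etc/sudoers", baseline)`, where the baseline hash was recorded on a machine known to be clean; a `changed_from_baseline` result without a corresponding administrative change is the signal to look at. The parser only reads the file, so `sudo visudo -c` remains the right tool for confirming the file's syntax is still valid.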
In addition to installing VSearch, the installer will also install a variant of the Genieo adware and the MacKeeper junkware. As its final operation, it directs the user to the Download Shuttle app on the Mac App Store.
This is obviously very bad news. Apple has evidently known about this issue for a while now – not due to Esser, but thanks to a responsible researcher going by the Twitter handle @beist, who had alerted Apple some time before Esser discovered the bug.
Unfortunately, Apple has not yet fixed this problem, and now it is beginning to bear fruit.
Worse, there is no good way to protect yourself, short of installing Esser’s software to protect against the very flaw that he released into the hands of hackers worldwide, which introduces some serious questions about ethics and conflict of interest.
Hopefully, this discovery will spur Apple to fix the issue more quickly.
In the meantime, as always, be careful what you download! For some practical tips on how to avoid these kinds of nasty installers, see How can I protect myself?, which is part of The Safe Mac’s Mac Malware Guide.
Oh geez, if a person that isn’t worth several billion can do it with less warning (well, several hundred billion, not that I’m expecting either to throw all their money at it), then why can’t Apple? Yes, I hope very much that Apple fixes this soon.
Users who aren’t logged in as administrators, are they vulnerable to this exploit?
Good write-up, but one minor point: the /etc/sudoers file is not really a “hidden file”. You can see it in the Finder if you use the “Go->Go to Folder…” command and enter “/etc”.
The author of this post is an idiot for attacking Esser. He was very clear that Apple already knew about the bug for several months before he dropped the exploit – it’s already fixed in El Capitan. He only released it in an effort to motivate Apple to bother fixing a bug that they apparently weren’t going to bother with (latest Yosemite beta did not include the fix), leaving millions of users vulnerable to what is quite a trivial exploit.
He also provided free mitigation with the release, which Apple has so far failed to do even after knowing about the bug for several months. Perhaps Mr Thomas Reed should have read Esser’s release article in full before writing this, and directed his misinformed vitriol towards the billion-dollar company that is failing to make reasonable efforts to keep its users secure rather than the lone security researcher providing security fixes for a commercial operating system to the general public for free.