Mac OS X Bug Opens A Pathway For Adware

An exploit of privilege settings in Apple's Mac OS 10.10 can leave users vulnerable to adware for some users.

Larry Loeb, Blogger, Informationweek

August 7, 2015

4 Min Read
<p align="left">Halishadow/iStockphoto</p>

10 Must-Have Mac OS X Apps

10 Must-Have Mac OS X Apps

10 Must-Have Mac OS X Apps (Click image for larger view and slideshow.)

While the details of the latest vulnerability to the Mac OS 10.10 are esoteric, Malwarebytes has found an adware installer already using this exploit in the wild.

The latest security problem for Mac OS originates in the code that Apple wrote in the 10.10 system software that bypasses the kinds of privilege checking done in other parts of the OS. With this code, Apple provided a way for exploiters to gain root access to OS X. Root access allows them to execute whatever code they want without hindrance.

Security researcher Stefan Esser wrote in his July 7 blog about a privilege escalation exploit associated with the DLYD_PRINT_TO_FILE environment variable. This variable allows the system to push output to a file other than the usual standard error (stderr) one. This is the part of Apple's system code where the lack of file checking occurred.

[ It's never as good as it seems. Read Shadow IT: It's Much Worse Than You Think. ]

What happened to allow this? Basically, the revisions that Apple made in OS X 10.10 to the dynamic linker (dyld) process were faulty. In that version of the OS, any changes that happened to the dynamic linker (such as changing where the output goes) did not invoke the usual safeguards built into the OS for checking file privileges.

The usual file checking occurs when any environment variables associated with the dynamic linker are passed to the processDyldEnvironmentVariable() function. This function checks what kinds of files are present before they are added to the linked list that dyld uses to set up what actually gets run. But, in OS X 10.10 the variable was added in the _main part of the dyld program. Putting it there bypassed the processDyldEnvironmentVariable() function.

And therein lies the problem. Without a check of what kind of file was being created, any kind of files (even ones that should be restricted) would be linked together and executed. A restricted file includes those that have root access to the system. As noted before, root access allows a file to execute any code that it specifies. If that file is an attack, the file then has an easy time doing the attack and erasing the trail produced by the attack.

Esser does provide a patch, however. It is not for the fainthearted, since it requires compilation. Its source can be found in the Github repository..

The exploit found by Malwarebytes is hidden in an adware installer the firm was researching. The adware installer script modified the sudoers file, which determines which users and commands have root access to the system. The exploit turns off the usual password required for changes to this file.

Malwarebytes' Thomas Reed wrote in a wrote in a blog post that the adware’s script then uses sudoer's new password-free behavior to launch the VSInstaller app, which is found in a hidden directory on the installer's disk image. Reed wrote: "For those who don't know, the sudoers file is a hidden Unix file that determines, among other things, who is allowed to get root permissions in a Unix shell, and how. The modification made to the sudoers file, in this case, allowed the app to gain root permissions via a Unix shell without needing a password. This basically gives adware full root permissions, and thus the ability to install anything, anywhere."

The VSInstaller app is responsible for installing the VSearch adware program that delivers pop-up ads, and also installs a toolbar. It has been identified as malicious by Apple. In addition to installing VSearch, the installer also creates a variant of the Genieo adware and the MacKeeper junkware.

As its final operation, it directs the user to the Download Shuttle app on the Mac App Store. The affected system then has two programs cramming it full of unwanted ads, and an unwanted referral to a product. The adware can be removed using instructions on Malwarebytes site.

Apple knows about this exploit. Esser reported it before he went public, and Tweeted that the July 30 build of OSX 10.10.5 is fixed. This means it should hit the general public soon.

The upcoming version of OS X (10.11) handles root access in a very different manner and this kind of exploit will not work. What Apple causes, it eventually fixes.

About the Author(s)

Larry Loeb

Blogger, Informationweek

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet protocol. His latest book has the commercially obligatory title of Hack Proofing XML. He's been online since uucp "bang" addressing (where the world existed relative to !decvax), serving as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange. His first Mac had 128 KB of memory, which was a big step up from his first 1130, which had 4 KB, as did his first 1401. You can e-mail him at [email protected].

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights