[MacTUG] 10.10 vulnerability on shared machines

Mike Patterson mpatterson at uwaterloo.ca
Thu Jul 23 13:26:25 EDT 2015


FYI:
https://www.sektioneins.de/en/blog/15-07-07-dyld_print_to_file_lpe.html


> With the release of OS X 10.10 Apple added some new features to the dynamic linker dyld. One of these features is the new environment variable DYLD_PRINT_TO_FILE that enables error logging to an arbitrary file.
> 
> DYLD_PRINT_TO_FILE
> This is a path to a (writable) file. Normally, the dynamic linker writes all logging output (triggered by DYLD_PRINT_* settings) to file descriptor 2 (which is usually stderr). But this setting causes the dynamic linker to write logging output to the specified file.
> When this variable was added, the usual safeguards that are required when adding support for new environment variables to the dynamic linker were not used. Therefore it is possible to use this new feature even with SUID root binaries. This is dangerous, because it allows opening or creating arbitrary files owned by the root user anywhere in the file system. Furthermore, the opened log file is never closed and therefore its file descriptor is leaked into processes spawned by SUID binaries. This means child processes of SUID root processes can write to arbitrary files owned by the root user anywhere in the filesystem. This allows for easy privilege escalation in OS X 10.10.x.
> 
> At the moment it is unclear if Apple knows about this security problem or not, because while it is already fixed in the first betas of OS X 10.11, it is left unpatched in the current release of OS X 10.10.4 or in the current beta of OS X 10.10.5.

In other words: untrusted users can relatively easily escalate privileges. This only affects 10.10; I don't know how many, if any, labs are running that version, but it's worth keeping in mind.

Mike


-- 
The secret of getting things done is to act!  - Dante Alighieri
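The quoted post names two safeguards that were missing in 10.10: a dynamic linker should ignore DYLD_* variables when the process runs with elevated privileges (set-uid/set-gid), and a log file it does open should not be inherited by child processes. The C program below is an added illustration of those two defensive patterns in an ordinary privileged program; it is not dyld code, not from the SektionEins post, and not from this list. The function names (should_honor_dyld_env, scrub_dyld_env, open_log_cloexec, fd_is_cloexec), the environment strings and the uid/gid values are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Safeguard 1: only honour DYLD_* settings when no privilege boundary
 * was crossed, i.e. real and effective ids match.  Takes the ids as
 * arguments so the policy can be exercised without a real set-uid binary.
 * Returns 1 when the variables may be honoured, 0 when they must be ignored. */
int should_honor_dyld_env(uid_t uid, uid_t euid, gid_t gid, gid_t egid) {
    if (uid != euid || gid != egid)
        return 0;           /* set-uid / set-gid: treat DYLD_* as hostile */
    return 1;
}

/* Remove every "DYLD_..." entry from a NULL-terminated envp-style array,
 * compacting it in place.  Returns the number of entries dropped.
 * (Hypothetical helper, not Apple's implementation.) */
int scrub_dyld_env(char **envp) {
    int removed = 0;
    char **src, **dst;
    if (envp == NULL)
        return 0;
    for (src = dst = envp; *src != NULL; src++) {
        if (strncmp(*src, "DYLD_", 5) == 0) {
            removed++;      /* drop: do not copy to the write cursor */
            continue;
        }
        *dst++ = *src;
    }
    *dst = NULL;
    return removed;
}

/* Safeguard 2: open a log file with O_CLOEXEC so the descriptor is
 * closed across exec and never leaks into spawned children. */
int open_log_cloexec(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_APPEND | O_CLOEXEC, 0600);
}

/* Return 1 if fd carries FD_CLOEXEC, 0 if it does not, -1 on error. */
int fd_is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

int main(void) {
    /* Constructed environment: one benign entry, one DYLD_* entry. */
    char e0[] = "PATH=/usr/bin";
    char e1[] = "DYLD_PRINT_TO_FILE=/tmp/example_dyld.log";
    char e2[] = "HOME=/Users/demo";
    char *env[] = { e0, e1, e2, NULL };

    /* Constructed ids: uid 501 running a set-uid root program (euid 0). */
    if (!should_honor_dyld_env(501, 0, 20, 20)) {
        int n = scrub_dyld_env(env);
        printf("privilege boundary crossed: dropped %d DYLD_* variable(s)\n", n);
    }

    int fd = open_log_cloexec("/tmp/example_dyld_safe.log");
    if (fd >= 0) {
        printf("log fd %d close-on-exec: %d\n", fd, fd_is_cloexec(fd));
        close(fd);
        unlink("/tmp/example_dyld_safe.log");
    }
    return 0;
}
```

The two checks are independent: scrubbing the environment stops the privileged process from opening an attacker-chosen path in the first place, and O_CLOEXEC ensures that even a legitimately opened log descriptor is not inherited by whatever the privileged program later executes.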



