DYLD_PRINT_TO_FILE exploit found in the wild

05/08/2015 - 14:51 by Fritz
<https://blog.malwarebytes.org/mac/2...-wild/>
Quote:
»As can be seen from the code snippet shown here, the script that
exploits the DYLD_PRINT_TO_FILE vulnerability is written to a file and
then executed. Part of the script involves deleting itself when it’s
finished.
The real meat of the script, though, involves modifying the sudoers
file. The change made by the script allows shell commands to be executed
as root using sudo, without the usual requirement for entering a password.
Then the script uses sudo’s new password-free behavior to launch the
VSInstaller app, which is found in a hidden directory on the installer’s
disk image, giving it full root permissions, and thus the ability to
install anything anywhere. (This app is responsible for installing the
VSearch adware.)
In addition to installing VSearch, the installer will also install a
variant of the Genieo adware and the MacKeeper junkware. As its final
operation, it directs the user to the Download Shuttle app on the Mac
App Store.«

Found via
<http://www.heise.de/newsticker/meld...7.html>
Quote:
»A VSInstaller app hidden on the installer's disk image then installs
various adware and junkware such as VSearch, Genieo and MacKeeper with
admin rights.«

Hopefully Apple will soon release a patch for all affected OS X versions,
since this bug has reportedly already been fixed in 10.11.

fup de.comp.sys.mac.misc
Fritz
Irony, sarcasm, satire, farce, persiflage and metaphor are by no means
excluded!
 


#1 Fritz
05/08/2015 - 15:04
On 05.08.15 at 14:51, Fritz wrote:
<https://blog.malwarebytes.org/mac/2...-wild/>
Addendum:
Here is a tool that fixes this until Apple releases a patch.

SUIDGuard - a TrustedBSD Kernel Extension that adds mitigations to
protect SUID/SGID processes a bit more
<https://github.com/sektioneins/SUIDGuard>

AFAIK the author, Stefan Esser, discovered this bug:

<https://www.sektioneins.de>
<https://www.sektioneins.de/blog/15-...e.html>

Fritz
Irony, sarcasm, satire, farce, persiflage and metaphor are by no means
excluded!
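The script below is an added example and is not code from the Malwarebytes post, the heise article, or the SUIDGuard project. It bundles the three checks an admin would want after reading this thread: whether dyld on the machine still honours DYLD_PRINT_TO_FILE inside a set-uid process, whether /etc/sudoers has acquired a password-free entry of the kind the quoted post describes, and whether the SUIDGuard kext mentioned in the addendum is loaded. It assumes /usr/bin/sudo as the set-uid binary to probe with (an assumption; any set-uid binary will do), audits a constructed sample sudoers rather than the live file, and never writes to /etc/sudoers: the probe only asks dyld to create a throwaway file in a directory you own, which is enough to tell a vulnerable dyld from a fixed one without doing anything with the bug. On systems without dyld or kextstat the OS X specific checks report "untestable" rather than failing.

```shell
#!/bin/sh
# Added example, not code from the Malwarebytes post, heise, or SUIDGuard.
# Three checks for the situation described in the thread:
#   1. does this machine's dyld still honour DYLD_PRINT_TO_FILE in a set-uid process?
#   2. has /etc/sudoers been given a password-free (NOPASSWD) entry?
#   3. is the SUIDGuard kext loaded as a stop-gap?
# Assumptions are marked; nothing here touches /etc/sudoers or needs root.

# 1. Probe: hand DYLD_PRINT_TO_FILE to a set-uid binary and point it at a
#    scratch file in a directory we own. If dyld accepts the variable while
#    loading a set-uid program (the bug), the file appears; if the variable is
#    scrubbed (fixed dyld) or there is no dyld at all (Linux), it does not.
#    Default binary is an assumption: /usr/bin/sudo is set-uid root on OS X and
#    "sudo -n true" exits quietly without prompting.
dyld_print_to_file_vulnerable() {
    suid_bin="${1:-/usr/bin/sudo}"
    [ -u "$suid_bin" ] || return 2                # no set-uid binary to test with
    scratch_dir="$(mktemp -d)" || return 2
    scratch="$scratch_dir/dyld_probe.log"
    DYLD_PRINT_TO_FILE="$scratch" "$suid_bin" -n true >/dev/null 2>&1 || true
    if [ -e "$scratch" ]; then
        rc=0                                      # set-uid process created our file: vulnerable
    else
        rc=1                                      # variable ignored: fixed dyld, or not OS X
    fi
    rm -rf "$scratch_dir"
    return "$rc"
}

# 2. Audit: print every active (non-comment) sudoers line that grants NOPASSWD.
#    Exit status 0 if any were found, 1 if the file is clean. Takes a path so the
#    same function can be run as root against /etc/sudoers or against a copy.
nopasswd_entries() {
    grep -iE '^[^#]*NOPASSWD' "$1"
}

# Constructed sample: a stock-looking sudoers plus one injected line of the kind
# the post describes. User name and exact line are illustrative, not the adware's.
write_sample_sudoers() {
    cat > "$1" <<'EOF'
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
# NOPASSWD inside a comment must not count
someuser ALL=(ALL) NOPASSWD:ALL
EOF
}

# 3. Mitigation present? SUIDGuard is a kext, so it shows up in kextstat.
#    Exit status 2 where kextstat does not exist (not OS X).
suidguard_loaded() {
    command -v kextstat >/dev/null 2>&1 || return 2
    kextstat 2>/dev/null | grep -qi suidguard
}

# Report when run directly; the checks stay in functions so they can be reused.
if dyld_print_to_file_vulnerable; then
    echo "DYLD_PRINT_TO_FILE: set-uid process wrote our probe file: VULNERABLE"
else
    echo "DYLD_PRINT_TO_FILE: variable ignored or untestable here (rc $?)"
fi

sample="$(mktemp)"
write_sample_sudoers "$sample"
echo "NOPASSWD entries in the sample sudoers:"
nopasswd_entries "$sample" || echo "(none)"
rm -f "$sample"
# To audit the live file, run nopasswd_entries /etc/sudoers as root.

if suidguard_loaded; then
    echo "SUIDGuard: loaded"
else
    echo "SUIDGuard: not loaded or untestable here (rc $?)"
fi
```

The probe deliberately creates its target inside a fresh mktemp directory rather than anywhere under /etc: on a vulnerable 10.10.x dyld the file shows up owned by root, which is the whole finding, and the directory is removed afterwards. The sudoers audit skips comment lines so that a commented-out NOPASSWD does not trigger a false alarm, but it does not follow #include or #includedir lines, so a sudoers.d drop-in would need the same grep run over that directory.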
