OS X 10.10.5 kernel local privilege escalation

278 points, by tyilo, almost 10 years ago

14 comments

benwilber0, almost 10 years ago
<pre><code>$ git clone https://github.com/kpwn/tpwn.git
Cloning into 'tpwn'...
remote: Counting objects: 16, done.
remote: Compressing objects: 100% (11/11), done.
remote: Total 16 (delta 3), reused 16 (delta 3), pack-reused 0
Unpacking objects: 100% (16/16), done.
Checking connectivity... done.
$ cd tpwn
$ make
gcc *.m -o tpwn -framework IOKit -framework Foundation -m32 -Wl,-pagezero_size,0 -O3
strip tpwn
$ ./tpwn
leaked kaslr slide, @ 0x0000000008e00000
sh-3.2# whoami
root
sh-3.2#
</code></pre>

Shit's real.

Edit: for those of you wondering, no, I didn't just run this willy-nilly. I read the code thoroughly and determined there were no side-effects aside from just the PoC dropping to a root shell.
lisper, almost 10 years ago

Anyone who is worried about privilege escalation on OSX should be aware that Apple ships sudo with requiretty disabled. This means that sudo authentication is not bound to the TTY in which the authentication occurred, and so using sudo for anything is tantamount to giving root to <i>all</i> of your processes.

UPDATE: https://news.ycombinator.com/item?id=10069706
Mojah, almost 10 years ago

So we currently have 2 local privilege escalation exploits [1] available for Mac OSX. Apple appears to be in no rush to fix the first one, I wouldn't bet my money on this vulnerability getting a fix any time soon, either ...

[1] http://bit.ly/1MrsdID
abhv, almost 10 years ago

Just curious when you disclosed this to Apple? I'm impressed by your skill in finding this, but not sure it is a good idea to make it so easy for people to weaponize like this.
gregwtmtno, almost 10 years ago

Any way to protect a machine until Apple publishes an update?
abhv, almost 10 years ago

(1) Can I also ask how you found this? Were you fuzzing IOKit?

(2) I'm trying to work through your ROP. Can you explain a bit more? Thanks.
thrownaway2424, almost 10 years ago

Interesting. This prompted me to look at my Mac and it's running 10.10.3. I never got a prompt to update to 10.10.4 or 10.10.5, but when I open App Store it tells me there's an upgrade to 10.10.5. I guess Apple managed to break the automatic update mechanism in 10.10.3.

I wonder if this is related to the behavior where my iMac wakes up every minute starting every morning at 2AM. This is so obnoxious that I now turn my iMac off at night instead of putting it to sleep.
pit, almost 10 years ago

I'm running 10.10.4, and it just crashed my Mac -- the "A problem has occurred" screen -- followed by a forced restart.
facetube, almost 10 years ago
Does anyone know if 10.9.5 is vulnerable?
x0, almost 10 years ago

Okay, this is really weird... after rooting, and pressing ^D or typing exit, I stay root

<pre><code>~/code/tpwn % id -u
503
~/code/tpwn % ./tpwn
leaked kaslr slide, @ 0x0000000005600000
sh-3.2# exit
exit
~/code/tpwn # id -u
0
</code></pre>

Edit: and it crashes iTerm2 after the last `id -u`. Managed to get a screenshot of what I'm talking about: http://i.imgur.com/foWgTBN.png
chatmasta, almost 10 years ago

And here I was pressing "update later tonight." Thanks for the heads up!
thought_alarm, almost 10 years ago

Does it work on 10.11 with "rootless" mode disabled?
mbilker, almost 10 years ago
At least 10.11 isn&#x27;t vulnerable
edude03, almost 10 years ago

So for anyone who hasn't tried it but is wondering about it - it works on 10.10.4 and 10.10.5; running the tpwn binary does drop you to a root shell. Looks like a weakness in the address randomization in OS X.