DYLD_PRINT_TO_FILE exploit found in the wild for OS X

A vulnerability exists in OS X where an attacker can take advantage of a routine that is generally intended for logging and use it to overwrite system files. In doing so, the attacker can modify the system to bypass OS X’s security measures and give full “root” access to malware installers. The result is that further modification of an affected Mac can be performed without any indication or authentication requirement.

The exploit uses an environment variable in OS X called “DYLD_PRINT_TO_FILE” which allows a program to redirect error messages to a specific file instead of to the system’s standard error stream. By default, the standard error stream (stderr) allows error messages to be logged and otherwise handled by official system services, but if a developer wishes, this variable allows for alternative handling and logging. Unfortunately, a bug exists in this routine such that if an existing file is specified, the system will overwrite its contents.

This type of modification will generally corrupt a system, leading to instability such as crashes and hangs, but attackers are using this vulnerability to target the system’s “sudoers” file. This file contains rules governing which user accounts can run programs with “root” privileges, and what authentication steps are needed to do so. In general, this file is set so that only administrative accounts have this access, and they are still required to supply a password. However, the attack overwrites this file in such a way that no authentication is needed.

When the attack is done, the malware can then modify any file and install any additional program it chooses. Currently, malware exploiting this vulnerability has been found by MalwareBytes; it uses the exploit to install MacKeeper, VSearch, and Genieo, which are commonly unwanted third-party programs often referred to as adware and junkware.

(Image: sudoers file in OS X)

The sudoers file here contains one modified line (underlined) that gives full root access to the account called “zephyr”, only when run on the local machine, and only for running the “softwareupdate” process. In most sudoers files, all lines except this one will be present as-is. The comments (hash marks) prevent the other lines from being active.

To check a system’s “sudoers” file, open the OS X Terminal and run the following command:

sudo cat /etc/sudoers

By running this command you have two ways of identifying this exploit. By default, this command requires that you supply the password of an administrative account, so if it runs without prompting for a password, something is wrong. Next, in the output of this command, check all of the lines that do not begin with a hash mark (#). A hash mark means the line is not used, so a line without one is active. If any active (un-hashed) line contains the word NOPASSWD, the file has been modified to allow root access without a password.
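The same check as a script, added here as an example rather than taken from the article: it reports active NOPASSWD rules in a sudoers file, skips commented-out lines (the default OS X sudoers contains a commented “%wheel … NOPASSWD” line that a plain grep would flag), and also follows the “#includedir” directive, which sudo treats as an include rather than a comment. The sample sudoers file, the “zephyr”, “backup” and rsync entries in it, and the script name are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the article): scan a sudoers file for active
# NOPASSWD rules, the check described above, applied to a file path.
# Run as "sudo sh check_sudoers.sh /etc/sudoers" on a Mac, or with no
# argument to run it against a constructed sample. Exit status 1 = found.

# Scan one file. Lines beginning with '#' are comments and inactive,
# EXCEPT '#include' and '#includedir', which sudo treats as directives.
scan_one() {
    awk -v f="$1" '
        /^[ \t]*#/ && !/^#include/ { next }      # comment: skip
        /^[ \t]*$/                 { next }      # blank line: skip
        /NOPASSWD/ { print f ": " $0; hit = 1 }  # active rule: report it
        END { exit hit ? 1 : 0 }
    ' "$1"
}

# Scan a file plus every file in any '#includedir' directory it names
# (the default OS X sudoers pulls in /private/etc/sudoers.d this way).
# Assumes the directory path contains no whitespace.
scan_sudoers() {
    rc=0
    scan_one "$1" || rc=1
    for dir in $(sed -n 's/^#includedir *//p' "$1"); do
        for f in "$dir"/*; do
            [ -f "$f" ] && { scan_one "$f" || rc=1; }
        done
    done
    return $rc
}

# Build a constructed sample resembling the modified file the article
# describes; the zephyr, backup and rsync entries are made up for this demo.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/sudoers.d"
    cat > "$d/sudoers" <<EOF
# constructed sample, not a real system file
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
# %wheel ALL=(ALL) NOPASSWD: ALL
zephyr  ALL=(ALL) NOPASSWD: /usr/sbin/softwareupdate
#includedir $d/sudoers.d
EOF
    echo 'backup ALL=(ALL) NOPASSWD: /usr/bin/rsync' > "$d/sudoers.d/extra"
    echo "$d"
}

if [ -n "$1" ]; then target=$1; else target=$(make_sample)/sudoers; fi
scan_sudoers "$target" || echo "active NOPASSWD rule(s) found; inspect them"
```

On a real system the script itself must be run with sudo, since /etc/sudoers is readable only by root; the password prompt (or its absence) is the first of the two checks described above.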

Unfortunately, all current versions of OS X are vulnerable to this exploit, so it will take an update from Apple to supply a fix. However, while this may be concerning, do keep in mind that this exploit requires that you download and run a nefarious malware installer. Currently no program can automatically download and run on your Mac without you purposefully launching it, so your best bet at staying safe is to simply monitor what programs you run. If you do not know where a program came from, delete it and re-download it, or at least investigate it and confirm you know what it is before you run it. Some examples of suspicious downloads include:

  • E-mail attachments recommending you open a program or link, especially from strange sources
  • Any automatic download in your Web browser that you did not specifically click to perform
  • Any program from Web sites that offer free software and services
  • Any sites that issue persistent warnings about the security of your computer
  • Any sites that appear to “lock” your computer and then require you call a support number to unlock the system.

Via: MalwareBytes (Thomas Reed)

7 thoughts on “DYLD_PRINT_TO_FILE exploit found in the wild for OS X”

    1. B. Jefferson Le Blanc

      If you read the article you’ll find a detailed explanation of how this exploit works. Try it, you’ll like it. 😉

  1. lkrupp215

    Thanks for the article Mr. Kessler. This thing is spread the old-fashioned way by tricking the user into installing it. The big difference is that it doesn’t need an admin password to do its thing. Good advice at the end too about watching what you click on.

  2. John Craig

    ArsTechnica’s coverage says this only affects 10.10 (Yosemite) and that there’s a non-Apple patch to prevent the attack. FWIW.

  3. B. Jefferson Le Blanc

    @ lkrupp215: Right. And who does that, or can do that, all the time? If everybody did, or everybody could, there would be no such thing as malware. That’s why they call this stuff human engineering now. It depends on human fallibility for its success, a universal condition from which there is no escape – for anyone – this side of the grave.

  4. Mike Smith

    Does this mean that MacKeeper is indeed malware? I’ve always heard that is just relatively useless software with an overly aggressive marketing campaign.
