Full disclosure – rootpipe in OS X

Operating systems are built out of software, software is created by developers, developers make mistakes, and mistakes can introduce security vulnerabilities.
I wanted to highlight that all software (even from Apple) contains vulnerabilities, and many are still to be discovered. In October 2014 I was preparing a demo (for one of our conferences) on how vulnerabilities in OS X could be used by attackers to gain control over a developer machine. The first exploit I used was based on CVE-2013-1775, a bug that was patched in version 10.8.5 (Sept 2013). It felt boring that the vulnerability was more than a year old.
I searched through the binaries of OS X, and a couple of days (and nights) later I found rootpipe – a privilege escalation to root. I verified it on 10.8.5 with success. I verified it on 10.9.5 too; it worked after some modifications. OS X 10.10 Yosemite was released shortly after this, and was also vulnerable.
In this session I will disclose all details of the rootpipe vulnerability, and explain why it’s different from many other privilege escalation bugs. You’ll see how attackers find vulnerabilities in your code, even if they only have access to binaries. This is a security issue that took more than six months for Apple to patch!

Location: Stora Salongen
Date: 28th May 2015
Time: 4:00 pm - 4:40 pm
Emil Kvarnhammar