
Rootpipe exploit

"And now we also know that the bug has been discovered by what seems to be a Chinese APT actor and was already exploited in the wild (although only affecting < 10.8)."

The link I want to post for this doesn't work because the Sophos nanny insists on bleeping out "bs." So find it from this--"How to fix rootpipe...." It appears in comments in that article.

https://reverse.put.as/?s=rootpipe

Question: Any kind of protection from this from Sophos? Will Sophos be able to identify any files that contain such a payload?




  • sandy wrote:

    I asked SophosLabs about this, and this is the answer I received:

    Rootpipe (CVE-2015-1130) is a local elevation of privilege vulnerability. If malware wants to exploit it, it must first get into the computer and then it must be executed. We don't know of any malware that uses this technique, therefore we don't have detections.

    If you believe otherwise I would urge you to submit a sample to us: https://www.sophos.com/en-us/support/knowledgebase/11490.aspx


    Hi Sandy,

    It's not just a local privilege escalation vulnerability.

    “An attacker could combine it with a remote code execution exploit. Remote code execution exploits are discovered and fixed in almost every version of OS X,” Kvarnhammar said. “An attacker would only need to know a way to exploit one of them and write code that exploits the combination in order to gain full root access on another's machine.”
    https://threatpost.com/older-versions-of-os-x-remain-vulnerable-to-rootpipe-hidden-backdoor-api/112105

    And, from what I already wrote above, there may be an actual malware sample for Labs to look at:

    "There is malware from 2014 that was already exploiting this vulnerability. Found by noar, the following sample contains the exploit code for both Mavericks and older versions. It uses the exploit to activate the Accessibility API. See, we don't even need to wait for new malware, it was already being exploited in the wild. The malware sample is described by FireEye here, but they totally miss the zero day there. They just lightly describe the result but not the technique."

    In addition, there is a rootpipe tester. Although it may not completely or accurately simulate the form in which a real-world exploit might arrive, it might give Labs some idea of what a payload with rootpipe would look like.

    https://github.com/sideeffect42/RootPipeTester/releases

    And the outlines of the exploit are already well known and described by Kvarnhammar, who discovered it.

    https://truesecdev.wordpress.com/2015/04/09/hidden-backdoor-api-to-root-privileges-in-apple-os-x/

    Kvarnhammar has also pointed out that he was able to get this exploit going even from a standard account, so switching to a standard from an admin account offers no protection.

    The idea here is can you get back to Sophos Labs and ask them if it would be possible for them to get out ahead of this with a signature for the privilege escalation payload a malware author would need to use, before it starts being employed frequently in the wild, something which is all but inevitable and probably quite soon. There is currently zero protection against this, even from the fix Apple supplied for 10.10.3.

    http://9to5mac.com/2015/04/21/os-x-rootpipe-vulnerability-security/

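To make the request for a "signature for the privilege escalation payload" concrete, here is a string-indicator scan of the kind such a signature could be built on. It is an added example, not code from this thread, from Sophos, or from Kvarnhammar's proof of concept. It assumes a rootpipe-style payload carries the Admin.framework, WriteConfigClient and selector names described in the public write-up; that indicator list and the sample inputs are constructed for illustration, not taken from a real malware sample.

```python
"""Indicator scan for rootpipe-style (CVE-2015-1130) payloads.

Added example, not from the thread or from any vendor. The indicator set is an
assumption based on the public description of the technique: a payload that
reaches the private Admin.framework XPC path has to name the WriteConfigClient
class and the two selectors below somewhere in its binary or script.
"""
import re
import sys
from dataclasses import dataclass, field

# Assumed indicators (tune against real samples before relying on them).
ROOTPIPE_INDICATORS = {
    "framework": [b"Admin.framework"],
    "class": [b"WriteConfigClient"],
    "selector": [
        b"authenticateUsingAuthorizationSync:",
        b"createFileWithContents:path:attributes:",
    ],
}


def _pattern(indicator: bytes):
    # pyobjc spells the selector "foo:bar:" as "foo_bar_", so a script-based
    # payload and a compiled Objective-C one carry different spellings.
    parts = [re.escape(p) for p in indicator.split(b":")]
    return re.compile(b"[:_]".join(parts))


COMPILED = {
    category: [(name, _pattern(name)) for name in names]
    for category, names in ROOTPIPE_INDICATORS.items()
}


@dataclass
class ScanResult:
    hits: dict = field(default_factory=dict)  # category -> matched indicator names

    @property
    def verdict(self) -> str:
        selectors = self.hits.get("selector", [])
        both_selectors = len(selectors) == len(ROOTPIPE_INDICATORS["selector"])
        if both_selectors and ("class" in self.hits or "framework" in self.hits):
            return "rootpipe-payload"
        if self.hits:
            return "suspicious"
        return "clean"


def scan_blob(blob: bytes) -> ScanResult:
    """Search raw bytes (binary or script) for every indicator."""
    result = ScanResult()
    for category, entries in COMPILED.items():
        for name, pattern in entries:
            if pattern.search(blob):
                result.hits.setdefault(category, []).append(name.decode())
    return result


def scan_file(path: str) -> ScanResult:
    with open(path, "rb") as fh:
        return scan_blob(fh.read())


# Constructed sample 1: what the selector-name section of a compiled payload
# might look like (NUL-separated strings after a Mach-O 64-bit magic).
SAMPLE_COMPILED_PAYLOAD = (
    b"\xcf\xfa\xed\xfe" + b"\x00" * 12
    + b"sharedClient\x00authenticateUsingAuthorizationSync:\x00"
    + b"remoteProxy\x00createFileWithContents:path:attributes:\x00"
    + b"/System/Library/PrivateFrameworks/Admin.framework\x00"
)

# Constructed sample 2: the same technique written as a pyobjc script.
SAMPLE_SCRIPT_PAYLOAD = (
    b"import objc\n"
    b"objc.loadBundle('Admin', bundle_path='/System/Library/PrivateFrameworks/"
    b"Admin.framework', module_globals=globals())\n"
    b"client = WriteConfigClient.sharedClient()\n"
    b"client.authenticateUsingAuthorizationSync_(auth)\n"
    b"client.remoteProxy().createFileWithContents_path_attributes_(d, p, a)\n"
)

# Constructed sample 3: a binary that only mentions one of the selectors.
SAMPLE_PARTIAL = (
    b"\xcf\xfa\xed\xfe" + b"sharedClient\x00createFileWithContents:path:attributes:\x00"
)

# Constructed sample 4: nothing of interest.
SAMPLE_BENIGN = b"#!/bin/sh\necho hello\n"


if __name__ == "__main__":
    # Usage: python rootpipe_scan.py FILE [FILE ...]
    for arg in sys.argv[1:]:
        res = scan_file(arg)
        print(f"{arg}: {res.verdict} {res.hits}")
```

Two caveats a practitioner would attach to this. First, Apple's own Admin.framework binary and the tools that legitimately drive it contain these same strings, so anything matched under /System has to be allow-listed rather than treated as a hit. Second, a string signature like this is defeated by the simplest obfuscation of the selector names, which is the weakness behind Labs' position that a detection is only as good as the sample it is built from.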