Question

Rootpipe is back.....

  • April 21, 2015
  • 18 replies
  • 24 views


While looking for information on rootpipe, I came across this.....

Rootpipe updated


  • Contributor
  • April 21, 2015

Has anyone tried the script from Richard Glasser?

He developed SUID Scan as a frontline, lightweight defense mechanism against the rootpipe security vulnerability published in April 2015.

https://github.com/univ-of-utah-marriott-library-apple/suid_scan

We're going to take a look at it shortly....


  • New Contributor
  • April 22, 2015

Disappointing. And inexcusable they refuse to backport the fix to 10.9 at least!


bpavlov
  • Esteemed Contributor
  • April 22, 2015

I agree that this is inexcusable considering how OS X 10.10 only released 6-7 months ago. However, for what it's worth, their 'fix' didn't really fix the issue so it wouldn't have mattered. If anything it probably would have broken things that actually still work in 10.9.5. So at least you have that to look forward to....


  • Valued Contributor
  • April 22, 2015

@bpavlov I find it humorous that you say "only released 6-7 months ago"; that is more than 50% of this OS version's life cycle. OK, it will get up to another 12 months of security-only updates, and then again maybe it won't, as you can see with this security threat.


  • Contributor
  • April 23, 2015

First rootpipe malware has been discovered too.

https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html

I wrote a quick extension attribute to track for it if anyone wants it. https://github.com/tulgeywood/JAMF/blob/master/Extension%20Attributes/XSLCmd/XSLCmd.py


  • Contributor
  • April 30, 2015

Do you think that

$HOME/Library/Logs/BackupData/<year><month><day>_<hr>_<min>_<sec>_keys.log

is a literal string?


  • Contributor
  • April 30, 2015

@sean I don't. I just made a stupid paste error. I removed it from my check as I'm not sure what format any of those time references will be in and I highly doubt that one file would ever be the only indicator on a machine. Thanks for catching my mistake.


  • Contributor
  • April 30, 2015

They appear to have been explicit with the format. Perhaps you could check for:

$HOME/Library/Logs/BackupData/*_*_*_*_keys.log
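The glob above is easy to turn into a Jamf-style extension attribute that walks every home directory and reports whether the indicator file is present. The script below is an added example written for this thread, not the XSLCmd.py linked earlier; the function names, the `<result>` wrapper, and the sample home directories it builds are all constructed here. The four-wildcard pattern is the one suggested in the post, used because the width of the timestamp fields is unknown.

```python
#!/usr/bin/env python3
"""Added example: extension-attribute style check for the XSLCmd indicator
file. Not the thread's XSLCmd.py; names and sample data are constructed."""
import glob
import os
import tempfile

# Relative path under each home directory, as discussed in the thread:
#   Library/Logs/BackupData/<year><month><day>_<hr>_<min>_<sec>_keys.log
# The timestamp field widths are unknown, so each field is a wildcard.
INDICATOR_GLOB = os.path.join("Library", "Logs", "BackupData", "*_*_*_*_keys.log")


def find_indicator_files(users_root):
    """Return a sorted list of matching files under every home dir in users_root."""
    hits = []
    for entry in sorted(os.listdir(users_root)):
        home = os.path.join(users_root, entry)
        # Skip non-directories and dot entries such as .localized
        if not os.path.isdir(home) or entry.startswith("."):
            continue
        hits.extend(sorted(glob.glob(os.path.join(home, INDICATOR_GLOB))))
    return hits


def extension_attribute_result(users_root="/Users"):
    """Format the answer the way a Jamf extension attribute expects."""
    hits = find_indicator_files(users_root)
    if not hits:
        return "<result>Not found</result>"
    return "<result>Found: " + "; ".join(hits) + "</result>"


def build_demo_tree():
    """Constructed sample: two fake home dirs, one containing the indicator."""
    root = tempfile.mkdtemp(prefix="ea_demo_")
    clean = os.path.join(root, "alice", "Library", "Logs", "BackupData")
    flagged = os.path.join(root, "bob", "Library", "Logs", "BackupData")
    os.makedirs(clean)
    os.makedirs(flagged)
    # Only three underscores before keys.log, so this must NOT match
    open(os.path.join(clean, "20150430_12_00_keys.log"), "w").close()
    # Constructed file name that matches the four-field pattern
    open(os.path.join(flagged, "20150430_12_00_00_keys.log"), "w").close()
    return root


if __name__ == "__main__":
    # On a real Mac, call extension_attribute_result() with the default /Users
    print(extension_attribute_result(build_demo_tree()))
```

As the earlier reply notes, one file name is a weak indicator on its own; treat a hit as a reason to look closer, not as a verdict.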

  • Contributor
  • April 30, 2015

@nessts

I find it humorous that you say "only released 6-7 months ago"; that is more than 50% of this OS version's life cycle. OK, it will get up to another 12 months of security-only updates, and then again maybe it won't, as you can see with this security threat.

Nah... they'll announce OS X 10.11 "Muscle Beach" at the WWDC in June and it'll be h@x0r-fr33!


  • Contributor
  • May 18, 2015

Actually, I didn't write the script, but helped with the concept. It was written by a member of our group.

So, SUID Scan script working for you?


  • Contributor
  • May 20, 2015

@uurazzle I'm getting this error on 10.9.5

com.apple.launchd.peruser.502[239] (edu.utah.scl.suid_scan.login[9028]): Job failed to exec(3) for weird reason: 13

Most of the files seem to be there, but the installer reported a failure.


  • Contributor
  • May 20, 2015

Can you post the installer error log?


  • Contributor
  • May 20, 2015

We might want to move this to GitHub instead of debugging it here.

https://github.com/univ-of-utah-marriott-library-apple/suid_scan/issues

Can you post there? If not, we can debug it here.


  • Contributor
  • May 21, 2015

Went to GitHub - done! Thank you.

Dan


  • Contributor
  • July 1, 2015

FYI:

In reference to the 'rootpipe' issue: OS X 10.10.3 and 10.10.4 contain fixes for Yosemite. Security Update 2015-005 contains backports of these fixes to OS X 10.9.5 only.

https://support.apple.com/en-us/HT204942

Currently, the solution for earlier OSes is to upgrade to Mavericks or Yosemite and apply the latest updates.


  • Contributor
  • July 1, 2015

Note, we tested the Security Update 2015-005 on OS X 10.9.5, binaries created before the patch still retain the ability to gain root. So, keep this in mind if you are concerned your clients might have additional/modified binaries. Post patch, the exploit will not create new binaries.

So, if you have clients' file systems in a known state, or you can run suid_scan on a box that is in a known state, you can then use it to compare other boxes for additional SUID binaries.

https://github.com/univ-of-utah-marriott-library-apple/suid_scan
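The "compare against a known-good box" approach above is worth seeing end to end: snapshot the setuid/setgid files on a clean machine, then diff another machine's snapshot against it so that a binary the patch could not remove still shows up. The script below is an added example written for this thread and is not the suid_scan project's own code; it records mode and SHA-256 per file so a replaced binary is reported as "changed" rather than missed, and the two sample trees it builds are constructed for the demo.

```python
#!/usr/bin/env python3
"""Added example, not the suid_scan project's code: baseline and diff of
setuid/setgid files. Sample trees are constructed; run on / for real use."""
import hashlib
import json
import os
import stat
import tempfile


def scan_suid(root):
    """Map relative path -> {'mode', 'sha256'} for every regular file under
    root with the setuid or setgid bit set. Symlinks are not followed and
    other filesystems are not crossed, so /Volumes mounts are left alone."""
    found = {}
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune directories that live on a different filesystem
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                rel = os.path.relpath(path, root)
                found[rel] = {"mode": oct(stat.S_IMODE(st.st_mode)),
                              "sha256": digest}
    return found


def compare_to_baseline(baseline, current):
    """Report SUID entries added, removed, or altered relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def _write(root, rel, data, mode=None):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    if mode is not None:
        os.chmod(path, mode)  # chmod after the write so the bit is not cleared


def build_demo_roots():
    """Constructed sample: a known-good tree and a tree with one extra SUID
    file plus one SUID binary whose contents differ from the baseline."""
    good = tempfile.mkdtemp(prefix="suid_good_")
    other = tempfile.mkdtemp(prefix="suid_other_")
    for r in (good, other):
        _write(r, os.path.join("usr", "bin", "sudo"), b"sudo-v1", 0o4755)
        _write(r, os.path.join("etc", "hosts"), b"127.0.0.1 localhost")  # not SUID
    _write(good, os.path.join("usr", "bin", "ping"), b"ping-v1", 0o4755)
    _write(other, os.path.join("usr", "bin", "ping"), b"ping-v2", 0o4755)
    _write(other, os.path.join("tmp", "extra"), b"unknown", 0o4755)
    return good, other


if __name__ == "__main__":
    good, other = build_demo_roots()
    baseline = scan_suid(good)  # on a real box: json.dump(scan_suid("/"), f)
    print(json.dumps(compare_to_baseline(baseline, scan_suid(other)), indent=2))
```

Store the baseline JSON alongside the OS build it was taken from, since a legitimate OS update also changes the hashes of system setuid binaries and will show up in "changed" until the baseline is refreshed.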


bradtchapman
  • Valued Contributor
  • July 1, 2015

Ugh - I saw the timestamp of 15 minutes ago and thought it was a new discussion. Glad to know I was just looking at an old topic :)