Rootpipe is back.....

GaToRAiD
Contributor II

While looking for information on rootpipe, I came across this.....

Rootpipe updated


dderusha
Contributor

Has anyone tried the script from Richard Glasser?

He developed SUID Scan as a frontline, lightweight defense mechanism against the rootpipe security vulnerability published in April, 2015.

https://github.com/univ-of-utah-marriott-library-apple/suid_scan

We're going to take a look at it shortly....

analog_kid
Contributor

Disappointing. And inexcusable they refuse to backport the fix to 10.9 at least!

bpavlov
Honored Contributor

I agree that this is inexcusable considering that OS X 10.10 was only released 6-7 months ago. However, for what it's worth, their 'fix' didn't really fix the issue, so it wouldn't have mattered. If anything, it probably would have broken things that actually still work in 10.9.5. So at least you have that to look forward to....

nessts
Valued Contributor II

@bpavlov I find it humorous that you say it was only released 6-7 months ago; that is more than 50% of this version of OS X's life cycle. OK, it will get up to another 12 months of security-only updates, and then again maybe it won't, as you can see with this security threat.

jesseshipley
Contributor

First rootpipe malware has been discovered too.

https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html

I wrote a quick extension attribute to track for it if anyone wants it. https://github.com/tulgeywood/JAMF/blob/master/Extension%20Attributes/XSLCmd/XSLCmd.py

sean
Valued Contributor

Do you think that

$HOME/Library/Logs/BackupData/<year><month><day>_<hr>_<min>_<sec>_keys.log

is a literal string?

jesseshipley
Contributor

@sean I don't. I just made a stupid paste error. I removed it from my check as I'm not sure what format any of those time references will be in and I highly doubt that one file would ever be the only indicator on a machine. Thanks for catching my mistake.

sean
Valued Contributor

They appear to have been explicit with the format. Perhaps you could check for:

$HOME/Library/Logs/BackupData/*_*_*_*_keys.log
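One way to turn the glob above into a Jamf extension attribute, written here as an added example (it is not the XSLCmd.py linked earlier in the thread). Because an EA runs as root, $HOME would be root's home, so the example walks every directory under /Users instead. The glob is the one from the thread; the extra requirement that the four underscore-separated fields be all digits is an assumption based on the `<year><month><day>_<hr>_<min>_<sec>` description, and the function and constant names are the example's own.

```python
#!/usr/bin/env python3
"""Jamf-style extension attribute: look for XSLCmd keylog files.

Added example, not the script linked in the thread. It applies the glob
suggested above, $HOME/Library/Logs/BackupData/*_*_*_*_keys.log, to every
home directory under /Users (an EA runs as root, so $HOME is not the
user's) and, as an assumption, requires the four fields before "keys.log"
to be numeric so that a stray "a_b_c_d_keys.log" does not trigger it.
"""
import fnmatch
import os
import re

INDICATOR_GLOB = "*_*_*_*_keys.log"                   # pattern from the thread
# Assumption: <year><month><day>_<hr>_<min>_<sec> are all-digit fields,
# e.g. 20150421_09_30_15_keys.log
INDICATOR_RE = re.compile(r"^\d+_\d+_\d+_\d+_keys\.log$")


def indicator_files(home_dirs):
    """Return sorted paths of files under <home>/Library/Logs/BackupData
    whose names match both the glob and the stricter numeric pattern."""
    hits = []
    for home in home_dirs:
        logdir = os.path.join(home, "Library", "Logs", "BackupData")
        if not os.path.isdir(logdir):
            continue
        for name in os.listdir(logdir):
            path = os.path.join(logdir, name)
            if not os.path.isfile(path):
                continue
            if fnmatch.fnmatch(name, INDICATOR_GLOB) and INDICATOR_RE.match(name):
                hits.append(path)
    return sorted(hits)


def user_home_dirs(users_root="/Users"):
    """Every directory under /Users except Shared (macOS layout assumed)."""
    if not os.path.isdir(users_root):
        return []
    return [os.path.join(users_root, d)
            for d in sorted(os.listdir(users_root))
            if d != "Shared" and os.path.isdir(os.path.join(users_root, d))]


def ea_result(home_dirs):
    """Format the findings the way a Jamf EA expects: <result>...</result>."""
    hits = indicator_files(home_dirs)
    body = "Clean" if not hits else "Suspect: " + ", ".join(hits)
    return "<result>%s</result>" % body


if __name__ == "__main__":
    print(ea_result(user_home_dirs()))
```

The glob alone would also match a file such as `x_y_z_w_keys.log`; the numeric check is what makes the EA report only names shaped like the timestamped ones, which keeps the Smart Group built on it quiet until something that actually looks like the indicator appears.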

tep
Contributor II

Has anyone tried:
https://reverse.put.as/2015/04/13/how-to-fix-rootpipe-in-mavericks-and-call-apples-bullshit-bluff-ab...
And, if so, would you share your compiled version?

yellow
Contributor

@nessts

I find it humorous that you say it was only released 6-7 months ago; that is more than 50% of this version of OS X's life cycle. OK, it will get up to another 12 months of security-only updates, and then again maybe it won't, as you can see with this security threat.

Nah... they'll announce OS X 10.11 "Muscle Beach" at the WWDC in June and it'll be h@x0r-fr33!

uurazzle
Contributor II

Actually, I didn't write the script, but I helped with the concept. It was written by a member of our group.

So, SUID Scan script working for you?

dderusha
Contributor

@uurazzle I'm getting this error on 10.9.5

com.apple.launchd.peruser.502[239] (edu.utah.scl.suid_scan.login[9028]): Job failed to exec(3) for weird reason: 13

Most of the files seem to be there, but the installer reported that it failed.

uurazzle
Contributor II

Can you post the installer error log?

uurazzle
Contributor II

We might want to move this to the github too vs debugging it here.

https://github.com/univ-of-utah-marriott-library-apple/suid_scan/issues

Can you post there or if not we can debug it here.

dderusha
Contributor

Went to GitHub - done! Thank you.

Dan

uurazzle
Contributor II

FYI:

In reference to the ’rootpipe’ issue. OS X 10.10.3 and 10.10.4 contain fixes for Yosemite. The Security Update 2015-005 contains back ports of these fixes to OS X 10.9.5 only.

https://support.apple.com/en-us/HT204942

Currently, the solution for earlier OSes is to upgrade to Mavericks or Yosemite and apply the latest updates.

uurazzle
Contributor II

Note: we tested Security Update 2015-005 on OS X 10.9.5, and binaries created before the patch still retain the ability to gain root. So keep this in mind if you are concerned that your clients might have additional or modified binaries. Post-patch, the exploit will not create new binaries.

So, if you have your clients' file systems in a known state, or you can run suid_scan on a box that is in a known state, you can then use it to compare other boxes for additional SUID binaries.

https://github.com/univ-of-utah-marriott-library-apple/suid_scan
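The baseline-and-compare idea described above, as an added example that is not the University of Utah suid_scan script: take a snapshot of every setuid/setgid regular file (path, owner, group, mode, SHA-256) on a box that is in a known state, then diff other boxes against it. A binary planted before the patch shows up as "added"; a legitimate binary that has been tampered with shows up as "changed". The subcommands, the default root list, and the JSON snapshot format are this example's own assumptions.

```python
#!/usr/bin/env python3
"""Baseline-and-compare scan for setuid/setgid binaries.

Added example in the spirit of the suid_scan approach described in the
thread; it is not the University of Utah script. Assumed CLI:
  suid_baseline.py baseline known_good.json   # on a box in a known state
  suid_baseline.py compare  known_good.json   # on any other box
"compare" exits 1 when the box has setuid/setgid files the baseline does
not know, or whose owner/group/mode/hash differ from the baseline.
"""
import hashlib
import json
import os
import stat
import sys

# Assumed default roots; /dev, /Volumes and network mounts are left out on purpose.
DEFAULT_ROOTS = ["/usr", "/bin", "/sbin", "/Library", "/System", "/Applications"]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_suid(roots):
    """Map path -> {uid, gid, mode, sha256} for every regular file with the
    setuid or setgid bit set under the given roots (symlinks are not followed)."""
    found = {}
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                    if not stat.S_ISREG(st.st_mode):
                        continue  # symlinks, sockets, devices carry no payload
                    if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                        continue
                    found[path] = {
                        "uid": st.st_uid,
                        "gid": st.st_gid,
                        "mode": oct(stat.S_IMODE(st.st_mode)),
                        "sha256": sha256_file(path),
                    }
                except OSError:
                    continue  # unreadable or vanished between listing and stat
    return found


def compare(baseline, current):
    """Return {'added', 'changed', 'removed'} lists of paths relative to the baseline.
    'changed' means owner, group, mode or content hash differs."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "changed": changed, "removed": removed}


def main(argv):
    if len(argv) == 3 and argv[1] == "baseline":
        with open(argv[2], "w") as f:
            json.dump(scan_suid(DEFAULT_ROOTS), f, indent=2, sort_keys=True)
        return 0
    if len(argv) == 3 and argv[1] == "compare":
        with open(argv[2]) as f:
            baseline = json.load(f)
        diff = compare(baseline, scan_suid(DEFAULT_ROOTS))
        print(json.dumps(diff, indent=2))
        return 1 if diff["added"] or diff["changed"] else 0
    print("usage: %s baseline|compare <snapshot.json>" % argv[0], file=sys.stderr)
    return 2


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run "baseline" as root so the walk can read everything, and keep the snapshot off the client (a planted binary is exactly the kind of thing an attacker with root would also add to a local baseline). Hashing catches the case where the mode and owner look right but the file body was swapped, which a permissions-only `find / -perm -4000` listing would miss.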

bradtchapman
Valued Contributor II

Ugh - I saw the timestamp of 15 minutes ago and thought it was a new discussion. Glad to know I was just looking at an old topic :)