Posted on 04-21-2015 09:18 AM
Posted on 04-21-2015 09:59 AM
Has anyone tried the script from Richard Glasser?
He developed SUID Scan as a frontline, lightweight defense mechanism against the rootpipe security vulnerability published in April, 2015.
We're going to take a look at it shortly....
Posted on 04-22-2015 10:39 AM
Disappointing. And inexcusable they refuse to backport the fix to 10.9 at least!
Posted on 04-22-2015 12:59 PM
I agree that this is inexcusable considering how OS X 10.10 was only released 6-7 months ago. However, for what it's worth, their 'fix' didn't really fix the issue, so it wouldn't have mattered. If anything, it probably would have broken things that actually still work in 10.9.5. So at least you have that to look forward to....
Posted on 04-22-2015 01:51 PM
@bpavlov I find it humorous that you say it was only released 6-7 months ago; that is more than 50% of this OS version's life cycle. OK, it will get up to another 12 months of security-only updates, and then again maybe it won't, as you can see with this security threat.
Posted on 04-23-2015 07:50 AM
First rootpipe malware has been discovered too.
I wrote a quick extension attribute to track for it if anyone wants it. https://github.com/tulgeywood/JAMF/blob/master/Extension%20Attributes/XSLCmd/XSLCmd.py
Posted on 04-30-2015 03:16 AM
Do you think that
is a literal string?
Posted on 04-30-2015 04:58 AM
@sean I don't. I just made a stupid paste error. I removed it from my check as I'm not sure what format any of those time references will be in and I highly doubt that one file would ever be the only indicator on a machine. Thanks for catching my mistake.
Posted on 04-30-2015 07:58 AM
They appear to have been explicit with the format. Perhaps you could check for:
Posted on 04-30-2015 11:18 AM
Has anyone tried:
And, if so, would you share your compiled version?
Posted on 04-30-2015 11:37 AM
I find it humorous that you say it was only released 6-7 months ago; that is more than 50% of this OS version's life cycle. OK, it will get up to another 12 months of security-only updates, and then again maybe it won't, as you can see with this security threat.
Nah... they'll announce OS X 10.11 "Muscle Beach" at the WWDC in June and it'll be h@x0r-fr33!
Posted on 05-18-2015 02:33 PM
Actually, I didn't write the script, but helped with the concept. It was written by a member of our group.
So, SUID Scan script working for you?
Posted on 05-20-2015 07:26 AM
@uurazzle I'm getting this error on 10.9.5
com.apple.launchd.peruser.502 (edu.utah.scl.suid_scan.login): Job failed to exec(3) for weird reason: 13
Most of the files seem to be there, but the installer reported that it failed.
Posted on 05-20-2015 04:27 PM
Can you post the installer error log?
Posted on 05-20-2015 04:28 PM
We might want to move this to the github too vs debugging it here.
Can you post there or if not we can debug it here.
Posted on 05-21-2015 08:45 AM
Went to GitHub - done! Thank you.
Posted on 07-01-2015 01:49 PM
In reference to the 'rootpipe' issue: OS X 10.10.3 and 10.10.4 contain fixes for Yosemite. Security Update 2015-005 contains backports of these fixes to OS X 10.9.5 only.
Currently, the solution for earlier OSes is to upgrade to Mavericks or Yosemite and apply the latest updates.
Posted on 07-01-2015 02:05 PM
Note: we tested Security Update 2015-005 on OS X 10.9.5, and binaries created before the patch still retain the ability to gain root. So, keep this in mind if you are concerned your clients might have additional/modified binaries. Post-patch, the exploit will not create new binaries.
So, if you have your clients' file systems in a known state, or you can use suid_scan on a box that is in a known state, you can then use it to compare other boxes for additional suid binaries.
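The baseline-and-compare idea in the post above (take a listing of setuid files from a box in a known state, then diff other boxes against it) as an added shell example. This is not the suid_scan project's code, and the directory tree, file names and the "unexpected" file it builds under a temp dir are all constructed for the demo; only the two functions `scan_suid` and `new_suid` are the reusable part.

```shell
#!/bin/sh
# Added example (not the suid_scan project's code): take a baseline of setuid
# files on a known-good host, then report setuid files that appear elsewhere.

# scan_suid ROOT: list regular files with the setuid bit under ROOT,
# one path per line, sorted bytewise so the lists can be fed to comm(1).
scan_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | LC_ALL=C sort
}

# new_suid BASELINE CURRENT: print paths in CURRENT that are absent from
# BASELINE (both files must be sorted the way scan_suid sorts them).
new_suid() {
    LC_ALL=C comm -13 "$1" "$2"
}

# demo_new_suid: builds a constructed filesystem tree in a temp dir, takes a
# baseline, adds one extra setuid file, and shows the comparison flagging it.
# All file names below are invented for the demo; nothing real is modified.
demo_new_suid() {
    tmp=$(mktemp -d) || return 1
    root="$tmp/root"
    mkdir -p "$root/usr/bin" "$root/tmp"

    # "known-good" setuid binaries on the reference box (constructed stand-ins)
    for f in usr/bin/sudo usr/bin/passwd; do
        : > "$root/$f"
        chmod 4755 "$root/$f"
    done
    # a normal, non-setuid file that must not be reported
    : > "$root/usr/bin/ls"
    chmod 0755 "$root/usr/bin/ls"

    # baseline listing, with the temp prefix stripped so paths look like real ones
    scan_suid "$root" | sed "s|^$root||" > "$tmp/baseline.txt"

    # later, an unexpected setuid file shows up on a client (constructed stand-in)
    : > "$root/tmp/unexpected"
    chmod 4755 "$root/tmp/unexpected"

    scan_suid "$root" | sed "s|^$root||" > "$tmp/current.txt"
    new_suid "$tmp/baseline.txt" "$tmp/current.txt"

    rm -rf "$tmp"
}

# Running the script directly prints the one path that was not in the baseline.
demo_new_suid
```

In practice you would run `scan_suid /` on the known-good box, save the output as the baseline, and feed each client's `scan_suid /` output to `new_suid`; both listings must come from `scan_suid` (or another bytewise-sorted source), since `comm` misbehaves on input sorted under a different collation.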
Posted on 07-01-2015 02:25 PM
Ugh - I saw the timestamp of 15 minutes ago and thought it was a new discussion. Glad to know I was just looking at an old topic :)