by jdmichal 4082 days ago
This is a hole that exists because an Apple-written application needed a method to gain elevated access. This was done through unpublished APIs which, when used by another application in a similar way, also resulted in elevated access.

So, this was clearly intentional, because it's used by Apple directly. And it allows illicit access, because any program can use it to gain access.

1 comment

I'm not so sure. Unless I'm missing something, he doesn't demonstrate that this 'backdoor' is in use. It looks like they were using an escalation backdoor in `systemsetup`, but quickly patched a fix after 10.8.5. He just found a way around it.

Now, the fact that 'it takes too much effort' to backport would suggest that it was still in use. I don't see any other evidence, though. I'd be interested if someone found it!

This seems to be the path followed:

systemsetup pointed to the Admin framework.

Admin framework analysis revealed use of "createFileWithContents". The function in which this use occurs is not named in the analysis.

An error message in the initial proof attempt led to "authenticateUsingAuthorization". Back to systemsetup to determine how to use "authenticateUsingAuthorization". (This is where I ended up mentally relinking the issue back to systemsetup.)

So, I concede that it is not stated where within the Admin framework this "createFileWithContents" method is invoked. However, I also agree that if that function was not used, it would be simple to remove it and the issue would be fixed.