Get root on an OS X 10.10 Mac: The exploit is so trivial it fits in a tweet

Anonymous Coward

Re: Ayyy LMAO

It's the correct behaviour. Read the flaw description:

DYLD_PRINT_TO_FILE opens another file descriptor for the given target *and doesn't close it afterwards* so leaks it to the subshell.

As for why it works, just try these:

echo id | newgrp

echo 'echo $HOME' | newgrp

(these work on Linux too, by the way).

* newgrp starts a shell (see 'man newgrp')

* the shell detects it's not connected to a tty, so runs in non-interactive mode (see 'man bash')

* in non-interactive mode, it reads and processes commands on stdin then terminates

The reason for using 'newgrp' in this context is that it's a setuid binary, so it runs with root privileges. Of course it drops them by the time the shell is run, but by then it's too late: the DYLD_PRINT_TO_FILE feature of the dynamic linker has already opened the file, and left the open file descriptor around for the child shell to consume (as file descriptor 3, since 0-2 were already in use as stdin/stdout/stderr).
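The mechanism described in the comment above, as an added example that is not part of the comment or of Apple's dyld: a POSIX shell script in which a plain subshell stands in for the setuid newgrp/dyld pair. The "parent" opens a target file on fd 3 (as dyld does for DYLD_PRINT_TO_FILE), makes the path unwritable with chmod 0 to stand in for the privilege drop, and then starts a non-interactive child shell that reads its commands from stdin, exactly as 'echo cmd | newgrp' does. The child tries to write once through the inherited fd 3 and once through the path, so the output shows which route still works. In "closed" mode the fd is closed before the child starts, which is the fix the comment implies. The temp file, the TARGET variable and the via-fd/via-path markers are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original comment or from Apple's code.
# Reproduces the descriptor-leak pattern: a "privileged" parent opens a
# file on fd 3, drops its ability to write by path, then runs a
# non-interactive child shell that inherits fd 3.

# child_script: what the unprivileged child shell is fed on stdin.
# Writes once via the inherited descriptor and once via the path.
child_script='
printf "via-fd\n" >&3 2>/dev/null
printf "via-path\n" >>"$TARGET" 2>/dev/null
'

# run_child MODE
#   MODE=leaky   fd 3 is left open across the child, as dyld did
#   MODE=closed  fd 3 is closed before the child starts (the fix)
# Prints the target file afterwards so the caller can see which writes landed.
run_child() {
    mode=$1
    target=$(mktemp) || return 1
    printf '%s\n' "$child_script" | (
        exec 3>>"$target"        # parent opens the target while "privileged"
        chmod 0 "$target"        # path is now unwritable for a non-root child
        if [ "$mode" = closed ]; then
            exec 3>&-            # the fix: do not carry fd 3 across the exec
        fi
        export TARGET="$target"
        exec sh                  # non-interactive: runs stdin, then exits
    ) 2>/dev/null || :           # the child's exit status is not the point
    chmod 600 "$target"
    cat "$target"
    rm -f "$target"
}

# Usage:
#   run_child leaky    prints "via-fd" (and "via-path" too only when run as root)
#   run_child closed   prints nothing (or only "via-path" when run as root)
```

Run as an ordinary user, `run_child leaky` shows that the child cannot open the path itself but can still write through the descriptor it inherited, which is the whole exploit in miniature. The general fix for a privileged program is to open such files with O_CLOEXEC (or set FD_CLOEXEC) so the descriptor disappears at exec time; `exec 3>&-` is the shell-level equivalent.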

Biting the hand that feeds IT © 1998–2019