Application Enhancer can be used to gain root privileges under Mac OS X
The eighth bug in the Month of Apple Bugs this time concerns a local privilege escalation vulnerability in Application Enhancer (APE) - the very tool that Landon Fuller's group has been using to install MOAB fixes for the previous vulnerabilities. APE is a combination of framework and system service, which allows running applications to be modified in memory using modules - without touching the files on the disk. This uses the Application Enhancer daemon (aped), which runs with root privileges, but drops back to normal user privileges for the applications it launches.
However, the framework is installed in the /Library/Frameworks directory, a path to which Mac users usually have write access. An attacker could patch the Application Enhancer framework so that an application launched through APE retains root privileges. An attacker who has already penetrated the Mac from the network using another vulnerability could then escalate his privileges without entering a root password. A similar vulnerability in Apple's DiskManagement was published just last week as part of the MOAB. A Ruby exploit demonstrating the problem, a script that patches the APE daemon, can be downloaded from the MOAB website; the demo requires a system restart. APE version 2.0.2, the current release, and all previous versions are affected.
Whilst the workaround suggested by the Month of Apple Bugs activists is to stop using APE, Landon Fuller suggests that administrators simply block write access to /Library/Frameworks: sudo chmod g-w /Library/Frameworks.
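As an added example, not code from the MOAB report or from Landon Fuller's fix scripts, the following shell audit reports whether the locations aped loads its framework from are group- or world-writable, which is the condition the chmod workaround above is meant to remove. The bundle path /Library/Frameworks/ApplicationEnhancer.framework is an assumption about where APE installs itself; the article only names the parent directory.

```shell
#!/bin/sh
# Audit of the APE framework search path (added example, not from
# the MOAB advisory). aped runs as root but loads its framework from
# /Library/Frameworks, so neither that directory nor the framework
# bundle inside it may be writable by ordinary users.

# check_writable_dir PATH
#   prints a verdict; returns 0 if safe, 1 if group- or world-
#   writable, 2 if the path does not exist.
check_writable_dir() {
    path="$1"
    [ -e "$path" ] || { echo "MISSING  $path"; return 2; }
    # ls -ld prints e.g. "drwxrwxr-x ..."; characters 6 and 9 are
    # the group and other write bits (same on macOS and Linux).
    mode=$(ls -ld "$path" | cut -c1-10)
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo "WRITABLE $mode $path"
        return 1
    fi
    echo "OK       $mode $path"
    return 0
}

# audit_ape_paths
#   checks the parent directory and the (assumed) bundle path;
#   returns the number of writable entries found, so 0 means clean.
audit_ape_paths() {
    bad=0
    for p in /Library/Frameworks \
             /Library/Frameworks/ApplicationEnhancer.framework; do
        rc=0
        check_writable_dir "$p" || rc=$?
        [ "$rc" -eq 1 ] && bad=$((bad + 1))
    done
    return "$bad"
}

# Run the audit when executed directly (the chmod g-w workaround
# from the article is the fix for any WRITABLE line reported).
[ "${APE_AUDIT_LIB:-}" = "1" ] || audit_ape_paths
```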
- Application Enhancer (APE) Local Privilege Escalation, bug report from MOAB