MacOS LPE Exploit Gives Attackers Root Access

A researcher that goes by the handle “Siguza” released details of a local privilege escalation attack against macOS that dates back to 2002. A successful attack could give adversaries complete root access to targeted systems.

Siguza released details of the attack on Dec. 31 via Twitter, wishing followers a “Happy New Year” and linked to a technical write-up outlining the research.

The local privilege escalation (LPE) attack requires a pre-existing foothold on targeted systems. For that reason, LPEs are generally not considered critical vulnerabilities.

“An attacker needs to already have a presence on the system to take advantage of this vulnerability. This could be through infecting the target system via a remote vulnerability, such as a Safari bug, or could be through physical access, such as on a kiosk-type system,” said Jasiel Spelman, senior vulnerability researcher with Zero Day Initiative.

“The most troubling thing about this vulnerability is that it has existed for years,”  Spelman said. “Worse yet, is that this vulnerability exists in open-source components.”

Apple did not return a request for comment for this story.

The vulnerability identified by Siguza allows for compromise of the IOHIDFamily macOS kernel driver from a process with low privileges. The IOHIDFamily is a kernel extension that provides an interface for human interface devices, such as keyboards and mice, which can be implemented by vendors, describes ZDI.

“This particular code path is only supposed to be used by a privileged process known as WindowServer, however part of this attack involves breaking the assumption that WindowServer will interact with this particular component within IOHIDFamily,” Spelman said.

An attacker wanting to exploit the vulnerability has several options, depending on the level of access already gained on the targeted system.

“Even in the most extreme case, where an attacker must first compromise an unprivileged process, evidence of the attack may be visible to the user. Specifically, in order to trigger this bug, the user must logout, either forcibly by the attacker, or manually by the user while the attacker’s code waits for an opportune moment. If successful, the attacker will be able to escalate to have kernel privileges,” ZDI wrote.

Spelman said this type of vulnerability, where data from userland is trusted, has existed for years. “The assumption that was made, and unfortunately not enforced, was that only a trusted process would be able to access the vulnerable code path. The researcher managed to break that assumption through the use of the forced logout,” he said.

Siguza stated via Twitter he declined to first share his research of the macOS exploit with Apple and opted instead to post it online for maximum exposure to the problem.

“My primary goal was to get the write-up out for people to read. I wouldn’t sell to blackhats because I don’t wanna help their cause. I would’ve submitted to Apple if their bug bounty included macOS, or if the vuln was remotely exploitable,” Siguza said in a tweet.

A patch for the bug is expected by Apple later this month as part of a cumulative update, say experts.

Source: ThreatPost

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!