On New Year’s Eve, a researcher going by “Siguza” released details of a macOS kernel exploit that dates back to 2002. A successful attack could give adversaries complete root access to targeted systems.
Siguza (“a hobbyist hacker”) announced the details on Twitter with a link to a technical write-up detailing the research, wishing followers a “Happy New Year”. The entire project is available on GitHub, and the write-up includes a detailed list of linked references.
Siguza described it as a “macOS kernel exploit based on an IOHIDFamily 0day”. IOHIDFamily is a kernel extension that provides an interface for human interface devices such as keyboards and mice, which vendors can build on for their own hardware.
The exploit consists of three parts:
- “poc panics the kernel to demonstrate the presence of a memory corruption, should work on all macOS versions
- leak leaks the kernel slide, could be adapted to other versions but as-is works only on High Sierra
- hid achieves full kernel r/w, tested only on Sierra and High Sierra (up to & including 10.13.1), might work on earlier versions too”
The local privilege escalation (LPE) attack is only possible if the attacker already has a foothold on the targeted system. For this reason, LPEs are usually not rated as critical vulnerabilities on their own.
An attacker who wishes to exploit the vulnerability has a range of options, depending on the level of access previously gained on the targeted system.
“Even in the most extreme case, where an attacker must first compromise an unprivileged process, evidence of the attack may be visible to the user,” said Jasiel Spelman, senior vulnerability researcher at Zero Day Initiative (ZDI). He added, “Specifically, in order to trigger this bug, the user must log out, either forcibly by the attacker, or manually by the user while the attacker’s code waits for an opportune moment. If successful, the attacker will be able to escalate to have kernel privileges.”
Spelman said this kind of vulnerability, in which data from userland is trusted, has existed for a long time. “The assumption that was made, and unfortunately not enforced, was that only a trusted process would be able to access the vulnerable code path. The researcher managed to break that assumption through the use of the forced logout,” he said.
Jason Haddix, head of trust and security at Bugcrowd, said the most concerning aspect of this bug is the fact that it has existed for so long. “We see this every so often where a bug has been latent in a system for years and no one has found it – or we hope no one has. It does go to show that automation, which Apple is no doubt using, is not a catch-all solution for finding bugs.”
A patch for the macOS kernel vulnerability is expected from Apple later this month as part of a larger update.