On New Year’s Eve, a security researcher made public the details of an unpatched vulnerability in Apple’s macOS operating system that can be exploited to take complete control of a machine.
On the first day of 2018, the researcher, who goes by the online moniker Siguza, released the details of the unpatched macOS zero-day, which he suggests is at least 15 years old, together with proof-of-concept (PoC) exploit code on GitHub.
The bug is a local privilege escalation (LPE) vulnerability: an unprivileged user, or an attacker who is already able to run code on the machine (for example through malware), can use it to obtain root and take control of the system. It cannot be exploited remotely on its own.
From reading the source, Siguza believes the vulnerability has been present since at least 2002, and some clues suggest the flaw could be another ten years older than that. “One tiny, ugly bug. Fifteen years. Full system compromise,” he wrote.
The flaw resides in IOHIDFamily, a macOS kernel extension that handles human interface devices (HID) such as touchscreens and buttons. Exploiting it lets an attacker execute arbitrary code in the kernel and drop a root shell on the system.
“IOHIDFamily has been notorious in the past for the many race conditions it contained, which ultimately led to large parts of it being rewritten to make use of command gates, as well as large parts being locked down by means of entitlements,” the researcher explains.
“I was originally looking through its source in the hope of finding a low-hanging fruit that would let me compromise an iOS kernel, but what I didn’t know then is that some parts of IOHIDFamily exist only on macOS – specifically IOHIDSystem, which contains the vulnerability.”
The exploit Siguza created, which he dubbed IOHIDeous, affects all versions of macOS and gives the attacker an arbitrary read/write primitive in kernel memory.
On top of that, IOHIDeous disables System Integrity Protection (SIP) and Apple Mobile File Integrity (AMFI), two kernel-enforced security features that restrict what even a root user may modify or execute and so help protect the system against malware.
The PoC code Siguza published works on macOS High Sierra 10.13.1 and earlier, but for reasons not yet established it has stopped working on macOS High Sierra 10.13.2; he believes the exploit can be tweaked to work on the latest version as well.
One caveat the researcher pointed out is that, for the exploit to work, it has to force a log-out of the currently logged-in user. That is hard to hide from a victim, but it can be disguised by arranging for the exploit to run when the targeted machine is manually shut down or rebooted, when the session is ending anyway.
Because the vulnerability affects only macOS and is not remotely exploitable, the researcher chose to publish his findings online rather than report them to Apple first. For those unaware, Apple’s bug bounty program does not cover macOS bugs.
For in-depth technical details about the vulnerability, head over to the researcher’s write-up on GitHub.