An Example Analysis of the macOS 0-day Privilege Escalation Vulnerability

2025-01-15 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

Today I will walk you through an example analysis of a macOS 0-day privilege escalation vulnerability. Many people may not be familiar with it, so the editor has summarized the following to make it easier to understand. I hope you get something out of this article.

On December 31, 2017, a security researcher using the Twitter handle Siguza released details of a macOS 0-day vulnerability. It is a local privilege escalation vulnerability that affects all macOS versions and lies in IOHIDFamily, the kernel driver for human interface devices such as touch screens, buttons and accelerometers. By exploiting it, an attacker can read and write kernel memory at will, execute arbitrary code, obtain root privileges and thus take over the system completely. According to Siguza, the vulnerability dates back to 2002.

Siguza was originally analyzing IOHIDFamily for vulnerabilities in iOS, but found that the IOHIDSystem component exists only on macOS, and it was there that this vulnerability turned up.

I initially wanted to study IOHIDSystem components, hoping to find a vulnerability that could penetrate the iOS kernel. It turns out that some parts of IOHIDFamily (especially IOHIDSystem) exist only on macOS, and as a result, this vulnerability in IOHIDFamily components is found on macOS.

Siguza also released PoC code called IOHIDeous, which can be exploited on Sierra and High Sierra (up to 10.13.1) to gain full kernel read / write access and disable System Integrity Protection (SIP) and Apple Mobile File Integrity (AMFI). Unprivileged users can trigger the vulnerability on all recent versions of macOS.

Figure: vulnerable IOHIDSystem code

As shown in the figure above, the problem lies in these two lines: `eop->evGlobalsOffset = sizeof(EvOffsets);` and `evg = (EvGlobals *)((char *)shmem_addr + eop->evGlobalsOffset);`.

Because the value of `eop->evGlobalsOffset` can be modified after it is written, `evg` can be made to point somewhere other than the intended EvGlobals structure.
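To make the bug pattern concrete, here is an added example (not the page's figure and not Siguza's PoC) that models the two quoted lines with stand-in structures: the offset is stored in the shared region and read back to derive `evg`, so rewriting it moves `evg` out of the region. The hardened variant beside it derives the offset from a caller-controlled value and bounds-checks it before forming the pointer. The type names `EvOffsets` and `EvGlobals` come from the page; their fields, `SHMEM_SIZE` and all helper names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the IOHIDSystem types named in the article; only
 * the field the bug turns on is modelled. Nothing here is Apple's code. */
typedef struct { uint32_t evGlobalsOffset; } EvOffsets;
typedef struct { uint32_t eventFlags; }      EvGlobals;

#define SHMEM_SIZE 4096u
static char shmem[SHMEM_SIZE];          /* stand-in for the mapped shmem_addr */

/* The pattern the article quotes: the offset lives in the shared region
 * itself and is read back later to derive evg. */
static void init_shmem(char *shmem_addr)
{
    EvOffsets *eop = (EvOffsets *)shmem_addr;
    eop->evGlobalsOffset = sizeof(EvOffsets);
}
static uintptr_t evg_addr_unchecked(const char *shmem_addr)
{
    const EvOffsets *eop = (const EvOffsets *)shmem_addr;
    return (uintptr_t)shmem_addr + eop->evGlobalsOffset;  /* trusts shared value */
}

/* Hardened variant: do not re-read the offset from shared memory, and refuse
 * any offset that would leave no room for an EvGlobals inside the region. */
static uintptr_t evg_addr_checked(const char *shmem_addr, size_t shmem_size)
{
    size_t off = sizeof(EvOffsets);
    if (off > shmem_size || shmem_size - off < sizeof(EvGlobals))
        return 0;
    return (uintptr_t)shmem_addr + off;
}

static bool evg_in_bounds(const char *shmem_addr, size_t shmem_size, uintptr_t evg)
{
    uintptr_t base = (uintptr_t)shmem_addr;
    return evg >= base && evg - base <= shmem_size - sizeof(EvGlobals);
}

/* Returns 1 when a tampered offset pushes the unchecked evg out of the region
 * while the checked variant stays inside it; 0 otherwise. */
static int demo_tampered_offset(void)
{
    memset(shmem, 0, sizeof shmem);
    init_shmem(shmem);
    bool before = evg_in_bounds(shmem, SHMEM_SIZE, evg_addr_unchecked(shmem));
    ((EvOffsets *)shmem)->evGlobalsOffset = SHMEM_SIZE;   /* offset rewritten from user side */
    bool after  = evg_in_bounds(shmem, SHMEM_SIZE, evg_addr_unchecked(shmem));
    bool safe   = evg_in_bounds(shmem, SHMEM_SIZE, evg_addr_checked(shmem, SHMEM_SIZE));
    return (before && !after && safe) ? 1 : 0;
}
```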

More technical analysis details can be found here.

Experiments show that the exploit code runs very fast, needs no user interaction, and can even "run ahead of user logout and kernel antivirus" when the system is shut down. This means a user can be attacked whenever they log out, restart, or shut down the computer, and the attacker gains root privileges without even needing social engineering.

However, the PoC code released by Siguza does not seem to work against Apple's version 10.13.2, released on December 6, 2017, although he believes the problem may still exist in that version.

For some reason, my timing attack didn't work on High Sierra 10.13.2, but I won't go any further. Maybe it's because of the 10.13.2 patches, maybe it's just a consequence of random changes, which I neither know nor care about. The vulnerability still exists, and this PoC reflects the information disclosure and kernel read / write features of the vulnerability, but these two features are not in the same binary file.

My main goal is to let people know about this vulnerability. I won't sell the exploit to hackers because I don't want to help them. If Apple's bug bounty program covered vulnerabilities in macOS, or if this one were remotely exploitable, I would have submitted it to Apple a long time ago.

Siguza publicly disclosed the macOS 0-day because it is only exploitable by a local attacker and is not covered by Apple's bug bounty program, so the vulnerability has not been fixed yet. Because it can only be exploited with local access to the computer, or after the attacker has already compromised it, Apple may classify it as a non-critical issue and not fix it urgently.

After reading the above, do you have a better understanding of this example analysis of the macOS 0-day privilege escalation vulnerability? If you want to learn more, please follow the industry information channel. Thank you for your support.
