macOS Exploit Published on the Last Day of 2017 (bleepingcomputer.com)

← Back to Stories (view on slashdot.org)

macOS Exploit Published on the Last Day of 2017 (bleepingcomputer.com)

Posted by msmash on Tuesday January 2, 2018 @03:30AM from the security-woes dept.

An anonymous reader shares a report: On the last day of 2017, a security researcher going online by the pseudonym of Siguza published details about a macOS vulnerability affecting all Mac operating system versions released since 2002, and possibly earlier. Siguza did not notify Apple in advance, so at the time of writing, there is no fix for this flaw. Despite the doom and gloom, the vulnerability is only a local privilege escalation (LPE) flaw that can only be exploited with local access to a computer or after an attacker has already got a foothold on a machine. The vulnerability grants root access to an attacker. The issue affects the IOHIDFamily macOS kernel driver, a component that handles various types of user interactions. Siguza said he read about various flaws in this component and took a look at it to find new ways to compromise iOS, Apple's mobile operating system, where IOHIDFamily is also deployed. The expert says he found the LPE flaw in the IOHIDFamily code specific to macOS versions only. In a tweet, Siguza said, "My primary goal was to get the write-up out for people to read. I wouldn't sell to blackhats because I don't wanna help their cause. I would've submitted to Apple if their bug bounty included macOS, or if the vuln was remotely exploitable.

38 of 62 comments (clear)

Min score:

Reason:

Sort:

only a local privilege escalation by Anonymous Coward · 2018-01-02 03:38 · Score: 1

Oh, it's "only a local privilege escalation". No worries then.
1. Re:only a local privilege escalation by Penguinisto · 2018-01-02 03:42 · Score: 4, Insightful
  
  Oh, it's "only a local privilege escalation". No worries then.
  For the majority of use cases, that's pretty much it; you still have to convince someone to give you basic (local or remote) access to the box first.
  Same story on *any* OS, come to think of it.
  
  --
  Quo usque tandem abutere, Nimbus, patientia nostra?
2. Re:only a local privilege escalation by TheFakeTimCook · 2018-01-02 04:17 · Score: 1
  
  oh wait... Anyone who has physical access AIN root on any mac dating back to 2002 and it remains unpatched... Yeah definitely unimportant. Nothing to see here. Move along.
  Kind Regards,
  Tim Cook
  While it is true that Macs are long-lived; I would be very surprised to see many G3 Macs still kickin' it in any sort of a production environment, SEVENTEEN years later...
  (Yes, I know it said "Starting with" 2002)...
3. Re:only a local privilege escalation by TheFakeTimCook · 2018-01-02 04:19 · Score: 1
  
  Or you could just log in as "root" no password required.
  Exactly. That would work on exactly ONE (minor-revisions) of ONE Major Revision of macOS.
  Go back to where you came from, Troll...
4. Re:only a local privilege escalation by TheRaven64 · 2018-01-02 04:29 · Score: 3, Interesting
  
  This looks as if it's exploitable even for sandboxed processes. This isn't such a big deal on macOS, where both users of the Mac App Store might need to worry, but most other people are only running sandboxed apps written by Apple (I'm not sure if WebKit renderer processes have direct HID access - I don't think they do, because HID events are proxied for them from the privileged component, though the XPC vulnerability a few months ago turned sandboxed WebKit component vulnerabilities into whole-machine compromises). It is a much bigger deal for iOS, where most users run not-very-trusted applications from the iOS App Store and rely on the sandbox framework to isolate them. The sandbox framework doesn't work so well on a compromised kernel.
  
  --
  I am TheRaven on Soylent News
5. Re:only a local privilege escalation by TheRaven64 · 2018-01-02 04:40 · Score: 2
  
  If you have a process running on macOS with ambient authority then in most cases a root exploit doesn't give you much - you can already access and modify everything that the user cares about. A vulnerability like this; however, can also be exploited by sandboxed applications (though hopefully not sandboxed daemons, which shouldn't have access to the HIDs).
  Most Apple apps are now sandboxed, as are Microsoft Office and anything that is distributed via the App Store. I posted above that most people don't use the App Store, so it's not a huge issue, but I hadn't considered all of the possible vectors. This means that MS Word macro vulnerabilities (and fun things like their OLE bug a little while ago where an incorrect length in a document led to arbitrary code execution), PDF / PNG / JPEG vulnerabilities in Preview, and so on can now be system-level compromises instead of sandboxed-application compromises. That's a pretty big difference: without a vulnerability like this, if I send a Mac user a malicious PDF that they open in Preview and trigger an arbitrary-code execution flaw, I get read access to all of the documents that they have open in Preview (and possibly write access to anything that they've saved in Preview recently), and might be able to trick the user into elevating privilege slightly from there. With this vulnerability, I get complete system access.
  
  --
  I am TheRaven on Soylent News
6. Re:only a local privilege escalation by guruevi · 2018-01-02 04:48 · Score: 2
  
  It's worse than that. It's a local privilege escalation, already patched in macOS 13.0.2 via ROP and race conditions during logout/shutdown of the computer, it requires a LOT of luck and is very time sensitive for it to work, in my testing most of the time the thing will either fail or crash the kernel.
  
  --
  Custom electronics and digital signage for your business: www.evcircuits.com
7. Re:only a local privilege escalation by ChrisKnight · 2018-01-02 05:22 · Score: 1
  
  In a business environment, where users are not allowed to be admins on their boxes, this is a frak'ng nightmare.
  
  --
  -- This sig is only a test. If this were a real sig it would say something witty. --
8. Re:only a local privilege escalation by Anonymous Coward · 2018-01-02 06:11 · Score: 1
  
  Yeah. "Told about" months ago. You mean some random person mentioned it on a random Apple discussion thread where it was picked up and read by either nobody or a low level tech support person. Wow. There ya go, it's a CON-SPIRACY!
  
  Also, what's your complaint anyway? That a big OS had security bugs and flaws? Ok, yes it did. I got news for you. MacOS 7 had them too. Now that the marketshare is high again, people are looking for them. but they've always been there. Just like in Windows. And whatever fake OS you run.
9. Re:only a local privilege escalation by Troed · 2018-01-02 06:40 · Score: 1
  
  I don't think it's patched.
  From the description (regarding the kernel slide part only):
  The technique explained below has for some reason stopped working on macOS High Sierra 10.13.2. I don’t know why and I didn’t bother to investigate, but the IOHIDFamily vulnerability is still there all the same. So while the hid binary in its current state will only work up to 10.13.1, you could just patch together hid and leak to get everything working on 10.13.2 - or even write a mach-port-based exploit out of leak, I hear mach ports are the real deal. :P
  
  --
  it's in my head
10. Re:only a local privilege escalation by guruevi · 2018-01-02 07:17 · Score: 1
  
  Yeah, so in theory it works but I've tried it, I can't get it to work. The kernel will literally block either the hid or the leak binaries from working, the bug may still be there but the kernel prevents it from working. But even on older kernels, the worst I got was a kernel panic, I never got root access or SIP to turn off on 10.12 or 10.13.
  
  --
  Custom electronics and digital signage for your business: www.evcircuits.com
11. Re:only a local privilege escalation by Hal_Porter · 2018-01-02 10:22 · Score: 1
  
  Stuxnet needed a local privilege escalation to work
  http://www.zdnet.com/article/s...
  
  As new details emerge to shine a brighter light on the Stuxnet attack, Microsoft said the attackers initially targeted the old MS08-067 vulnerability (used in the Conficker attack), a new LNK (Windows Shortcut) flaw to launch exploit code on vulnerable Windows systems and a zero-day bug in the Print Spooler Service that makes it possible for malicious code to be passed to, and then executed on, a remote machine.
  The malware also exploited two different elevation of privilege holes to gain complete control over the affected system. These two flaws are still unpatched.
  I.e. the problem is not your buddy lends you their machine, it's that code arrives by more dubious means and uses a privilege escalation to be able to do more damage.
  I could see Macs being hit with something which encrypts files and demands a password to decrypt them and privilege escalation would be necessary for such an attack.
  Best make sure you've got a Time Machine backup on a removable disk.
  
  --
  echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
12. Re:only a local privilege escalation by datavirtue · 2018-01-02 10:48 · Score: 1
  
  You are doing it wrong...it's a feature to help your aging macbook slow down and let you in case you forgot your password.
  
  --
  I object to power without constructive purpose. --Spock
13. Re: only a local privilege escalation by drinkypoo · 2018-01-02 16:38 · Score: 1
  
  You're suggesting Windows machines are Superior for longevity?
  No, but he accidentally implied it. I'll just go ahead and come out and say it, though. The G4 macs are still fast enough to be useful and the G5 macs are still fast enough to actually be snappy but Apple has abandoned them all. That's what you get for dicking around with precious architectures. Now that they are just making x86-64 PCs, though, they have no excuse for their weirdness.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
14. Re: only a local privilege escalation by Brockmire · 2018-01-03 09:16 · Score: 1
  
  He fully understood planned obsolescence and limited upgrade paths from the get go. Just ignore this Kool-aid drinking motherfucker. He takes personal butthurt when Apple is criticized.
Re:Alerting the devlopers by Wootery · 2018-01-02 03:54 · Score: 2

True, but as far as I can see Apple have never done that.
Re:Apple is getting fat and lazy by TheFakeTimCook · 2018-01-02 04:05 · Score: 1, Insightful

Without a visionary in charge, the company cuts corners and is losing major ground in 2018. If I owned Apple stock it'd be sold today.
The best thing that could happen to Apple (and to Apple users) is if Elon Musk took control of Apple without him losing any influence at Tesla or SpaceX.
These companies are a good fit, really. Tesla would have Apple product design power and Apple could benefit from someone clearly on Steve Jobs' visionary and operational level.
Something like this or similar: https://www.marketwatch.com/st...
Stupid. Fucking. Hater. Die Hater, Die!!!
From TFS, this Vulnerability has likely been around since 2002. Steve Jobs didn't die until late 2011.
So, what in the FUCK does the loss of a "visionary" have to do with this Exploit?
Answer: Abso-lutely FUCKING NOTHING!!!
So, go Hate somewhere else, Moron! We're busy here...
Re:Apple is getting fat and lazy by squiggleslash · 2018-01-02 04:06 · Score: 4, Insightful

Early on in Mac OS X's (as it was then) history, Apple released the very first version of Safari. At that point, thanks to the Jobs vision of "It just works" coupled with the way earlier Mac OSes had run, to install an application (including setting it up to open files of a particular type by default) you just needed to copy the application to your hard drive. Anywhere on the hard drive. It didn't matter where. The operating system would automatically set everything up.
(And, to be fair, that's not a bad way to work, except...)
Well, Safari would also open and extract any ZIP or .SIT (a Mac specific archive format) file if you downloaded it. Automatically. It woudn't ask you, it just assumed you wanted that. Because, remember, Steve Jobs, "It just works".
So to install an application on someone else's Mac, all you had to do was make your web page redirect to a ZIP file, containing the application. And if, say, you made that application open files with a common suffix, and you also send a file with that suffix, then the moment the curious user double clicked it, it'd launch your application.
It took months before everyone was able to persuade Apple this was a bad idea and a version of Safari was released that didn't automatically open Zip files.
Jobs had vision. But to infer from that he was security minded would be a mistake. He was interested in making computers easy to use, but security got in the way of that, and it took a long time before anyone inside or outside of Apple figured out how to make security easy to use as well.

--
You are not alone. This is not normal. None of this is normal.
Re:Alerting the devlopers by Anonymous Coward · 2018-01-02 04:10 · Score: 1

Ya they kinda do.
https://www.techdirt.com/articles/20111107/18193216671/find-vulnerability-apple-software-lose-your-license-as-apple-developer.shtml
Re:Apple is getting fat and lazy by Mordaximus · 2018-01-02 04:15 · Score: 4, Funny

Without a visionary in charge, the company cuts corners and is losing major ground in 2018.
Apple is losing major ground, one business day in to 2018? Better sell stocks stat!
Re:Apple is getting fat and lazy by MachineShedFred · 2018-01-02 04:17 · Score: 1

Wait a second... are we returning to the days of "beleaguered" Apple? Do we get to pull that off the shelf again? It's been like 20 years since we've been able to use that...

--
Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
Impressive by 110010001000 · 2018-01-02 04:17 · Score: 2

Reading the writeup I would say this guy really knows his Mac internals. Apple is getting better at security though: the last root exploit only required you to type "root" and no password. And the one before that required a single line of script to get root.
1. Re:Impressive by Farmer+Tim · 2018-01-02 10:11 · Score: 1
  
  ...the last root exploit only required you to type "root" and no password.
  A computer does exactly as it’s instructed and you complain. There’s just no pleasing some people...
  
  --
  Blank until /. makes another boneheaded UI decision.
2. Re: Impressive by Brockmire · 2018-01-03 09:42 · Score: 1
  
  Complain about Apple, which instructed the computer to be incompetent. Bro, do you even computer?
Re:Apple is getting fat and lazy by MachineShedFred · 2018-01-02 04:26 · Score: 4, Interesting

The good news is that even on the absolute first version of OS X, if you wanted to do anything that was outside the user home folder, or even with the user's keychain, it would ask for your password.
I don't know about you, but if you go to a web site and then it starts asking for your system password, YOU DO NOT PUT IT IN.
You are correct that Safari auto-expanding compressed archives wasn't a good idea. However, the inherent security design that the actual engineers managed to persuade Jobs to keep in the OS prevented major damage from things like that, to the point that even Jobs was recounting his at-the-time skepticism and praising that design and those engineers in on-stage interviews years later.
No operating system is without flaws. However, mix a bit of common sense in with good design, and you come out ahead of just good design.

--
Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
Re:Alerting the devlopers by TheFakeTimCook · 2018-01-02 04:27 · Score: 4, Informative

Ya they kinda do.
https://www.techdirt.com/articles/20111107/18193216671/find-vulnerability-apple-software-lose-your-license-as-apple-developer.shtml
They didn't SUE. They simply revoked his Developer Cert.
Which is EXACTLY what they SHOULD have done.
Charlie Miller is no fool. One would ASSUME he knows the rules. But instead, he thought he'd be snarky and submit an iOS App that he KNEW violated his Developer Agreement, and then, when the App got Approved, he LEFT IT UP FOR A MONTH, where ANYONE could have downloaded and "learned" from it.
Yeah, he deserved what he got; regardless of how "altruistic" his intentions were (which I believe they actually were).
But he DIDN'T get SUED.
Re:Apple is getting fat and lazy by squiggleslash · 2018-01-02 04:36 · Score: 1

The good news is that even on the absolute first version of OS X, if you wanted to do anything that was outside the user home folder, or even with the user's keychain, it would ask for your password.

...yeah, about that. I didn't think that was a good idea either. At least not at the time, though again this might have been fixed by now, just like the Safari bug. Anywho, here's why:
The password thing was to verify that you had permission to allow something dangerous to occur. But in 99% of cases, you do have that permission. Realistically, it should only be asking you if you're not an admin. But wait, that's not my major complaint.
...no, my major complaint is that the user had no way at all of verifying that the thing they thought was asking for your password was the thing that was actually asking for your password. So, let's go back to 2002 (or whenever it was Safari came out, I can't remember.)
You write your Trojan and get it to your victim's hard drive. Victim clicks on a JPEG and it opens your application, and your application then starts the application the victim thinks should have opened it while going into the background.
After five minutes, you pop up something that looks exactly like the Software Update dialog. The user sees there's some minor, quick, update that's also very important, that needs to be run, so they click Update, and up pops the administrator password dialog.
And they enter the password. And now your application, which is what really put up both the Software Update and Password dialog, now has your password. And through that root access (via sudo) to your PC.
Like I said, they may have fixed this by now, but certainly in the first few revisions of the operating system, this was an awful idea awfully executed, against presumably because of a "Just works" mentality that worked against making it harder. Incredibly, Microsoft got this right: it doesn't generally ask for a password, instead: if you're logged in as an admin, it asks permission without needing to further verify it's you, and if you're not, it tells you to log in with sufficient rights.

--
You are not alone. This is not normal. None of this is normal.
Re:Apple is getting fat and lazy by lucasnate1 · 2018-01-02 05:40 · Score: 3, Insightful

Stupid. Fucking. Hater. Die Hater, Die!!!
Why the fuck did this get (+5)?

--
Avantgarde Hebrew science fiction
This is sooooo 2017 by DickBreath · 2018-01-02 07:25 · Score: 2

A vulnerability from back in 2017 is probably old enough to not be worth fixating.

--

I'll see your senator, and I'll raise you two judges.
1. Re:This is sooooo 2017 by XxtraLarGe · 2018-01-02 07:59 · Score: 1
  
  A vulnerability from back in 2017 is probably old enough to not be worth fixating.
  I remember 2017 like it was only a couple of days ago...
  
  --
  Taking guns away from the 99% gives the 1% 100% of the power.
Re:Apple is getting fat and lazy by TheFakeTimCook · 2018-01-02 08:39 · Score: 1

Stupid. Fucking. Hater. Die Hater, Die!!!
Why the fuck did this get (+5)?
I dunno. Maybe because I was RIGHT.
The bigger question would be why is YOUR post +4 INSIGHTFUL?
WTF "Insight" is there in asking why someone ELSE was modded UP???
Chinese USB Something ? by AncalagonTotof · 2018-01-02 09:40 · Score: 1

I read IOHIDFamily, which contain IO and HID. Obviously, but, this means USB to me, and, doing basic math, I'm wondering whether a no-name Chinese USB device could use this hole to implant some malware.

--
Totof
Re:Apple is getting fat and lazy by mfh · 2018-01-02 10:05 · Score: 1

Thanks. That was funny.

--
The dangers of knowledge trigger emotional distress in human beings.
Re:Apple is getting fat and lazy by MachineShedFred · 2018-01-02 10:06 · Score: 1

That's not been an issue if the user isn't blindly putting in their password to everything that pops up - the box that pops up for authentication is presented by the authentication library and gives the name of the calling application and is somewhat generic. The historic Software Update box has always looked unique, and lists what updates it would be downloading and immediately asks for your password upon clicking "install" and is identified as Apple Software Update. Now, they are done through the App Store, which would be even harder to spoof.
I see what you are saying though - yes it's probably possible to go through some form of convoluted combination of exploits and vulnerabilities to "own" someone, but that is the case with every OS. The fact that it hasn't happened in 15+ years says something about how difficult it would be to do, though it isn't the complete story by any means.

--
Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
Re:Apple is getting fat and lazy by drinkypoo · 2018-01-02 16:33 · Score: 1

That's not been an issue if the user isn't blindly putting in their password to everything that pops up
Welcome to the Real World(tm) where users act like idiots all day, every day.

I see what you are saying though - yes it's probably possible to go through some form of convoluted combination of exploits and vulnerabilities to "own" someone, but that is the case with every OS. The fact that it hasn't happened in 15+ years says something about how difficult it would be to do, though it isn't the complete story by any means.
What hasn't happened in 15+ years? OSX? There's been plenty of people trojan'd on OSX.

--
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Re:Apple is getting fat and lazy by drinkypoo · 2018-01-02 16:34 · Score: 1

Why the fuck did this get (+5)?
Same reason posts critical of Apple get modded down... iFanboys with modpoints.

--
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Re: Apple is getting fat and lazy by Brockmire · 2018-01-03 09:30 · Score: 1

Right about what? The guy didn't mention Jobs once. You fucking did. Comment on the 15 year old exploit and the constant fuckupery as of late. You're a fucking joke.
Re: Apple is getting fat and lazy by Brockmire · 2018-01-03 09:32 · Score: 1

Shit, he did mention Jobs and called him a visionary, my bad. Carry on attacking him.