Slashdot Mirror


Google's Project Zero Team Releases Details On High-Severity macOS Bug 'BuggyCow' (wired.com)

Google's bug-hunting researchers known as Project Zero have revealed a fresh zero-day vulnerability in macOS called "BuggyCow." "The attack takes advantage of an obscure oversight in Apple's protections on its machines' memory to enable so-called privilege escalation, allowing a piece of malware with limited privileges to, in some cases, pierce into deeper, far more trusted parts of a victim's Mac," reports Wired. "The trick's name is based on a loophole the hackers found in the so-called copy-on-write, or CoW, protection built into how MacOS manages a computer's memory." From the report: Some programs, when dealing with large quantities of data, use an efficiency trick that leaves data on a computer's hard drive rather than potentially clog up resources by pulling it into memory. That data, like any data in a computer's memory, can sometimes be used by multiple processes at once. The MacOS memory manager keeps a map of its physical location to help coordinate, but if one of those processes tries to change the data, the memory manager's copy-on-write safeguard requires it to make its own copy. Which is to say, a program can't simply change the data shared by all the other processes -- some of which could be more highly privileged, sensitive programs than the one requesting the change.

Google's BuggyCow trick, however, takes advantage of the fact that when a program mounts a new file system on a hard drive -- basically loading a whole collection of files rather than altering just one -- the memory manager isn't warned. So a hacker can unmount a file system, remount it with new data, and in doing so silently replace the information that some sensitive, highly privileged code is using. Technically, as a zero-day vulnerability with no patch in sight, BuggyCow applies to anyone with an Apple laptop or desktop. But given the technical skill and access needed to pull it off, you shouldn't lose much sleep over it. To even start carrying out this Rube Goldberg–style attack, a hacker would need a victim to already have some form of malware running on their computer. And while BuggyCow would allow that malware to potentially mess with the inner workings of higher-privileged parts of the computer, it could do so only if it found a highly privileged program that kept its sensitive data on the hard drive rather than memory.
Project Zero says it warned Apple about BuggyCow back in November, but Apple hadn't acted to patch it ahead of last week's public reveal.
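An added illustration (not Project Zero's proof of concept and not Apple code) of what copy-on-write on a file-backed private mapping does and does not promise the mapping process: its own writes stay private and never reach the file, but a page it has not yet written still tracks whatever the file's owner writes later. It uses plain POSIX mmap on Linux, which shows the second behaviour (POSIX leaves it unspecified), rather than the macOS kernel path described above; the design point is that a privileged process must copy less-trusted file-backed input itself instead of relying on CoW to freeze it.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/mman.h>

/* Observations returned by cow_demo(); each is 1 if the behaviour was seen. */
typedef struct {
    int write_stayed_private;         /* page 0: the process's own write survived the file change */
    int disk_untouched_by_write;      /* the process's write never reached the file */
    int untouched_page_followed_file; /* page 1: a later change to the file showed through */
} cow_result;

/* Maps a two-page temp file MAP_PRIVATE, writes to page 0 only, then changes
 * the file on disk and records what the mapping shows. Returns 0 on success. */
static int cow_demo(cow_result *r) {
    long pg = sysconf(_SC_PAGESIZE);
    char path[] = "/tmp/cow_demo_XXXXXX";   /* constructed scratch file */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                            /* keep the file only while fd is open */

    /* Constructed input: two pages whose first bytes are both 'A'. */
    if (ftruncate(fd, 2 * pg) != 0) return -1;
    if (pwrite(fd, "A", 1, 0) != 1 || pwrite(fd, "A", 1, pg) != 1) return -1;

    char *map = mmap(NULL, 2 * pg, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) return -1;

    map[0] = 'B';                            /* triggers CoW: page 0 becomes a private copy */

    char disk0 = 0;
    if (pread(fd, &disk0, 1, 0) != 1) return -1;
    r->disk_untouched_by_write = (disk0 == 'A');

    /* The file's owner now rewrites the first byte of both pages on disk. */
    if (pwrite(fd, "Z", 1, 0) != 1 || pwrite(fd, "Z", 1, pg) != 1) return -1;

    r->write_stayed_private = (map[0] == 'B');         /* private copy is unaffected */
    r->untouched_page_followed_file = (map[pg] == 'Z'); /* never-written page is not a snapshot */

    munmap(map, 2 * pg);
    close(fd);
    return 0;
}

int main(void) {
    cow_result r;
    if (cow_demo(&r) != 0) { perror("cow_demo"); return 1; }
    printf("own write stayed private:         %d\n", r.write_stayed_private);
    printf("disk untouched by that write:     %d\n", r.disk_untouched_by_write);
    printf("untouched page followed the file: %d\n", r.untouched_page_followed_file);
    return 0;
}
```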

40 comments

  1. COW by Anonymous Coward · · Score: 0

    I wonder how much like DirtyCOW this is. I guess it goes to show the meat eaters were right: a cow would kill you if it had the chance.

  2. Backwards Wired? by Anonymous Coward · · Score: 1

    "The attack takes advantage of an obscure oversight in Apple's protections on its machines' memory to enable so-called privilege escalation, allowing a piece of malware with limited privileges to, in some cases, pierce into deeper, far more trusted parts of a victim's Mac," reports Wired. "The trick's name is based on a loophole the hackers found in the so-called copy-on-write, or CoW, protection built into how MacOS manages a computer's memory."

    What's with the dumbed-down language, Wired? "obscure oversight"? "so-called" this and that? Please do tell, this so-called high-severity so-called bug, is it so-called dangerous to the so-called victim?

    At least, if one manages to waddle through to the last paragraph, there's this guarded piece of criticism:

    "They've had a lot of very-high-profile security-related bugs and some have been really, really stupid," Reed says. "It makes you wonder what's going on with the QA process at Apple. Are they adequately testing? Lately, it seems like they're not."

    Apple: copying Microsoft's Win XP security practices takes courage - and now has far better eye candy!

  3. Single-user machines by gnasher719 · · Score: 2, Informative

    On a single user machine, privilege escalations are not really that damaging. If you manage to hack into my user account on my Mac (or my Windows PC, or many Linux desktops), you have access to all the valuables. There is just nothing of value outside my account.

    Totally different on a server. If you have 100 users on a server, then escalation from one hacked user to the other 99 is a fatal problem.

    1. Re:Single-user machines by Anonymous Coward · · Score: 0

      It's pretty damaging even on a single user machine (honestly kind of a bizarre claim on Slashdot that untrusted code running at highest privileges is no big deal). Breaching a user account gives you all the user's files, and that's pretty severe, yes. Breaching an admin account lets you change the software that deals with files, and networking, joins a botnet, etc.

    2. Re:Single-user machines by Anonymous Coward · · Score: 0

      Please tell us more about user permissions on a modern OS. Nobody here knows anything about it.

    3. Re:Single-user machines by geek · · Score: 1

      On a single user machine, privilege escalations are not really that damaging. If you manage to hack into my user account on my Mac (or my Windows PC, or many Linux desktops), you have access to all the valuables. There is just nothing of value outside my account.

      Totally different on a server. If you have 100 users on a server, then escalation from one hacked user to the other 99 is a fatal problem.

      Now do domain joined systems + lateral movement in the environment. Priv esc is devastating, especially from an APT perspective when trying to establish persistence. Stop trying to minimize this like it's no big deal someone just fucking owned your box completely.

    4. Re:Single-user machines by dgatwood · · Score: 4, Informative

      Breaching a user account gives you all the user's files, and that's pretty severe, yes. Breaching an admin account lets you change the software that deals with files, and networking, joins a botnet, etc.

      Most single-user machines don't have a separate admin account. So breaching the user's account is breaching an admin account. That's why the GP said that for single-user machines, privilege escalation rarely matters.

      Of course, it isn't *quite* true. There are processes like the keychain that provide some additional privilege separation between apps. If the keychain happens to store out-of-band mach message data in a vulnerable location, then this could lead to arbitrary code being able to modify keychain requests from other apps to steal passwords somehow. Maybe. But realistically, those sorts of communication mechanisms shouldn't be storing data to disk even temporarily.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    5. Re:Single-user machines by angel'o'sphere · · Score: 1

      That is only semi correct.
      A single user Mac has an account that has an "is admin flag", and that simply only means: he can use sudo.
      So: you still need to escalate somehow to root to do anything meaningful.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    6. Re:Single-user machines by Anonymous Coward · · Score: 0

      You're repeating his point, moron, just in different words. He's saying a single box being pwned doesn't result in any lateral problem in a properly sanitized, vm'ed, vlan'ed network. A Windows LAN or Mac Bonjour handjob party is not that.

      You missed the point, and you pretended to be some kind of 13370-cheeto cracker but we know you aren't that. You just owned yourself, completely.

    7. Re:Single-user machines by dgatwood · · Score: 1

      Depends on what you mean by meaningful. As a user in the admin group, without becoming root, you can:

      • Add per-user login items and launchd daemons and agents
      • Install applications in /Applications.
      • Monkey with /Users
      • Access core dumps from system daemons
      • Connect to non-keyboard HID devices
      • Access the camera and microphone

      And there are probably a lot more mischievous things that one can do with code running as a non-root admin user that I'm not thinking of. :-) Some of the things in the list above don't even require you to be in the admin group. In particular, it would be trivial to add a device to a botnet even without being an admin user.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    8. Re:Single-user machines by 93+Escort+Wagon · · Score: 4, Insightful

      Most single-user machines don't have a separate admin account.

      Mine does. And MacOS makes it trivially easy to run as a non admin, only invoking admin rights when necessary.

      I try to encourage everyone in my circle to set their computers up that way. Occasionally I’ve even been successful.

      --
      #DeleteChrome
    9. Re:Single-user machines by dgatwood · · Score: 1

      I try to encourage everyone in my circle to set their computers up that way. Occasionally I’ve even been successful.

      That about sums it up. :-)

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    10. Re:Single-user machines by Anonymous Coward · · Score: 0

      Depends on what you mean by user.

    11. Re: Single-user machines by Anonymous Coward · · Score: 0

      You're an idiot, my friend.

      On Android, for instance, each app runs as a separate user. Each modern, well set-up "single user" machine uses some kind of user containers to run vulnerable processes (e.g. the JavaScript from a webpage). Yes, on a Unix system like macOS or Android (Linux) a privilege escalation makes the difference between a gadget that won't stop blinking or auto starting video in a webpage, and you being pwned and having child pron planted on your harddrive.

    12. Re:Single-user machines by AmiMoJo · · Score: 1

      Most single-user machines don't have a separate admin account.

      This hasn't been true since 2006 when Windows Vista came out, 13 years ago.

      With Vista the default user account became a non-admin one. Vista also introduced new system accounts that you can't log in to.

      On top of that you have UAC, which means that even with an admin account certain actions require extra confirmation from the user.

      So yeah, privilege escalation on a single user Windows machine is pretty severe. Does MacOS really not have this kind of security model?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    13. Re:Single-user machines by Anonymous Coward · · Score: 0

      It doesn't help. Everything of value is accessible to the non-admin account. Generally, the only stuff the admin account has sole access to is stuff that doesn't really matter because it can be fixed with a re-install anyway.

    14. Re:Single-user machines by swillden · · Score: 1

      Most single-user machines don't have a separate admin account.

      Mine does. And MacOS makes it trivially easy to run as a non admin, only invoking admin rights when necessary.

      It's the default, isn't it?

      But this doesn't really undermine the claim that privesc doesn't matter much on single-user machines with traditional ownership models. Most everything of value on the machine will be owned by the non-admin user account anyway.

      This, BTW, is why the app isolation that mobile OSes do is so important. If you get arbitrary code execution in one app on my Android phone, you only get to see that app's data. You need some privesc vuln to get to anything else. But desktop OSes still have flat access control models where most everything is owned by one user account, and any process running as that user can read all of it.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    15. Re:Single-user machines by Bordena · · Score: 1

      yes its exactly safe your kids and you can also choose different apps in different admin panels Bordena #Safekids

    16. Re:Single-user machines by sad_ · · Score: 1

      they are no longer interested in your data, they want to have an army of remote controlled bots.

      --
      On a long enough timeline, the survival rate for everyone drops to zero.
    17. Re:Single-user machines by 93+Escort+Wagon · · Score: 1

      It's the default, isn't it?

      But this doesn't really undermine the claim that privesc doesn't matter much on single-user machines with traditional ownership models. Most everything of value on the machine will be owned by the non-admin user account anyway.

      No, it’s not the default - the first account created is an admin account, and for many single-user Macs that ends up being the only account. And for family computers, it means Mom’s account or Dad’s account is an admin by default - unless one decides to take the extra step.

      I wasn’t really intending the point specifically with regard to privilege escalation. If you’re specifically targeted as an individual, you could reasonably argue it probably doesn’t help much. But at a minimum you’re increasing the complexity of what is necessary for someone to own your machine - and it’s basically painless so why not take that extra step?

      (and don’t give your kids your admin password, sis!)

      --
      #DeleteChrome
    18. Re:Single-user machines by swillden · · Score: 1

      If you’re specifically targeted as an individual, you could reasonably argue it probably doesn’t help much.

      Even if you're not targeted specifically, but just a target of opportunity.

      But at a minimum you’re increasing the complexity of what is necessary for someone to own your machine - and it’s basically painless so why not take that extra step?

      No argument there, though I still maintain that protecting the machine is close to irrelevant. What matters is the data on the machine.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  4. Unmount filesystem by 110010001000 · · Score: 1

    You can unmount/mount a file system without privileges on OSX? I don't think so.

    1. Re:Unmount filesystem by Anonymous Coward · · Score: 1

      Ah - so in other words, "root owns the computer." Next up, Linux systems vulnerable to "insmod malware".

      FROM THE ARTICLE:

      "To even start carrying out this Rube Goldberg–style attack, a hacker would need a victim to already have some form of malware running on their computer" (emphasis mine).

    2. Re:Unmount filesystem by Anonymous Coward · · Score: 0

      a hacker would need a victim to already have some form of malware running on their computer

      Serious question: Does Google Chrome count as malware? (Think carefully before answering.)

    3. Re: Unmount filesystem by Anonymous Coward · · Score: 0

      I bet Google thinks of it as malware but it runs in a sandbox on most systems and poses no threat whatsoever.

    4. Re:Unmount filesystem by Anonymous Coward · · Score: 0

      "Oh yes, I thought of something," panted Ford.
      Arthur looked up expectantly.
      "But unfortunately," continued Ford, "it rather involved being on the other side of this airtight hatchway." He kicked the hatch they'd just been through.

  5. So could a "___ is for cows" post be relevant? by Anonymous Coward · · Score: 0

    [nt]

  6. Mounting a filesystem requires root. by dgatwood · · Score: 1

    Mounting a filesystem anywhere that should actually matter (e.g. /tmp, /var/tmp) typically requires root privileges even in macOS. And any software that might realistically store out-of-bound data in a location where an unprivileged attacker could mount something over top of it (e.g. in the user's home directory) is not likely to be any more privileged than the attacker app.

    Is there any actual evidence that this is a real vulnerability, rather than a purely hypothetical one? I mean yes, it's a bug, but in my mind, high severity should be reserved for situations where the bug itself poses a reasonable chance of letting someone destroy or compromise user data, not situations where the author of a critical system daemon does something colossally stupid *and* the bug exists. The high-severity vulnerability would be the critical system daemon storing temporary data in a vulnerable location. This would just be the low-severity springboard that makes that high-severity bug more severe.

    Am I missing something?

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

    1. Re:Mounting a filesystem requires root. by geek · · Score: 1

      You haven't needed root to mount a filesystem in over a decade. Not sure what you mean here. All your user needs is permissions. Pop a thumb drive into your system, no root required.

    2. Re:Mounting a filesystem requires root. by dgatwood · · Score: 1

      You haven't needed root to mount a filesystem in over a decade. Not sure what you mean here. All your user needs is permissions. Pop a thumb drive into your system, no root required.

      Reread what I said.

      Mounting a filesystem anywhere that should actually matter requires root privileges even in macOS.

      Typically, you can only mount things over top of directories that you own. The Disk Arbitration framework also allows you to mount things in /Volumes as a special case, by sending requests to a daemon (diskarbitrationd) that runs as root. But I'm 99.9% certain that the permission to do so is not arbitrarily broad.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    3. Re:Mounting a filesystem requires root. by angel'o'sphere · · Score: 1

      But it is mounted under /Volumes and not at a random place belonging to root.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    4. Re:Mounting a filesystem requires root. by Anonymous Coward · · Score: 1

      You haven't needed root to mount a filesystem in over a decade. Not sure what you mean here. All your user needs is permissions. Pop a thumb drive into your system, no root required.

      Please turn in your geek card, geek (5680). Physical access trumps everything; you don't need root if you have physical access.

  7. Need I? Can I? Should I? by Anonymous Coward · · Score: 1

    And the cow goes... ... mooooo!

  8. BuggyCow.. by Anonymous Coward · · Score: 0

    The perfect name for all apple software

  9. Bias? by The1stImmortal · · Score: 1

    This article is really oddly phrased.
    From how I read this, you can basically silently substitute arbitrary code or data pages of programs running in memory. Even ones that might, say, use security hardware like the T2 chip to make themselves less vulnerable even to root based attacks. And from the article, you just have to first execute code on the machine - a feat which, with modern browser based and hardware flaw exploits, or even just plain phishing, isn't hard.
    And of course, the memory manager/VFS allowing you to swap out in-use disk backed pages is nuts. It seems like there could be a lot of other bugs and exploits there.
    If this was a Windows flaw it'd be a big deal.

    Of course, Apple probably doesn't care, because their long term aim is to get you on a platform where, in theory, you never run software or access information they haven't vetted beforehand anyway.

  10. All you need is permission? by Anonymous Coward · · Score: 0

    This attack also requires "a hacker" to mount it. The attack. And the filesystem. At least that's what wired so breathlessly implies.

    Apparently BeauHD likes this sort of breathless bullshit also.

  11. #Buggycow #IWD by Anonymous Coward · · Score: 0

    Well it IS International Women's Day today.
    #Buggycow #IWD

  12. Its difficult for new bis to understand by Bordena · · Score: 1

    Its quite difficult to understand the bug in start Bordena

    1. Re:Its difficult for new bis to understand by Anonymous Coward · · Score: 0

      Your bot sucks, it isn't even spamming links correctly. Kill yourself, amateur.